Exam Reviews

70-292: An Administrator's View of Windows Server 2003

This exam covers lots of Windows 2003 ground, including new security, backup and recover, and software updating methods.

• By Andy Barkl
• 12/01/2003

So you've finally achieved your MCSA and now Microsoft has a new operating system out. It's time to gird yourself to plunge into another round of learning—but if you didn't like being on the cutting edge, you probably wouldn't have joined the ranks of high tech in the first place, right? This upgrade exam is a tough one. It covers the ground that is encompassed in two other exams. Unlike Microsoft's previous efforts with upgrade exams (namely, 70-240, the behemoth Accelerated Exam for Windows 2000), this test is a normal length and you can take it as many times you need to in order to master its intricacies.

In this review, I help you prepare by covering some of the most challenging objectives included in Microsoft's exam preparation guide. (In another review, I cover exam 70-296, which is part of the package deal for MCSEs on Windows 2000 who want to upgrade their credential to Windows 2003.) I focus on managing users, computers and groups, Group Policy, security, DNS, systems administration, Terminal Services, IIS 6.0, SUS, and disaster recovery in Windows Server 2003.

Users, Computers, and Groups
For the first set of objectives, "Managing Users, Computers and Groups," you may be presented with questions regarding the new command line utilities dsadd, dsmod and dsquery.

Tip: You can use CSVDE with a CSV file to batch-create accounts.

These commands don't replace the Active Directory Users and Computers MMC but allow for scripting automation to add, modify and query Domain user, computer and group accounts. The ADUC MMC includes the Delegation of Control Wizard, which is used to assign and control administrative permission at the Organizational Unit level.

Tip: To modify multiple user account properties with the ADUC MMC, select the items and then Properties.

Try to remember this: AGUDLP. If you haven't adhered to Microsoft's recommended method of managing folder and file permissions, you need to study! Accounts are placed into Global Groups, which are placed into Universal Groups, which are then placed into Domain Local Groups, where Permissions are assigned. Accounts can also be placed directly into DL groups.

70-292, Upgrade for MCSAs Reviewer's Rating This exam is tricky and requires you show your expertise with all that's new in Windows Server 2003. Focus your studies on managing users, computers and groups, Group Policy, security, DNS, systems administration, Terminal Services, IIS 6.0, SUS and disaster recovery. Status Available as of August 14, 2003. Exam Title Managing and Maintaining a Windows Server 2003 Environment for an MCSA on Windows 2000 (70-292) Who Should Take It Windows 2000 MCSAs and MCSEs who want to upgrade to their skills to Windows 2003. Preparation Guide http://www.microsoft.com/traincert/exams/70-292.asp

Windows 2003 includes two types of groups: Security and Distribution. Security groups are used in the traditional sense to group users for permissions to network resources. Distribution groups are used for e-mail only.

Administrators and Server operators have the default rights to create and manage shared folders. Read, Change and Full Control are still present and cumulative. NTFS permissions are also cumulative but the most restrictive rights prevail when combined with shared folder permissions—and Deny overrides all other permissions!

Files and folders can be encrypted with EFS, encrypting file system. EFS requires NTFS. Don't forget to brush up on how folder and file permissions can change or stay the same when copying or moving within a drive or between drives.

Active Directory objects such as user, group and computer accounts all have permissions assigned that can be inherited from higher levels or by using Block Inheritance, removed.

Group Policy Objects allow centralized management of user and computer settings throughout the network. GPOs can be used to perform a variety of administrative tasks, such as configuring desktop settings, controlling security settings, assigning scripts, redirecting folders and distributing software. GPOs are inherited by child domains from sites or child OUs within domains unless you enable Block Policy Inheritance, which can be reversed with No Override at a higher level. You can also filter inheritance with Read and Apply Group Policy permissions at the user or group level.

Table 1. The Path to an MCSA on Windows Server 2003

Standard Path Upgrade Path for MCSAs/MCSEs on Windows 2000 Core Exams: Networking System (2 required) Core Exam (1 required) 70-290: Managing and Maintaining Windows Server 2003 70-292: Managing and Maintaining Windows Server 2003 for an MCSA on Windows 2000 70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure Core Exams: Client Operating System (1 Required) No other exams required. 70-210: Installing, Configuring, and Administering Windows 2000 Professional 70-270: Installing, Configuring, and Administering Windows XP Professional Elective Exams (1 Required)* * As lieu of the elective requirement, candidates can substitute one of the following credentials: MCDST, MCSA or MCSE. Likewise, candidates can also use these CompTIA exams in lieu of electives: - A+ and Network+ - A+ and Server+ - Security+ 70-086: Implementing and Supporting Systems Management Server 2.0 70-227: Installing, Configuring, and Administering Internet Security and Acceleration Server 2000, Enterprise 70-228: Installing, Configuring, and Administering SQL Server 2000 Enterprise 70-284: Implementing and Managing Exchange Server 2003 70-299: Implementing and Administering Security in a Windows Server 2003 Network

Resources
The main objective in the category, "Managing and Maintaining Access to Resources," is Terminal Services administration. The name has changed slightly—Windows 2000 Terminal Services remote administration mode is now called "Remote Desktop Administration" in Windows 2003. Terminal Services administration on this exam may include questions regarding the need for enterprise licensing servers and managing and troubleshooting connections.

Microsoft has made many improvements to Terminal Services, such as the enhanced RDP 5.1 client, which allows many of local resources to be available within the remote session, including the client file system, smart cards, audio, serial ports, and printers.

Windows Server 2003 Terminal Services licensing is limited to 120 days, so the need for a licensing server is required if users can no longer connect after the evaluation period. Using the ADUC MMC, click on the User Properties, Sessions tab to can manage users' session limits for terminal services—the users' Environment tab allows for configuration of local drives and printers for a session. The Group Policy administrative template Terminal Services is used to control many other aspects of users' profiles and policies when remote connections are required.

The Active Directory Remote Desktop Users group controls who can log on remotely to a domain controller. Finally, the Remote Desktop checkbox on the Remote tab of System Properties allows for Remote Desktop Administration.

The Server Environment
The objective, "Managing and Maintaining a Server Environment," covers Microsoft's Software Update Service and Internet Information Server (IIS) 6.0. New to the Windows 2003 exams is SUS. Although it's an add-on component in a Windows network, it's required these days for deploying and managing client- and server-critical updates. Through the Automatic Updates option built into Windows 2000, XP and 2003, client computers can be redirected to internal SUS servers instead of being externally directed to windowsupdate.microsoft.com. This allows administrators to plan, test, and track critical updates to their networks.

A New Type of Question Exam 70-292 includes a new question type from Microsoft (see figure). The screen is split into three areas with the question at the top, pick-and-place items on the bottom left and configuration screens on the bottom right. A new question type splits the screen in three sections, which will require considerable scrolling action on small displays. (Click image to view larger version.) The areas are resizable just like frames of a Web page. This means you may have to do lots of scrolling and careful reading during the exam since many testing centers have smaller monitors that we're accustomed to on our desks. Many of the questions require selecting the correct button or checkbox on a simulated product screenshot. Microsoft offers a demo of all the new question types at http://www.microsoft.com/traincert/mcpexams/faq/innovations.asp.

Tip: HFNetChk and the command line version of the Microsoft Baseline Security Analyzer, mbsacli.exe, can be used to check for both applied and missing security updates.

The Group Policy administrative template Windows Update is used to configure clients for automatic updates, service location, rescheduling, and the no restart option. The options for automatic updates includes: notify for download and install; auto download and notify for install; and auto download and schedule for install. Within the service location settings, the configuration for SUS service address and path for statistics server exists. The path for statistics server is usually in the form of http://susserver. SUS synchronization is a process where the server downloads the latest updates from Microsoft, the administrator approves the update, and clients are allowed to download and install the new update.

To conserve bandwidth, when configuring SUS for multi-language support, you should only select the required language for localized support. SUS server-to-server synchronization can save bandwidth as well when connecting to the Windows Update site and allow for enterprise control and administration. SUS administration is available via http or https using a Web browser. Finally, SUS requires IIS.

Tip: You can limit the amount of bandwidth required to download SUS updates via the Windows Server 2003 BITS (Background Intelligent Transfer Service), a bandwidth throttling technology.

Speaking of IIS, Windows 2003 has a new version—6.0. Out of the box IIS 6.0 is more secure by design and more stable because of application pools and process isolation. For the exam, be sure you fully understand IIS as it relates to Web sites, virtual and physical directories, files, host and cname records in DNS. IIS application pools allow for process isolation. Those pools are created using the IIS manager MMC, and by using the Virtual Directory, Directory or Home Directory tab of a Web site that's assigned to a Web site or process.

Tip: Multiple Web sites can be hosted on a single IIS server with unique IP addresses, port numbers or host headers.

Disaster Recovery
There's a lot to keep in mind for the topic, "Managing and Implementing Disaster Recovery." These objectives cover backing up files and knowing how to use system state data. It also covers new ground, such as Automatic System Recovery and Volume Shadow Copy Service.

Automated System Recovery (ASR) allows you quickly and automatically to bring a non-bootable machine to a state where you can run a restore program to recover data. ASR will configure the new storage devices and restore the operating system, all applications and settings. Here's the process:

1. Boot from a Windows Server CD and choose Automated System Recovery.
2. Provide access to the backup media and insert a floppy prepared for ASR.
3. Take a break—you'll come back to a working server with the operating system.
   

To use ASR, you have to prepare an ASR backup first. This is a regular system backup plus the ASR floppy disk. This disk contains important configuration information about the server's storage system as well as information on how to restore the backup.

When you boot from the product CD and press the F2 key, you'll enter the ASR bootstrap program. The ASR code in Windows setup knows how to read the ASR floppy disk to reconfigure the server's storage system. ASR will automatically invoke the restore program to restore the rest of the data from the ASR backup.

Tip: Access the backup portion of ASR through the Automated System Recovery Preparation Wizard located in the backup utility.

Volume Shadow Copy Service is another new feature. It allows administrators to create a point-in-time copy of user files, which the user can access and restore when previous versions are needed. These snapshots can save both the IT staff and users a whole lot of time usually spent waiting for manual restore operations of accidentally deleted files from tape. As the server administrator you can schedule the copy time—for instance, twice a day at 0900 and 1700 hours five days a week. If the amount of user data is great and changes often, you can store this data on alternate server volumes. Once configured per volume, users will find the Previous Versions tab in the properties selection for files and folders on a network shares. Users can then select View, Copy or Restore when they're presented with a list of read-only file and folder copies they can access. For more information, click here to read the white paper.

Even with all the new file management services, data and system backups are still a must with Windows Server 2003. You should know which is the fastest backup type—full, incremental or differential—and which is the fastest to restore or uses the fewest number of tapes. The answers to these questions are the same as they've always been! Incremental is the fastest but starts with a full backup. Differential offers the fastest restore, but a full backup uses the least amount of tape per backup cycle.

Tip: A new Ntbackup option, /snap, specifies whether or not the backup should use a volume shadow copy. If this option is disabled, open or in use, files may be skipped during a backup.

Server hardware failures happen! As I previously mentioned Windows Server 2003 offers ASR but it doesn't address all troubleshooting and repair needs an administrator may have. Other resources include Performance Console, Task Manager and Recovery Console to name a few. You should understand not only which tool to use when the fatal time comes but the purpose each serves. Be sure to try out each one to round out your expertise.

Name Resolution
In the portion of the exam on, "Implementing, Managing and Maintaining Name Resolution," you'll be tested on your knowledge of DNS, from installation and configuration to management.

Windows 2003 offers a new zone type, stub, which you'll want to study and practice with, and a feature called Conditional Forwarding.

A stub zone contains a copy of a zone with the original zone's SOA and NS records. This includes the authoritative servers for the zone and resource records needed to identify the authoritative servers. A DNS server hosting a stub zone is configured with the IP address of the authoritative server from which it loads. When this server receives a query for a name to IP resolution in the zone to which the stub zone refers, the server uses the IP address to query the authoritative server and returns a referral to the DNS server listed in the stub zone. To update its records, the stub-DNS server queries the primary servers for the resource records.

Tip: Although Microsoft recommends conditional forwarding for making servers aware of other namespaces, you can also use stub zones.

Conditional forwarding allows control of the name resolution process beyond the default forwarding that occurs between non-root and root name servers.

When you use conditional forwarding, DNS servers can be configured to forward queries to different servers based on the domain name in the query. This eliminates steps in forwarding and reduces network traffic. This is especially useful during a network merger.

Tip: Integrated DNS zones offer fault tolerance through Active Directory.

10 Things To Practice   Install, configure and manage all DNS zone types. You need to practice creating, managing, and maintaining DNS. Create DNS zones and understand how each is used and learn to troubleshoot problems! Download, install, and configure SUS on your network. Whether or not you plan to use Microsoft's patch management software, become familiar with it. Automated System Recovery. Run ASR even if you don't want to simulate a dead server. Be sure to follow the steps I outline in the main article and read the help files. Explore security. Try out the new security features of group policies and configure your server and clients to avoid the next big worm. Run MBSA and HFNetChk to check your results. Back up servers. Run server backups if only to a file as the destination. Just as important, restore the backups and verify EFS, compression and NTFS permissions remain the same. Implement terminal services. Using terminal services in the Remote Desktop Administration mode, you can become much more efficient managing servers. Manage Group Policy Objects. Create a few GPOs and explore the different computer and user settings available. Link a GPO to a parent OU and view the results of computer and user accounts changes within child OUs with and without Block Policy Inheritance and No Override. Install and configure IIS 6.0. Install IIS and configure Web sites for Application Pools using both the MMC and new command line utilities. Practice configuring and using VSS. Make sure you understand the client options for restore and Ntbackup options for more fault tolerance. Create and manage user and group accounts in Active Directory. Create user accounts for your family and friends using the new command line utilities. Add them to groups and logon with their accounts from a client or a second server. Change group scope and membership. Practice using the AGUDLP.

Network Security
For the exam objective, "Implementing, Managing and Maintaining Network Security," you'll be tested on your ability to implement secure network administration procedures and install and configure a software update infrastructure.

I've already covered most of the SUS implementation, configuration, and troubleshooting aspects you should understand, so let's turn to IPSec. To apply an IPSec policy in a domain environment, you must understand IPSec policy precedence. Unlike most Group Policy settings, which are cumulative, only one IPSec policy can be assigned to a computer at a time. If there are multiple IPSec policies assigned at different levels, the last one applied is the one that takes effect. IPSec policy uses the same precedence sequence as other Group Policy settings, which are from lowest to highest—local, GPO, site, domain and then OU.

Tip: IPSec is used to secure data when transferring it across the network, but EFS is used for local disk encryption.

New to Windows 2003 is RSoP (Resultant Set of Policy), which you can use to analyze IPSec policy assignments. RSoP is a Group Policy snap-in used to view IPSec policy assignments.

Once again, using the Event Viewer Application log, you can begin the process of troubleshooting IPSec. Read carefully, understand the question and view the exhibit to help make sense of the vague Event Viewer screenshots.

Network Monitor is a preferred tool for viewing real-time captured network data and can also assist when you're troubleshooting IPSec. Know the basics of this tool and make sure to get enough hands-on work with it so that you'll retain what you've learned. It'll come in handy on the job.

Additional Information You'll find study resources for Exam 70-292 within the Windows Server 2003 help and documentation. To get your free 180-day evaluation copy,click here. You can also find a lot of information online at the Windows Server Community page (click here). If you plan to attend instructor-led training to hone your Windows 2003 skills, check out course 2209: Updating Systems Administrator Skills from Microsoft Windows 2000 to Windows Server 2003, at Microsoft CTECs worldwide. If you lack prior experience with Windows, consider the five-day course 2273: Managing and Maintaining a Microsoft Windows Server 2003 Environment. Click here to review the course syllabus. Several publishers are coming out with titles to help you with self study. These include the following books: Microsoft Press has published one self-study title that covers two upgrade exams, MCSA/MCSE Self-Paced Training Kit (Exams 70-292 and 70-296): Upgrading Your Certification to Microsoft Windows Server 2003. MCSA/MCSE: Windows 2003 Upgrade Study Guide (70-292 and 70-296) from Sybex, ISBN 0-7821-4267-2, $59.99. MCSA/MCSE Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment Exam Cram 2 (Exam Cram 70-292) from Que Publishing, ISBN 0-7897-3011-1, $29.99. MCSE Exam 70-292 Study Guide and DVD Training System: Planning, Implementing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000 from Syngress Publishing, ISBN 1-9322-6656-9, $59.95. MCSE 2003 Certification Upgrade Kit: Exams 70-292 and 70-296, Syngress Publishing, ISBN 1-9322-6661-5, $99.95. MCSE/MCSA Windows Server 2003 for an MCSE/MCSA Certified on Windows 2000 Study Guide (Exams 70-292 & 70-296), Osborne, ISBN 0-0722-3058-4, $49.99. Available: March 4, 2004. Finally, I offer more tips on these exams in the chats I host at MCPmag.com. Be sure to read the transcript for the 70-292 chat by clicking here. —Andy Barkl

Final Report
This exam is challenging! If you've just begun to work with Windows Server 2003 in a production environment, studying for this exam will give you a greater appreciation for all that's new and cool in the operating system. Good luck!