Your Guide to Victory: True North on Your 70-240 Quest
You have one chance—and one chance only—to prove your expertise on Windows 2000. Here's what you need to understand to make sure you get through 70-240 victoriously.
Tackling Microsoft’s Accelerated exam is like
taking on any difficult endeavor you’ve never
really tried. You’ll never be sure you’re absolutely
ready beforehand, no matter how much preparation
you put in. But at some point you have to set
off. You have one chance—and one chance only—to
prove your expertise in one fell swoop. If you
fail, you’ll be like everybody else who wants
to get the new MCSE—going at it one exam at a
time. The intent of this article is to prepare
you for the exam as rigorously as possible. Read
it carefully. Do what it advises. Spend lots of
time preparing. If you do all of that, the leap
into the great unknown won’t be so mysterious
after all.
Who Gets To Take It
Accelerated Exam 70-240 gives you an alternative
to taking the four Win2K core exams, but it’s
not a shortcut to Win2K certification. The test
is every bit as challenging as the four core exams
it replaces. You need to know the material covered
by all four core exams (70-210, 70-215, 70-216,
and 70-217) if you want to pass.
To be eligible for your voucher to take 70-240,
you must have passed the following three Windows
NT 4.0 exams:
- Exam 70-067: Implementing and Supporting
Microsoft Windows NT Server 4.0
- Exam 70-068: Implementing and Supporting
Microsoft Windows NT Server 4.0 in the Enterprise
- Exam 70-073: Microsoft Windows NT Workstation
4.0
If you haven’t passed all three tests, you’re
not eligible to take 70-240.
And remember: Passing Exam 70-240 isn’t enough
to make you a Win2K MCSE. You also have to pass
one design exam and have two current electives.
Accelerated Exam 70-240
Title
Microsoft Windows 2000 Accelerated Exam for MCPs Certified on Microsoft Windows NT 4.0.
Requirements
You have a one-time, free opportunity to take the Accelerated Exam if you’ve passed these three Windows NT 4.0 tests:
- 70-067: NT Server 4.0
- 70-068: NT Server 4.0, Enterprise
- 70-073: NT Workstation 4.0
What 70-240 Replaces
- 70-210: Installing, Configuring and Administering Microsoft Windows 2000 Professional
- 70-215: Installing, Configuring and Administering Microsoft Windows 2000 Server
- 70-216: Implementing and Administering a Microsoft Windows 2000 Network Infrastructure
- 70-217: Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure
What Classes Prepare You
These classes aren’t required for the exams; but if you learn best with instructor-led training, here’s the roster of courses that will prepare you for the Accelerated Exam:
- 1560: Updating Support Skills From Microsoft Windows NT 4.0 to Microsoft Windows 2000
- 2151: Microsoft Windows 2000 Network and Operating System Essentials
- 2152: Implementing Microsoft Windows 2000 Professional and Server
- 2153: Implementing a Microsoft Windows 2000 Network Infrastructure
- 2154: Implementing and Administering Microsoft Windows 2000 Directory Services
Deadline
This intensive exam, which will be available through Dec. 31, 2001, covers the core competencies of exams 70-210, 70-215, 70-216 and 70-217. Vouchers for the exam will only be distributed through Nov. 1, 2001. The test can be taken one time only. If you don’t pass the exam, you must take all four core exams.
Now for the good news. Exam 70-240 is free! You
need to order your exam voucher on the MCP secure
Web site at https://partnering.one.microsoft.com/mcp. Exam 70-240 will be available
until Dec. 31, 2001. However, you must request
your voucher by Nov. 1. The voucher number will
be e-mailed to you.
Remember how the test centers got jammed up with
people trying to get their NT tests done before
the February deadline? Microsoft expects the same
high demand at test centers as the Dec. 31 deadline
nears, and it doesn’t plan to extend the date.
To get the time and date you want, register early.
When you’re ready to use your voucher to register
for the exam, simply contact Prometric or VUE
and tell them you’re using the voucher to pay
for the exam. (Their contact details are included
in “Additional Information.”)
You only have one chance to take exam 70-240.
If you fail, you must take the four individual
Win2K core exams. Microsoft wants to minimize
unnecessary item exposure, so retaking a test
that you’ve already passed is considered a violation
of the non-disclosure agreement. That means if
you pass all four core exams, you can’t take 70-240.
Likewise, if you pass 70-240, you can’t then take
each of the individual core exams. However, you
can take some of the individual core exams and
then try 70-240 (an important strategy, as I’ll
soon explain).
About the Exam
The test is divided into four sections,
one section or subtest for each of the individual
core exams. Think of it as taking four not-so-long
tests in one very long session. You’ll have four
hours to complete the exam. There are about 100
questions, and they’re divided about equally between
the four sections. Each section is about an hour
long, with about 25 questions. You must finish
one section before going on to the next.
Tip: There’s no set order in which to
receive the four subtests, so don’t expect that
your test will start with the Professional exam.
The score is a simple pass/fail. You won’t receive
a score, a description of how you did on each
subtest, or a breakdown that corresponds to test
objectives.
Microsoft offers both traditional and adaptive
format exams. A traditional exam has a fixed number
of questions. You can go back and forward in the
exam, which means you can mark questions for review.
An adaptive exam varies in length. The test starts
with an easy to moderately difficult question.
If you answer that one correctly, the next question
is more difficult. If you answer the question
incorrectly, the next question is easier. This
process continues until the test determines your
ability level. From the test-taker’s perspective,
one of the most noticeable features of the adaptive
exam is that you can’t go back to review questions.
Once you answer a question, it’s graded and you
go on to the next. At the time I took Exam 70-240,
it was a traditional exam—meaning, non-adaptive—but
Microsoft reserves the right to change the testing
format at any time.
Tip: Four hours is a long time. If you think you’ll need a bathroom break during the exam, ask the staff at the testing center how they prefer to deal with this in a secure fashion. When I took the test, I asked the proctor before I was seated. I think she thought it was a weird question until I explained that the test was four hours long.
Two Philosophies
Given the size and difficulty of the exam,
one of the first things everyone asks a trainer
is: “Help! How do I study for this exam?” QuickStart
Technologies Trainer Larry Passo passes on two
different philosophies to his students:
- I must pass! Study for all four core
exams. When you think you’re ready, pay to take
the one core exam that worries you the most.
For most people this will probably be exam 70-216,
Network Infrastructure, or exam 70-217, Directory
Services. If you pass, sign up to take 70-240.
You’re ready to go! If you fail the core exam,
study more or think about the next approach.
- I’m going to take the exam but I don’t
want an ulcer. Study hard, then go take
it. If you pass, celebrate! If not, you had
a wonderful, free, practice exam. Use what you
learned about your weak areas to get ready for
the individual exams.
Which one is a better choice? It depends. If
you need to keep your MCSE current when the end
of this year arrives, then you probably want to
take the first approach. In this situation, I’d
also recommend taking 70-240 sooner rather than
later. If you fail, you still have time to get
your certification upgraded before the deadline.
If you’re willing to let your certification lapse
for a while, then the second approach is attractive.
The test is free, so you might as well take it
while you have the chance.
Once you’ve made that decision, it’s time to
hit the books! Which are the best? Well, I started
working with Win2K when it was still in beta,
so I used the online help, pored over the Server
Resource Kit (when it came out), and spent a lot
of time playing with the product. In other words,
I didn’t use any books. They weren’t available.
Of course, for you it’ll be easier. Scads of
preparation guides exist. The materials—reviewed
in these pages every month—can help give your
study efforts a jumpstart.
My best advice for picking out a set of books
is this: Go to your favorite bookstore with the
huge technical section and grab a pile of Win2K
Professional books. Spend time reading a little
from each. Pick the one that makes sense to you.
Writers have their own styles, and you’ll be more
likely to read the book if you actually like the
way it’s written. Make sure the book you pick
has plenty of practice/step/how-to sections. Then,
after you’ve bought your favorite selection, do
each one of the practice labs. Then do this
for each of the core topics.
I tend to prefer four individual books instead
of a single upgrade book. Buying four books will,
of course, repeat some information, but that never
hurts when you’re studying. I find that this approach
focuses the reader on the objectives for a specific
exam. Remember: Exam 70-240 is actually four different
tests in one sitting. I think it helps to drill
down on a specific set of test objectives when
you study because that’s the way the exam is presented.
However, if you like the single-book approach,
then hit those shelves and yank out the all-in-one-volumes.
Be sure to check the content if you buy a single
upgrade book. To cut down the size of the book,
the publisher might skip some topics or only cover
them on an accompanying CD.
I also recommend that you supplement whatever
books you read with the Windows 2000 Server Resource
Kit. If there’s a topic not covered in much detail
in one of your books, odds are good it’s in the
Kit. Use it as a reference. As an added bonus,
it’s also a great guide for the design exams (and
a useful real-life administrative resource).
In the lists throughout this
article, I suggest tasks that you should complete
as you study for the exam. In the rest of the
story, I’ll take you on a tour of the new technologies
emphasized in each exam.
Knowing
Win2K Professional
As you’ve probably noticed by studying
the exam guidelines that Microsoft makes available
on this test, the Win2K Professional Exam has
seven major content areas. They include installation,
resource administration, hardware administration,
system performance, desktop management, networking
and security. Let’s drill down on each.
Win2K allows you to boot from the installation
CD-ROM, which really speeds up an attended installation.
If your computer doesn’t support booting from
the CD-ROM, you need to make boot disks with makeboot.exe
or makebt32.exe. Remote Installation Services
(RIS) is new to Win2K. You need to set up the
RIS server, which requires Active Directory (AD),
DNS and DHCP. Be aware that DHCP broadcasts aren’t
necessarily routed, so you need to make sure DHCP
clients can contact the DHCP server. RFC 1542-compliant
routers can send on DHCP requests. If your routers
don’t support this, you can install a DHCP Relay
Agent on the network segments without local DHCP
servers.
Make sure to understand how you can run Win2K
service packs against your shared network copies
of the Win2K installation files by invoking update.exe
with the –s option. In this way, after installing
new Win2K features, you no longer have to reapply
the service pack. Also be familiar with the WINNT32 /checkupgradeonly
option and the downloadable
CHKUPGRD.EXE tool to verify the compatibility
of the machine to be upgraded.
For resource management, make sure you know your
NTFS and share permissions inside and out. Compression
is an NTFS attribute, so when you copy and move
files, it behaves like NTFS permissions. However,
there are a couple gotchas. Encryption and compression
are mutually exclusive. You can’t compress an
encrypted file and you can’t encrypt a compressed
file. Also, it’s an NTFS attribute, so when you
try to copy a compressed file to a FAT partition,
it’ll be uncompressed. Encryption is a little
different from compression in that when an encrypted
file is copied or moved to a different Win2K NTFS
drive, it always remains encrypted. This is even
the case when copying to an NTFS drive on a remote
Win2K machine.
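To work through the practice-list questions about how share permissions interact with NTFS permissions, and what happens when you Deny Full Control to Everyone, here is an added Python model (not code from the article or from Microsoft) of the combination rules: Allow entries accumulate across a user's groups, any matching Deny entry overrides them, and over the network the effective rights are the intersection of the share result and the NTFS result. The right names, permission levels, ACLs and account names are constructed for the example.

```python
"""Toy model of how Windows 2000 share and NTFS permissions combine.

Added illustration, not the article's code: it encodes the combination rules
(cumulative Allow, Deny overrides Allow, network access limited to the
intersection of share and NTFS rights) as a small calculator.
"""
from typing import Dict, FrozenSet, List, NamedTuple

# Granular rights; the named permission levels below are unions of these.
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER = (
    "read", "write", "execute", "delete", "change_permissions", "take_ownership",
)
ALL_RIGHTS: FrozenSet[str] = frozenset(
    {READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNER})

# Share permission levels (Read / Change / Full Control) expressed as rights.
SHARE_LEVELS: Dict[str, FrozenSet[str]] = {
    "Read": frozenset({READ, EXECUTE}),
    "Change": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Full Control": ALL_RIGHTS,
}
# Common NTFS permission levels, likewise (simplified).
NTFS_LEVELS: Dict[str, FrozenSet[str]] = {
    "Read": frozenset({READ}),
    "Read & Execute": frozenset({READ, EXECUTE}),
    "Modify": frozenset({READ, EXECUTE, WRITE, DELETE}),
    "Full Control": ALL_RIGHTS,
}


class Ace(NamedTuple):
    principal: str          # user or group name, e.g. "Everyone", "Sales", "alice"
    allow: bool             # True = Allow entry, False = Deny entry
    rights: FrozenSet[str]


def effective_rights(acl: List[Ace], user: str,
                     groups: FrozenSet[str]) -> FrozenSet[str]:
    """Combine every ACE that applies to the user or one of its groups.

    Allow entries accumulate; any Deny entry removes those rights again,
    which is why "Deny Full Control to Everyone" locks out every account.
    Every account is treated as a member of Everyone.
    """
    identities = set(groups) | {user, "Everyone"}
    allowed: set = set()
    denied: set = set()
    for ace in acl:
        if ace.principal in identities:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def access(share_acl: List[Ace], ntfs_acl: List[Ace], user: str,
           groups: FrozenSet[str], via_share: bool) -> FrozenSet[str]:
    """Effective rights for a local logon (NTFS only) or a network session
    through a share (most restrictive of share and NTFS)."""
    ntfs = effective_rights(ntfs_acl, user, groups)
    if not via_share:
        return ntfs
    return ntfs & effective_rights(share_acl, user, groups)


# Constructed sample ACLs (not from the article).
SAMPLE_SHARE_ACL = [Ace("Everyone", True, SHARE_LEVELS["Change"])]
SAMPLE_NTFS_ACL = [
    Ace("Sales", True, NTFS_LEVELS["Modify"]),
    Ace("alice", False, frozenset({WRITE})),  # explicit Deny beats the group Allow
]
# The classic mistake: Deny Full Control to Everyone on an NTFS folder.
LOCKOUT_NTFS_ACL = [
    Ace("Everyone", False, NTFS_LEVELS["Full Control"]),
    Ace("Administrators", True, NTFS_LEVELS["Full Control"]),
]

if __name__ == "__main__":
    sales = frozenset({"Sales"})
    print("alice over the share:", sorted(access(SAMPLE_SHARE_ACL, SAMPLE_NTFS_ACL, "alice", sales, True)))
    print("bob over the share:  ", sorted(access(SAMPLE_SHARE_ACL, SAMPLE_NTFS_ACL, "bob", frozenset(), True)))
    print("admin after lockout: ", sorted(access(SAMPLE_SHARE_ACL, LOCKOUT_NTFS_ACL, "admin", frozenset({"Administrators"}), False)))
```

The model deliberately leaves out ownership and the Take Ownership privilege, which is how an administrator actually recovers a folder after the Deny-Everyone mistake: take ownership, then rewrite the ACL. Bob's case shows the other half of the rule: a generous share permission grants nothing if the NTFS ACL gives him no entry at all.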
Printing hasn’t changed much from NT 4.0. You
still need to know the basics of printer management,
such as printer installation, how to set permissions,
configuration options such as printer priorities,
and how to change the location of the spool folder.
One new feature is Internet printing. The print
server must be running IIS, then you can connect
to a printer via a URL. Use http://servername/printers
to see a list of all printers on that server.
Use http://servername/printersharename to go
directly to the page for that printer.
Win2K supports FAT, FAT32 and NTFS. Keep in mind
that the Windows 9x platform doesn’t support NTFS.
So if you’re setting up a dual-boot system, use
FAT or FAT32 for any partition that needs to be
visible to both operating systems.
The hardware management section of the objectives
really relies on experience. If you’ve set up
your share of computers, exam questions that cover
these objectives will be pretty straightforward.
If you haven’t, get your hands on some hardware.
Tip: As a new feature, Win2K supports multiple monitors.
Know how to configure offline files. By default,
Win2K Professional is enabled to use offline files
while Win2K Server isn’t. Even though your computer
is enabled to use offline files, you still need
to select the folders and files that you want
to make available offline. Use Synchronization
Manager to control how those files are synchronized
with the network. You can synchronize files at
log on or log off, when your computer is idle,
or according to a specific schedule. You can also
create different synchronization rules, depending
on the network connection the computer is currently
using.
Optimizing your computer’s performance is similar
to NT 4.0. System Monitor is essentially Performance
Monitor in new clothes—the MMC or Microsoft Management
Console. Understand when you need an additional
CPU or just more memory. Hardware profiles are
also similar to NT. They’re most often used with
laptop computers to manage a docked vs. undocked
environment. Generally, you disable devices you
don’t need under a specific profile.
Windows Backup is your basic tool for backing
up data and the system state data. The system
state data on a Win2K Professional computer includes
the registry, boot files and COM objects. Be aware
that you can back up and restore data locally
or remotely. Backup or restore of the system state
data, however, must be done locally.
You should also know what comprises system state
data for servers. For Win2K servers, it includes
the same information as Win2K Professional along
with the certificate services database, if it
exists. Also, for Win2K domain controllers (DCs),
this includes the same information for Win2K servers,
plus AD and the Sysvol folder.
You have new options for troubleshooting boot
problems. Safe mode loads a minimal driver set
during start up. You can also boot to the command-line
Recovery Console. The Recovery Console can be
used to start and stop services, read and write
data on a local drive and format disks.
Tip: New desktop options include Regional Options, Faxing and Accessibility Options.
Windows Installer packages are another important
topic for the knowledgeable MCSE. Make sure you
understand the difference between assigning an
application to a user or a computer and publishing
an application to a user. When you publish an
application, it appears in Add/Remove Programs
in Control Panel, and the application will automatically
install if the user tries to open a document supported
by that application (document invocation). What’s
the difference between assigning an application
to a user and publishing an application to a user?
Assigning creates shortcuts to the application
in the user’s Start menu, which will automatically
install the application the first time a user
attempts to use it; publishing doesn’t. Also,
applications that don’t support the new Windows
Installer format can’t be assigned; they can only
be published. Applications assigned to computers
are automatically installed the next time the
computer boots.
For TCP/IP, of course, you need to know the basics
for configuration and troubleshooting. Much of
what you need to understand here will be covered
in detail when you study for the Network Infrastructure
section of the exam.
Dial-up networking is alphabet soup. You need
to know authentication protocols backward and
forward, including EAP (extensible authentication
protocol), MS CHAP v.2 (Microsoft challenge-handshake
protocol), MS CHAP v.1, CHAP, SPAP (Shiva password
authentication protocol) and PAP. Also know your
VPN protocols, PPTP (point-to-point tunneling
protocol) and L2TP (layer 2 tunneling protocol).
When you create a dial-up connection, you can
share it with Internet Connection Sharing (ICS).
Understand how to set up ICS and how it works.
This is a really neat feature for connecting a
small network (like the one in your home) to the
Internet.
EFS, the Encrypting File System, is a new feature
of NTFS. Be aware that you can’t compress encrypted
files. Only the person who encrypted a file or
the designated Recovery Agent can decrypt that
file.
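The reason the encrypting user and the designated Recovery Agent can both decrypt a file while nobody else can is EFS's key layout: each file is encrypted under a random File Encryption Key (FEK), and the FEK is stored twice, wrapped for the user in the Data Decryption Field (DDF) and for the recovery agent in the Data Recovery Field (DRF). The Python block below is added here and is not code from the article or from Windows; it models that layout, substituting a SHA-256-based toy stream cipher and per-principal secret keys for the DESX cipher and RSA certificate keys real EFS uses. The principal names and keys are constructed.

```python
"""Toy model of the Encrypting File System key layout (added example).

Real EFS wraps the FEK with RSA public keys taken from certificates and
encrypts data with DESX; this model uses a hash-based stand-in cipher and
symmetric per-principal keys, which is enough to show why only the owner's
DDF entry or the recovery agent's DRF entry can recover the data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Tuple


def _xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher built from SHA-256 (NOT a real cipher)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + label + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def _wrap(kek: bytes, fek: bytes) -> Tuple[bytes, bytes]:
    """Wrap the FEK under a principal's key; the tag lets a wrong key be
    detected instead of silently yielding garbage."""
    return _xor_stream(kek, b"wrap", fek), hmac.new(kek, fek, "sha256").digest()


def _unwrap(kek: bytes, wrapped: bytes, tag: bytes) -> bytes:
    fek = _xor_stream(kek, b"wrap", wrapped)
    if not hmac.compare_digest(hmac.new(kek, fek, "sha256").digest(), tag):
        raise ValueError("key does not unwrap this field")
    return fek


@dataclass
class EfsFile:
    ciphertext: bytes
    ddf: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)  # user -> wrapped FEK
    drf: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)  # agent -> wrapped FEK


def encrypt_file(plaintext: bytes, owner: str, owner_key: bytes,
                 agent: str, agent_key: bytes) -> EfsFile:
    """Encrypt under a fresh random FEK and record it for owner and agent."""
    fek = os.urandom(32)
    f = EfsFile(_xor_stream(fek, b"data", plaintext))
    f.ddf[owner] = _wrap(owner_key, fek)
    f.drf[agent] = _wrap(agent_key, fek)  # recovery agent's copy of the FEK
    return f


def decrypt_file(f: EfsFile, principal: str, key: bytes) -> bytes:
    """Only a principal with a DDF or DRF entry can recover the FEK."""
    entry = f.ddf.get(principal) or f.drf.get(principal)
    if entry is None:
        raise PermissionError(f"{principal} holds no DDF/DRF entry for this file")
    fek = _unwrap(key, *entry)
    return _xor_stream(fek, b"data", f.ciphertext)


def can_decrypt(f: EfsFile, principal: str, key: bytes) -> bool:
    try:
        decrypt_file(f, principal, key)
        return True
    except (PermissionError, ValueError):
        return False


# Constructed sample principals: keys derived from their names so the demo is reproducible.
KEYS = {name: hashlib.sha256(name.encode()).digest()
        for name in ("alice", "bob", "RecoveryAgent")}
SAMPLE = encrypt_file(b"Q3 payroll figures", "alice", KEYS["alice"],
                      "RecoveryAgent", KEYS["RecoveryAgent"])

if __name__ == "__main__":
    for who in ("alice", "RecoveryAgent", "bob"):
        print(f"{who:14s} can decrypt: {can_decrypt(SAMPLE, who, KEYS[who])}")
```

Bob's request fails before any decryption is attempted because the file carries no entry for him, and a wrong key for an existing entry is caught by the tag on the wrapped FEK. The same layout is why the recovery exercise in the practice list works without the user's key, and why the recovery agent's own private key has to be protected and backed up with equal care.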
40 Tasks to Prepare for the 70-210 Win2K Professional Exam
Installing
Windows 2000 Professional
- Install Windows 2000 Professional
- Create an answer file and
perform one unattended installation
in which you boot from CD-ROM
and one where you connect
to a distribution server.
- Download the latest service
pack and apply it to your
Professional installation.
- Use slipstreaming to integrate
the service pack into a distribution
image of Professional.
- Set up a RIS server and
use it to install Windows
2000 Professional. (This exercise
should be done in conjunction
with the RIS exercises for
the AD exam. You may want
to put this one off until
you’re studying for that test.)
Administration
of Resources
- Practice with NTFS permissions.
What happens when you Deny
Full Control to Everyone?
- Copy and move files within
and between NTFS partitions.
What happens to the permissions?
- Compress a file and then
try to encrypt it. Can you?
- Share a folder on an NTFS
partition and configure the
share permissions. How do
the share permissions interact
with the NTFS permissions?
- Use convert.exe to convert
from FAT or FAT32 to NTFS.
- Install a printer and configure
the permissions. Then use
your Web browser to connect
to the printer.
Hardware Devices
and Drivers
- Upgrade from a basic to
a dynamic disk.
- Configure spanned and striped
volumes.
- Set up a computer with
two monitors.
- Install an old driver and
then update it.
- Change the binding order
on your network adapter.
- If possible, install a
second processor in a computer.
System Performance
and Reliability
- Change your driver signing
options. Configure the computer
to block the installation
of unsigned drivers, and then
try to install one.
- Use Task Scheduler to schedule
a task.
- Set up offline files. Try
different synchronization
options.
- Use System Monitor to monitor
your computer’s performance.
- Set up hardware profiles.
- Back up your computer with
Windows Backup. Try it remotely
and locally. What happens
when you try to back up or
restore the system state data
remotely?
The Desktop
Environment
- Set up a roaming and a
mandatory roaming profile.
- Add an additional language
and use the locale indicator
on the Taskbar to switch between
languages.
- Deploy a Windows Installer
package through a Group Policy
object. What’s the difference
between assigning and publishing
the application?
- Set up a fax.
- Configure Accessibility
options. Use Utility Manager
to start them automatically when the computer starts.
Network Protocols
and Services
- Configure TCP/IP manually
and as a DHCP client. What
happens when no DHCP server
is available for the client?
- Create different types
of dial-up connections. Dial
up to the Internet, a VPN
connection and a remote access
server.
- Set the authentication
methods and data encryption
for a dial-up connection.
In what case is each authentication
method best used? How does
encryption interact with each
authentication method?
- Set up Internet Connection
Sharing. How do the ICS clients
need to be configured?
Security
- Use Encrypting File System
(EFS) to encrypt data. Try
to share an encrypted file.
What happens?
- Recover an encrypted file
with the Recovery Agent.
- Use the Security Configuration
and Analysis snap-in to compare
your computer’s security with
one of the standard templates.
- Take a look at the options
in the security templates:
basicwk.inf, compatws.inf,
securews.inf and hisecws.inf.
When would you use each template?
- Set up auditing.
- Configure the password
policy on the local computer.
- Create local users and
groups and assign them access
to resources.
- Create domain users and
groups and assign them access
to resources.
Mastering
Win2K Server
According to the exam guidelines for this
portion of the Accelerated test, there are seven
major content areas for the Server exam. They
include installation, resource administration,
hardware administration, system performance, storage
use, networking and security.
Understand the consequences of upgrading PDCs
and BDCs. You must upgrade the PDC in an NT 4.0
domain before you can upgrade any BDCs or even
install a new Win2K DC. If you simply go ahead
and install a new Win2K DC, you haven’t upgraded
the NT domain; instead, you’re trying to replace
it!
Resource administration concepts are similar
to those you need to understand for the Professional
exam. You need a thorough knowledge of NTFS and
share permissions. You also need to know how to
provide print services to non-Windows clients.
For example, how do you set up a printer so that
a Unix client can use it? And how do you set up
a Unix printer so that a Windows client can use
it?
Dfs (distributed file system) is a new feature.
You can create a stand-alone Dfs installation,
but it won’t be fault tolerant. Domain-based Dfs
is fault tolerant. You can create replicas of
folders so that data is accessible, even if one
copy of the folder is offline.
Web files and folders are covered in the objectives,
so study the MMC for IIS. Understand how to configure
site properties and permissions on folders. (There’s
a Web sharing tab on the properties dialog box
of each folder.)
Tip: System Monitor is similar to NT Performance Monitor. You also need to understand how to stop processes and set priorities with Task Manager.
The hardware management section of this exam
really relies on experience. If you’ve set up
your share of computers, you’ll be prepared. If
you haven’t, get your hands on some hardware.
Make sure you get plenty of practice with the
Device Manager tool and understand how you can
use it to update the installed version of the
driver you’re using. Driver signing is a new feature.
You can Block, Ignore, or Warn when a user tries
to install an unsigned driver. You can also set
these options with GPOs (Group Policy Objects).
Backup is similar to the Professional exam, with
one big exception: when restoring a DC, you must
understand the difference between an authoritative
and non-authoritative restore of AD. This topic
is also covered in the Directory Services exam.
How much do you know about disks and volumes?
Win2K introduced basic and dynamic disks. Basic
disks are also used in NT and Windows 9x computers,
but dynamic disks are only used with Win2K. You’d
better understand disk mirroring, RAID and fault-tolerance
concepts, hot-swappable drives, and how to recover
failed drives.
Data compression and disk quotas are new to Win2K.
Be aware that quotas measure uncompressed disk
space, so a user may get an out-of-space warning
even if it looks like he or she has some space
left.
As a certified professional, you need to be able
to set up the server side of the virtual private
network or VPN. Know the “alphabet soup” of VPNs
and authentication protocols. Make sure you’ve
studied Routing and Remote Access. Do you know
which options are set up with policies and which
are set with profiles? Also, configuration options
will change, depending on whether your domain
is in Mixed or Native mode.
Terminal Server is a big new topic. It runs in
two modes: remote administration and application.
Application mode runs applications on the terminal
server and can also be used to control a user’s
terminal services session remotely.
As I mentioned in my coverage of the Professional
exam, EFS is a new topic for Windows 2000. As
administrator, you must be able to recover files
that have been encrypted.
NT and 9x computers can’t use the new GPOs of
Win2K. For these clients, you need to be able
to integrate System Policy into your Win2K environment.
Note that Win2K Professional computers won’t take
System Policy from Win2K DCs, but they will take
it from NT 4.0 DCs—a big problem if you’re in
the middle of an upgrade!
Users, groups, password policies, auditing and
user rights are all similar to how they function
in NT. Security templates are a new topic. Know
how each of the different standard templates affects
the security configuration of the computer.
40 Tasks to Prepare for the 70-215 Win2K Server Exam
Installation
- Install Windows 2000 Server.
- Promote a Windows 2000 Server
to a DC.
- Upgrade a server from Windows
NT 4.0 to Windows 2000.
- Upgrade an NT 4.0 domain
to Windows 2000.
- Perform an unattended installation
from a distribution server.
- Download the latest service
pack and install it on your
server.
- Install and configure a
printer. Set permissions.
- Create a printer pool.
- Configure printer priorities.
- Install and configure a
printer that can be used by
Unix clients.
- Install and configure a
printer that will allow Windows
clients to print to a print
device physically attached
to a Unix computer.
- Review NTFS and share permissions.
(You studied them for the
Professional exam.)
- Set up a stand-alone Dfs.
- Set up a domain-based Dfs
and create a replica.
- Configure Web site properties.
- Configure file permissions
for files in your Web site.
Hardware Devices
and Drivers
- Configure driver signing
options on the server.
- Install an old driver and
update it. Take a look at
the Windows Update Web site.
- Use Task Manager to set
the priority of a process.
- Use Task Manager to end
a process.
- Use System Monitor to monitor
your server’s performance.
- Use Windows Backup to back
up the server locally and
remotely. What happens when
you try to back up and restore
system state data remotely?
- Back up the system state
data on a DC. Perform a non-authoritative
restore and an authoritative
restore.
- Upgrade a disk from basic
to dynamic.
- If possible, create mirrored
and RAID-5 volumes.
- Remove a drive so that
your mirror or RAID-5 volume
fails. Then recover from the
failure.
- Configure disk quotas for
all users and for a few specific
users.
- After configuring disk
quotas, log on with an account
that has a small quota, and
copy a large amount of data.
What happens when you exceed
the quota limit?
Network Connections
- Install and configure DNS.
(You’ll need to do this when
you set up your first DC.)
- Install and configure DHCP.
- Set up a VPN on the server.
Have a client connect to the
VPN.
- Set up Routing and Remote
Access as a remote access
server.
- Create a remote access policy
and a remote access profile.
What are the implications
of a Native mode domain vs.
a Mixed mode domain?
- Install Terminal Services
as remote administration server.
Connect to your server remotely
and administer the server.
- Install Terminal Services
as an application server.
Install an application on
the server. Run the application
as a remote user (not an administrator).
- Set up the Terminal Server
(in application mode) for
remote control. Try to control
the remote client’s terminal
services session.
- Install NWLink and GSNW.
If possible, create a gateway
to resources on a NetWare
server. What happens if you
configure NWLink to use a
frame type not currently in
use on your network?
- Create an NT 4.0 Group Policy
and make it available to an
NT 4.0 client from a Windows
2000 DC.
- Review the EFS, auditing,
password policy, and user
and group exercises you completed
as you studied for the Professional
exam.
- Review the security template
exercises that you completed
as you studied for the Professional
exam. This time, look at the
server templates instead of
the workstation templates.
Inside
the Win2K Network Infrastructure
You need to be an expert in eight major
areas for the Network Infrastructure exam. These
consist of DNS, DHCP, remote access, network protocols,
WINS, IP routing, NAT and certificate services.
This section is often considered the most difficult
part of the exam. In my opinion, the thing that
makes this part of the exam so difficult is the
large and diverse number of topics that it covers.
Let’s start with DNS. The basics are the same
as NT 4.0, with two important additions: dynamic
updates and AD-integrated zones. Win2K DNS
is actually Dynamic DNS. That means statically
configured clients can automatically send their
IP and host name information to the DNS server.
When using DHCP with a Win2K client, the default
behavior is that the PTR DNS record for the client
is updated by the DHCP server and the DNS record
is updated by the client. (Of course, older, non-Win2K
clients don’t know how to do this.) AD-integrated
zones store the zone database in AD. This is usually
Microsoft’s preferred approach for implementing
a Win2K DNS structure. The approach has some real
advantages. Integrated zones support secure updates
and you don’t have to configure zone replication.
It’s taken care of as a part of AD replication.
DHCP also has some new features. An important
one is its ability to update the dynamic DNS server
with records for older clients. Win2K DHCP servers
need to be authorized to run in an AD environment.
This decreases administrative headaches, because
it makes rogue DHCP servers less likely.
Tip: Non-Win2K DHCP servers have no idea they need to be authorized, so this doesn’t prevent someone from installing an unauthorized NT 4.0 DHCP server!
You also should understand superscopes and multicast
scopes and when each is used. Another newer feature
you need to be aware of involves the client. If
a Win2K DHCP client can’t find a DHCP server,
it will assign itself an IP address using Automatic
Private IP Addressing (APIPA). An APIPA address
has the format 169.254.x.y, with subnet mask 255.255.0.0.
Option classes are another interesting new feature
that allows you to have different DHCP-assigned
values depending on the type of client, which
could be by function and/or hardware type.
The remote access objectives are similar to those
in the Server exam. One of the few new objectives
is RRAS and DHCP integration. RRAS leases addresses
from DHCP in blocks of 10 and passes them out
to client computers.
Tip: As you study network protocols, you'll find plenty of overlap
with what you need to understand for the Server and Professional exams.
For instance, you need to know TCP/IP backward and forward. You should
also be very comfortable with subnet masks, always a favorite exam topic.
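The APIPA paragraph and the subnet-mask tip above are the two checks an admin actually makes by hand when a Win2K client "can't see the network": is the address a 169.254.x.y fallback, and is the client on the same subnet as its gateway? The following is an added example (not code from the article) that does both with the standard library; the addresses used are constructed for illustration.

```python
import ipaddress

# Added example, not from the article. Sample addresses are constructed.
APIPA = ipaddress.ip_network("169.254.0.0/16")          # mask 255.255.0.0
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip):
    """'apipa' (the client never reached a DHCP server), 'private'
    (needs NAT or ICS to reach the Internet) or 'public'."""
    addr = ipaddress.ip_address(ip)
    if addr in APIPA:
        return "apipa"
    if any(addr in net for net in PRIVATE):
        return "private"
    return "public"


def subnet_facts(ip, mask):
    """Network, broadcast, prefix length, usable host count and host range
    for an address/mask pair; mask may be dotted (255.255.254.0) or a prefix."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if net.prefixlen >= 31:        # point-to-point or single host: no host range
        first = last = None
        usable = 0
    else:
        first = str(net.network_address + 1)
        last = str(net.broadcast_address - 1)
        usable = net.num_addresses - 2
    return {"network": str(net.network_address),
            "broadcast": str(net.broadcast_address),
            "prefix": net.prefixlen,
            "usable_hosts": usable,
            "first_host": first,
            "last_host": last}


def same_subnet(ip_a, ip_b, mask):
    """True if the two hosts can talk without going through a router."""
    net_a = ipaddress.ip_network(f"{ip_a}/{mask}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{mask}", strict=False)
    return net_a.network_address == net_b.network_address


if __name__ == "__main__":
    for ip in ("169.254.10.20", "192.168.0.5", "131.107.2.200"):
        print(ip, classify(ip))
    print(subnet_facts("131.107.2.200", "255.255.254.0"))
    # A /23 puts 10.1.4.x and 10.1.5.x on one subnet; a /24 does not.
    print(same_subnet("10.1.4.7", "10.1.5.9", "255.255.254.0"))
```

Feed `same_subnet` a client address and its configured default gateway with the client's mask: a `False` answer is the classic "wrong subnet mask" exam (and help-desk) scenario, and a `classify` result of `apipa` means the DHCP conversation never happened at all.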
A topic new to this exam is IPSec (Internet protocol
security), which protects IP packets as they’re
transmitted over the network. Default IPSec policies
include Client (Respond Only), Server (Request
Security), and Secure Server (Require Security).
The Client policy allows plain text communications,
but will respond to IPSec requests and attempt
to negotiate a secure connection. The Server policy
has the server attempt to initiate a secure connection.
However, the server will allow communication with
a non-IPSec-aware client. The Secure Server policy
requires that all clients connecting to the server
be IPSec-aware. Note that this policy prevents
communication with unsecured clients!
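Which pairs of the three default policies end up talking in clear, which negotiate IPSec, and which can't talk at all is a favorite question, and the one people get wrong is two Respond Only hosts, which never secure anything because neither side asks. The following added example (not from the article) models each default policy as three flags and derives the outcome of every pairing from them; the flag names and the `negotiate`/`matrix` functions are my own.

```python
from dataclasses import dataclass
from itertools import product

# Added example, not from the article: models the three default Win2K
# IPSec policies (plus a host with no policy) and who can talk to whom.


@dataclass(frozen=True)
class IPSecPolicy:
    name: str
    initiates: bool   # asks the peer to negotiate IPSec for outbound traffic
    responds: bool    # answers a peer that asks to negotiate
    requires: bool    # never falls back to plaintext


NO_IPSEC      = IPSecPolicy("No IPSec",                         False, False, False)
CLIENT        = IPSecPolicy("Client (Respond Only)",            False, True,  False)
SERVER        = IPSecPolicy("Server (Request Security)",        True,  True,  False)
SECURE_SERVER = IPSecPolicy("Secure Server (Require Security)", True,  True,  True)


def negotiate(a, b):
    """Outcome between two hosts: 'ipsec', 'plaintext' or 'blocked'."""
    if (a.initiates or b.initiates) and (a.responds and b.responds):
        return "ipsec"          # someone asked, and both sides can answer
    if a.requires or b.requires:
        return "blocked"        # Require Security never falls back to clear
    return "plaintext"          # nobody asked, or the peer can't answer


def matrix(policies=(NO_IPSEC, CLIENT, SERVER, SECURE_SERVER)):
    """Full outcome table keyed by (policy name, policy name)."""
    return {(a.name, b.name): negotiate(a, b)
            for a, b in product(policies, repeat=2)}


if __name__ == "__main__":
    for (left, right), outcome in matrix().items():
        print(f"{left:34} <-> {right:34} : {outcome}")
```

The security point hiding in the table: only Require Security prevents a downgrade to plaintext. Request Security secures traffic with peers that can negotiate but quietly talks in clear to anything that can't, which is exactly what an attacker's host will do.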
If you're up to speed on WINS for NT 4.0, the
WINS section of the exam should be a breeze. If
not, it's time to hit the books. The biggest change
with NetBIOS in Win2K is that it's no longer required:
Win2K computers resolve each other's names through DNS.
However, unless you're working in a completely
Win2K environment, you still need NetBIOS name resolution
and WINS for your older clients. You can disable
NetBIOS over TCP/IP on your Win2K computers, but
then they'll have problems communicating with
older computers that depend on NetBIOS.
Win2K supports static and dynamic routing. With
static routing you manually enter the routes in
the routing table. Dynamic routing protocols such
as RIP and OSPF exchange routes among dynamic
routers. OSPF allows routers to exchange routing
information and create a map of the network that
calculates the best possible path to each network.
Problems can occur when the routing (link state)
database becomes too large. OSPF divides the network
into areas to combat problems associated with
large databases. A backbone area connects areas
to each other. Each router keeps only a database
for the areas to which it’s connected. Area Border
Routers connect the backbone to other areas.
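"Create a map of the network that calculates the best possible path" is the shortest-path-first (Dijkstra) computation each OSPF router runs over its link-state database, once per area it belongs to. The following is an added example (not from the article) of that computation over a small constructed link-state database; router names, costs and the `spf`/`next_hop` functions are mine.

```python
import heapq

# Added example, not from the article. Constructed link-state database:
# (router_or_network, router_or_network, interface cost). Costs are the
# OSPF metrics an admin assigns (or that are derived from link bandwidth).
LINK_STATE_DB = [
    ("R1", "R2", 10),
    ("R1", "R3", 30),
    ("R2", "R3", 10),
    ("R2", "R4", 50),
    ("R3", "R4", 10),
    ("R4", "Net_10.2.0.0/16", 1),
]


def build_graph(lsdb):
    """Adjacency map from the flat link list (links are bidirectional)."""
    graph = {}
    for a, b, cost in lsdb:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def spf(lsdb, root):
    """Dijkstra from `root`: {node: (total cost, path as list of nodes)}."""
    graph = build_graph(lsdb)
    best = {root: (0, [root])}
    frontier = [(0, root)]
    done = set()
    while frontier:
        cost, node = heapq.heappop(frontier)
        if node in done:
            continue
        done.add(node)
        for neighbor, link_cost in graph[node].items():
            new_cost = cost + link_cost
            if neighbor not in best or new_cost < best[neighbor][0]:
                best[neighbor] = (new_cost, best[node][1] + [neighbor])
                heapq.heappush(frontier, (new_cost, neighbor))
    return best


def next_hop(lsdb, root, destination):
    """What SPF installs in the routing table: (next hop, total cost)."""
    cost, path = spf(lsdb, root)[destination]
    return (path[1] if len(path) > 1 else root, cost)


if __name__ == "__main__":
    for dest, (cost, path) in sorted(spf(LINK_STATE_DB, "R1").items()):
        print(f"{dest:18} cost {cost:3}  via {' -> '.join(path)}")
    print(next_hop(LINK_STATE_DB, "R1", "Net_10.2.0.0/16"))
```

Note that R1 reaches R3 through R2 (cost 20) rather than over its direct 30-cost link, which is the kind of "which path does OSPF pick" question the exam likes. The per-area database split the text describes exists because this computation, and the memory for `best`, grows with every link in the database.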
Win2K supports two different solutions for translating
private IP addresses to public IP addresses: ICS,
already discussed, and Network Address Translation
(NAT). As I mentioned earlier, ICS is only intended
for use in very small offices or at home. Essentially,
you share the modem in one computer and set up
all other computers as DHCP clients. The computer
with the modem becomes a mini DHCP server (it always
uses the fixed 192.168.0.x range, and you can't configure
anything) and your gateway to the Internet. Don't use
ICS if you're already running DHCP on your network or
if you have more than a single subnet. NAT is the
solution for most situations. It translates private
IP addresses into public IP addresses so that traffic
can be sent from your internal network out on to the
Internet. The NAT computer can also act as a simplified
DHCP server (the DHCP allocator), although this isn't required.
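What "translates private IP addresses into public IP addresses" means on the wire is a state table: each outbound connection from a private host gets a public source port, and replies are mapped back by that port. The following added example (not from the article, and a deliberate simplification of what RRAS NAT does) implements that table, including the behaviour a security engineer cares about most, that unsolicited inbound packets with no table entry are dropped. The class and addresses are constructed for illustration.

```python
import itertools

# Added example, not from the article: a minimal port-based NAT table of
# the kind Win2K RRAS NAT keeps. Addresses below are constructed.


class NatTable:
    """Many private addresses share one public address; connections are
    told apart by the translated source port."""

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.outbound = {}   # (private ip, private port) -> public port
        self.inbound = {}    # public port -> (private ip, private port)

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the private network; creates the
        mapping on first use and returns (src_ip, src_port, dst_ip, dst_port)."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet arriving from the Internet, or return None
        (drop) when nothing inside ever opened a matching mapping."""
        if dst_ip != self.public_ip or dst_port not in self.inbound:
            return None
        private_ip, private_port = self.inbound[dst_port]
        return (src_ip, src_port, private_ip, private_port)


if __name__ == "__main__":
    nat = NatTable("131.107.2.200")
    print(nat.translate_out("192.168.0.5", 3000, "207.46.1.1", 80))
    print(nat.translate_in("207.46.1.1", 80, "131.107.2.200", 1024))   # reply
    print(nat.translate_in("207.46.1.1", 80, "131.107.2.200", 5000))   # unsolicited
```

This is a "full cone" table (any external host may use an open mapping), which is the simplification; real implementations also track the destination and expire idle entries. The drop-by-default behaviour is why a NAT box is often mistaken for a firewall: it blocks unsolicited inbound traffic only as a side effect of having no mapping, not because of any policy.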
Certificate Services supports two types of Certificate
Authorities (CAs): Enterprise and Stand-Alone.
An Enterprise CA is integrated with AD. When a
user requests a certificate, the user’s credentials
are checked against the AD database and the certificate
is automatically granted or denied. A Stand-Alone
CA isn’t integrated with AD. When a user requests
a certificate, an administrator must review the
request. It won’t be automatically processed.
40 Tasks to Prepare for the 70-216 Win2K Network Infrastructure Exam
DNS
- Install DNS.
- Set up primary forward lookup
zone and a reverse lookup
zone.
- Convert your primary zone
to an AD integrated zone.
- Configure secure updates
and dynamic updates.
- Delegate a zone.
- Use NSLOOKUP to query the
DNS entries.
- Use the new IPCONFIG switches on a client:
ipconfig /registerdns to reregister
its address with DNS, ipconfig /flushdns
to clear the local resolver cache, and
ipconfig /displaydns to view it.
DHCP
- Install DHCP.
- Authorize the DHCP server.
- Set up a scope. Configure
common options such as default
gateway and DNS server address.
Set up a second scope and
create a superscope.
- Configure a multicast scope.
- Configure DHCP to update
dynamic DNS.
Remote Access
- Configure Routing and Remote
Access as a remote access
server.
- Create a remote access policy
and create a remote access
profile.
- Set up remote access authentication
and encryption protocols.
Configure a dial-up client
computer and determine which
protocols you should use to
connect to the RRAS server.
Test the connection.
- Set up Routing and Remote
Access to host a VPN.
- Configure Routing and Remote
Access for DHCP integration.
Network Protocols
- Install NWLink. Take a
look at the options, such
as frame type.
- Configure your network bindings.
- If possible, install GSNW
and connect to a Netware server.
- Configure TCP/IP packet
filters.
- Configure IPSec. Set up
transport mode and tunnel
mode. Take a look at custom
IPSec policies and rules.
WINS
- Install WINS on two servers.
- Set up replication between
the two servers.
- Configure DHCP to provide
WINS server addresses to client
computers.
- Create static mappings in
the WINS server database.
For example, create a static
mapping for a Unix computer
that is not a WINS client.
- Know the NetBIOS node types,
such as b-node and h-node.
Configure a WINS proxy.
IP Routing
- Configure Routing and Remote
Access to support routing.
- Create a static routing
table.
- Install and configure a
dynamic routing protocol such
as RIP.
- Configure a demand-dial
connection using a modem.
Network Address Translation (NAT)
- Use ICS to share a modem
and configure a client to
connect to the Internet through
the ICS computer.
- Install and configure NAT.
You can do this with a computer
that has a modem for the outgoing
connection.
- In this exercise, your network
has no DHCP server. Configure
NAT to assign DHCP addresses
to clients on your network.
- Configure a client to connect
to the Internet through the
NAT computer.
Certificate Services
- Install a standalone CA.
- Install an enterprise CA.
- Issue certificates with
each type of CA.
- Revoke a certificate. Publish
the certificate revocation
list.
- Export and import EFS recovery
keys.
Detailing Win2K Directory Services
You need to be well-versed in five major
areas for the Directory Services exam: AD, DNS
with AD, change and configuration management,
managing and optimizing AD, and security.
Alas, unlike the other exams in 70-240, you won’t
find much here that’s a repeat of NT 4.0. This
exam is all new. For that reason, it ranks right
up there with Network Infrastructure as the test
people most worry about. Fortunately, it doesn’t
have as many topics. You simply need a good foundation
in AD (if I can use the word “simply” in the context
of AD!).
Many of the installation topics are pretty straightforward.
Dcpromo.exe promotes a Win2K member server to
a DC. When run on a Win2K DC, it demotes the computer
to a member server by removing AD. A site is a
well-connected portion of your network. (Generally
speaking, “well-connected” means approximately
LAN (10Mb) speeds—so 56Kbps definitely isn’t!)
Site boundaries are defined by subnets, and sites
are connected by site links. Site links can be
configured to control replication between the
sites. In a fully routed network, you don’t need
to create site link bridges because all sites
using the same protocol are automatically bridged
by default. However, if your site isn’t fully
routed, you should disable default site link bridging
and create your own site link bridges.
Pay special attention to global catalog servers
and operations master roles. You need to understand
what each of the operations master roles does,
what happens when a master role is unavailable,
and what to do when a master is unavailable. Unless
there’s only one DC, the infrastructure master
role shouldn’t be on a DC that’s hosting the global
catalog. If you put both functions on the same
computer, the infrastructure master won’t find
out-of-date data and won’t replicate changes to
other DCs.
Tip: If every DC is also a global catalog server, it doesn't matter
which DC is the infrastructure master.
You need to understand AD backup and restore
with Windows Backup. Work with Ntdsutil until
you're familiar with all of its options. It's
used to perform an authoritative restore, to move the
AD database and log files, and to compact the database.
All three require the database to be offline, so don't
forget to boot your server in Directory Services
Restore Mode first.
If you studied DNS for the Network Infrastructure
section of the exam, you should be almost up to
speed for DNS with AD. The emphasis is the integration
of DNS and AD. Non-Win2K DNS can be used with
AD if it supports SRV records. Microsoft strongly
recommends dynamic update support, but it’s not
required. BIND DNS version 8.1.2 and later meet
the requirements of AD.
The change and configuration management section
of the objectives could just as easily be named
GPOs and RIS. One of the best things you can do
to study for the exam (and for real life) is to
spend plenty of time in the Group Policy MMC.
The User and Computer configuration containers
have slightly different configuration options.
Make sure you can picture each container and the
available options.
Generally, you link a GPO to a site, domain or
organizational unit (OU), and the GPO affects
all of the objects in that container. However,
sometimes you need to modify that behavior. You
can modify GPO inheritance with the Block Policy
Inheritance and No Override options. You can also
use security groups to apply a GPO to selected groups
of users and/or computers.
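The inheritance rules above (nearer container wins, Block Policy Inheritance drops what comes from above, No Override beats both, security-group filtering removes a GPO entirely) interact in ways that are easiest to understand by computing them. The following added example (not from the article) resolves the effective settings for a principal from a site/domain/OU chain; the `GPO`/`Container` classes, the setting names and the sample policies are constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not from the article: resolves effective Group Policy
# settings under Win2K's LSDOU processing order. Sample GPOs are constructed.


@dataclass
class GPO:
    name: str
    settings: dict                          # setting name -> value
    no_override: bool = False               # "No Override" set on the link
    apply_groups: frozenset = frozenset()   # groups with Apply Group Policy;
                                            # empty = Authenticated Users


@dataclass
class Container:
    name: str
    gpos: list                              # linked GPOs, highest priority first
    block_inheritance: bool = False         # "Block Policy Inheritance"


def resolve(chain, groups):
    """Effective settings for a principal that belongs to `groups`.
    `chain` runs site -> domain -> OU -> ... -> nearest OU. Nearer
    containers win conflicts, except that No Override GPOs win over
    everything below them and ignore Block Policy Inheritance."""
    groups = set(groups)
    # Only the nearest Block Policy Inheritance matters; it drops the
    # normal GPOs of every container above it.
    blocked_above = max((i for i, c in enumerate(chain) if c.block_inheritance),
                        default=0)
    effective, enforced = {}, []
    for depth, container in enumerate(chain):
        visible = [g for g in container.gpos
                   if not g.apply_groups or g.apply_groups & groups]  # filtering
        enforced.extend(g for g in visible if g.no_override)          # keep link order
        if depth >= blocked_above:
            for g in reversed(visible):      # lowest-priority link first, higher ones overwrite
                if not g.no_override:
                    effective.update(g.settings)
    # No Override GPOs: nearest container (and lowest-priority link) first,
    # so the farthest one, e.g. a domain-level lockdown, has the last word.
    for g in reversed(enforced):
        effective.update(g.settings)
    return effective


if __name__ == "__main__":
    lockdown = GPO("Domain Lockdown", {"wallpaper": "corp.bmp", "run_dialog": "disabled"},
                   no_override=True)
    restrict = GPO("Restricted Desktop", {"control_panel": "hidden"},
                   apply_groups=frozenset({"Domain Users"}))
    sales = GPO("Sales Desktop", {"wallpaper": "sales.bmp", "screensaver": "5min"})
    domain = Container("corp.com", [lockdown, restrict])
    sales_ou = Container("Sales", [sales], block_inheritance=True)
    print(resolve([domain, sales_ou], {"Domain Users"}))
    print(resolve([domain, Container("Sales", [sales])], {"Administrators"}))
```

The first call shows the exam's favourite combination: the Sales OU blocks inheritance, so "Restricted Desktop" is dropped, yet the domain's No Override "Domain Lockdown" still forces the corporate wallpaper. The second shows group filtering keeping the restricted desktop off an administrator who isn't in the filtered group; in a real ACL you'd more often add an explicit Deny for Apply Group Policy to Administrators, which this allow-only model doesn't represent.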
Software deployment through Group Policy is a
new feature of Win2K, and one that Microsoft is
rightly proud of. Plan on knowing this well! As
I’ve already discussed, there’s a difference between
assigning and publishing an application. Know
the difference.
RIS is another new feature that you should know
inside out. An installation image is placed on
the RIS server. To create this image, you install
Win2K Professional on a standard computer. Configure
the OS as desired and install any standard applications.
Then run the wizard to add an image, which prepares
the image and places it on the RIS server. Like
DHCP servers, RIS servers need to be authorized
in AD.
Tip: Every AD object has an Access Control List (ACL) that lists
user permissions for that object. You can assign these permissions
to grant administrative privileges to an object. The easiest way
to do this is through the Delegation of Control Wizard.
Managing and optimizing AD is your next topic
of study. Play with the MOVETREE command. Moving
objects within a domain is simple: Right click
an object and use the Move command. However, moving
between domains is a bit more complicated. MOVETREE
will move an object or a non-empty container to
a different domain. You can move empty Domain
Local and Global groups between domains. If they
have members, you can move them within domains.
You can also move Universal groups with members
within and between domains. Note that in all of
these cases the domains need to be in the same
forest.
Security topics like auditing and security templates
are similar to those in the Server and Professional
exams. However, the emphasis is different here.
Remember that you can assign security configurations
and audit policies through GPOs. They don’t have
to be set up individually on each computer.
40 Tasks to Prepare for the 70-217 Win2K Directory Services Exam
Active Directory
- Run dcpromo.exe to install
AD. If you have enough computers,
set up different domain combinations.
This can be done on two computers
by uninstalling and reinstalling
AD in each of the combinations.
If you have enough hard drive
space, this can also be done
on two computers, each of
which has multiple boots.
Try these: a) two DCs in the
same domain; b) the first
domain in a tree plus a child
domain; c) the first domain
in the forest plus an additional
domain in the forest.
- Use dcpromo.exe to uninstall
AD.
- Create and implement an
OU structure. Make something
that might work within your
current job environment. In
other words, make something
relatively sophisticated and
then use it for experimentation
as you practice other AD tasks.
- Create three or four sites.
- Create subnets and assign
them to the sites that you
created.
- Move a server object from
one site to another.
- Configure site links between
each of the sites. Make sure
you understand how to configure
options such as replication
interval, replication protocol,
and cost.
- Create a site link bridge.
(Note: This isn't required
in fully routed networks,
since all site links using
the same protocol are bridged
by default.)
- Create a global catalog
server. (Note: This is done
in networks with multiple
sites to prevent global catalog
queries from being performed
across slow WAN links.)
- Make sure you can transfer
operations master roles. Use
Ntdsutil.exe to seize a role.
What is the difference between
simply transferring a role
and seizing a role? Know the
effects of each role going
down.
- Use Windows Backup to back
up AD.
- Perform an unauthoritative
restore and an authoritative
restore.
DNS for AD
- Install DNS and set up an
AD integrated zone.
- Install DNS on a member
server and set up non-AD integrated
zones. Then run dcpromo on
another computer and use the
DNS server you just created
to provide DNS services to
your domain.
- Configure a zone for dynamic
updates.
- Configure an AD integrated
zone for secure updates.
- If you have access to a
non-Windows 2000 DNS server
that supports SRV resource
records and dynamic updates,
set up your AD environment
to use this server. (This
is a neat real life exercise,
but if you don't have the
equipment to do it, don't
worry. Just make sure you
understand the concepts.)
- Replicate data between DNS
servers.
Change and Configuration Management
- Create multiple GPOs and
link them to OUs, domains
or sites. Make sure some of
the configured options conflict
with each other and then check
the resulting options on a
computer or user affected
by multiple GPOs.
- Modify GPO inheritance by
experimenting with No Override
and Block Policy Inheritance.
Try different combinations
and then check the resulting
options on an affected computer
or user.
- Use security groups to filter
the effects of a GPO. For
example, create GPO with a
very restricted desktop and
link it to the domain. With
filtering, make sure the GPO
isn't applied to members of
the Administrators group.
- Delegate administrative
control of Group Policy.
- Use Group Policy to assign
security templates, such as
securews.inf and compatws.inf,
to computers.
- Create and assign startup/shutdown
and logon/logoff scripts.
What happens when you assign
multiple scripts? For example,
assign a startup script to
a computer and then assign
a logon script to the user
of that computer.
- Deploy a software package
with Group Policy.
- Deploy an upgrade or patch
to a software package deployed
with Group Policy.
- Assign software to users
and to computers. Then publish
a package to users. How does
each of these deployment options
appear to the user?
- Use Group Policy to redirect
a folder (such as My Documents)
to a network server.
- Set up a RIS server and
create an image that can be
installed on the client. (The
RIS exercises should be done
in conjunction with the RIS
exercises for the Professional
exam.)
- Authorize your RIS server.
- Grant a user the right to
create computer accounts for
RIS installation.
- If you have the equipment,
connect to the RIS server
from a client that supports
booting from the network.
Also, use rbfg.exe to create
a boot floppy to connect to
the RIS server and start the
installation.
Components of AD
- Delegate administrative
control. Give someone full
control of an OU. Give another
user the right to change passwords
for all accounts in the domain,
but no other administrative
abilities.
- Publish a shared folder
and an NT printer in AD.
- Set permissions on AD objects
to control access.
- Set up replication between
two AD sites.
AD Security Solutions
- Create an audit policy
on a DC. For example, audit
logons, try to log on and
fail. Also audit access to
a file or printer, connect
to the resource, and then
view the audit results.
- Use the secedit command
to refresh a policy after
you make changes to the GPO's
settings.
- Use Security Configuration
and Analysis to open a security
template. Make some changes
to the template, save it with
a new name, and then apply
the new template to a computer.
- Create a security policy,
such as a password policy,
and apply it to the domain
with a GPO.
It’s Waiting for You
There’s a lot of information covered on
this behemoth of an exam, but it’s passable! Get
yourself some study resources and try the homework
exercises. Then grit your teeth and take on your
future. Good luck!