Exam Reviews

Server Mania

To get through 70-215, develop your skills in server installation, resource and storage management, hardware expertise, system performance, and networking and Active Directory.

The Windows 2000 Server exam is one of four core exams required for a Win2K MCSE, and it’s the second exam most people take on their way to an MCSE credential. If you’ve already passed the Win2K Professional exam, you have a good base of knowledge for this one. [Click here to read Jill’s review of the 70-210, Win2K Pro exam.—Ed.] Of course, there are many new topics, but some topics will be duplicates from the Pro exam.

Microsoft describes candidates for this exam as people with a minimum of one year’s experience implementing and administering network operating systems in a large environment with multiple physical locations. This translates into the need for a lot of hands-on practice before you tackle the exam. Keep that in mind!

In general, I thought this exam was a little harder than the Win2K Professional exam, but not too much. Expect to see a few scenario and drag-and-drop questions. Most of the questions are multiple-choice, but they tend to be relatively long.

Microsoft offers traditional- and adaptive-format exams. A traditional exam has a fixed number of questions. You can go forward and back in the exam, allowing you to mark questions for review. On the other hand, an adaptive exam varies in length. The test starts with a question of easy to moderate difficulty. If you answer the question correctly, the next question is more difficult. If you answer the question incorrectly, the next question is easier. This process continues until the test determines your ability level. One of the most noticeable features of the adaptive exam is that you can’t go back to review questions. Once you answer a question, it’s graded and you move on to the next. At the time of this writing, exam 70-215 is a traditional-format exam, but Microsoft reserves the right to change the testing format at any time.

Windows 2000 Server (70-215)

Reviewer’s Rating
“This test truly challenges your abilities to implement, administer and troubleshoot systems built around Windows 2000 Server.”

Title
Installing, Configuring, and Administering Microsoft Windows 2000 Server

Current Status
Live as of June 15, 2000.

Who Should Take It
Core credit for the MCSE.

What Classes Prepare You
2151: Windows 2000 Network and Operating System Essentials
2152: Implementing Microsoft Windows 2000 Professional and Server

Installation Issues
The first set of objectives for the Win2K Server exam covers installation. As always, before you start an installation, make sure the computer meets all hardware requirements.

You must be able to perform attended and unattended installations. To begin an attended installation, boot from the Win2K CD-ROM if the computer supports booting from the CD. If your computer doesn’t support booting from the CD-ROM, create boot disks with makeboot.exe or makebt32.exe. You can also start an installation over the network. Set up a server with a file share containing the contents of the \i386 folder. Boot the client with a network boot disk and connect to the shared folder. Start the installation by running Winnt.exe. Winnt.exe is used when you’re running a 16-bit environment. This is typically the case when you create a network boot disk. If you’re running a 32-bit environment, use Winnt32.exe.

For an unattended install, use the Setup Manager Wizard to create an answer file. An answer file contains the information required by Setup so you don’t have to enter anything during the installation. You can perform an unattended installation by booting from the Win2K CD-ROM or by connecting to a distribution server that contains the installation files. To perform an unattended install with the installation CD, save the answer file on a floppy with the name Winnt.sif. Boot from the CD, then put the floppy in the drive.

Tip: An unattended installation over the network is similar to an attended installation. Simply use the correct switch to specify the answer file when you start the installation (Winnt /u:answerfile or Winnt32 /unattend:answerfile).

Other automated installation methods include sysprep and syspart. The syspart parameter is used with Winnt32. It can be used when you have a master computer and target computers without similar hardware. Use the syspart switch to install the operating system on the second hard drive in the master computer. Syspart marks the drive as the active boot device, so when you move the drive to the target computer, it’s bootable.

Sysprep is used to duplicate disks. Install Win2K on a master computer. Also, install any applications that’ll be installed on all target systems. Then run sysprep and a third-party disk-imaging utility. Sysprep prepares the hard disk on the master computer for use with the disk-imaging software. When using sysprep, the master and target computers must have identical HALs and mass storage device controllers. Plug and Play devices are automatically detected by Win2K, so items such as network adapters and video cards don’t have to be identical.

Upgrading is another installation topic. You can upgrade directly to Win2K Server from Windows NT Server 3.51 and Windows NT Server 4.0. If you’re running NT Server 3.1 or 3.5, first upgrade to NT 3.51 or 4.0, then upgrade to Win2K. Upgrades get more complicated when you upgrade a Domain Controller instead of a member server. The first step in a domain upgrade is to upgrade the Windows NT PDC to Win2K Server. After you upgrade the PDC, then you can upgrade BDCs in any order.

Tip: Make sure you understand that you can run Win2K service packs against your shared network copies of the Win2K installation files by invoking update.exe with the -s option. This way, after installing new Win2K features, you don’t have to reapply the service pack.

Dealing with Resources
For resource management, make sure you know NTFS and share permissions inside and out. When you set permissions on a parent folder, new files and subfolders in that folder inherit those permissions. If you don’t want a file or subfolder to inherit permissions from the parent, you need to clear the “Allow inheritable permissions from parent to propagate to this object” check box. Know the rules for copying and moving files on NTFS partitions. When you copy a file or move a file to a different partition, it inherits the permissions of the destination folder. When you move a file to a different folder on the same partition, it retains its permissions.

The distributed file system (Dfs) organizes shared folders on different servers into a single, hierarchical structure, starting with a root located on a Win2K server. Instead of seeing many file servers (each containing shares), users see a few Dfs root shares. Users no longer need to know which servers contain what shares. A Dfs root may be standalone or domain-based. Domain-based Dfs allows for folder replicas, which create fault tolerance. Standalone Dfs doesn’t.

You need to know the basics of printer management, including printer installation, how to set permissions, configuration options such as printer priorities, and how to change the location of the spool folder.

One new feature is Internet printing. If the print server is running IIS, you can connect to a printer via a URL. Use http://servername/printers to see a list of all printers on that server. Use http://servername/printersharename to go directly to the page for that printer. Also, know how to make your Win2K printers available to Unix users.

Tip: IIS is installed by default when you install Win2K. You need basic Web site management skills for this exam. Make sure you understand Web sharing permissions, as well as the basics of setting up and configuring sites.

Hardware Expertise
The hardware management section of this exam relies heavily on experience. If you’ve set up your share of computers, exam questions in this area will be straightforward. If you haven’t, get your hands on some hardware and start practicing. You need to know how to install, update and troubleshoot hardware drivers. Device Manager is the primary tool for driver management.

Tip: You should also be familiar with Windows Update on the Microsoft Web site.

Driver signing is new to Win2K. Microsoft has digitally signed drivers to help ensure quality. Drivers need to meet certain testing criteria before they can be signed. As an administrator, you can configure how the computer responds to signed and unsigned drivers. The default is to display a warning when it detects an unsigned driver. Other options include ignoring unsigned drivers and preventing their installation.

System Performance
Optimizing your computer’s performance is similar to doing so in Windows NT 4.0. System Monitor is essentially Performance Monitor spruced up for the MMC. Understand when you need an additional CPU or just more memory. You can also monitor the computer and manage processes with Task Manager.

Windows Backup is your basic tool for backing up data and the system state data. The system state data on a Win2K member server includes the registry, boot files and COM objects. On a Win2K Domain Controller, the system state data also includes Active Directory. When you restore AD on a DC, there are two general methods: non-authoritative restores and authoritative restores. In a non-authoritative restore, the DC is restored from backup, and the restored data is updated by AD replication. If you need to restore a deleted AD object, use an authoritative restore. In this case, you restore from backup and run the Ntdsutil tool to mark all or part of the directory as authoritative. The marked data will be replicated to other DCs after you reboot.

Tip: For a rundown on the restoration of Active Directory, read Jeremy Moskowitz’s article, “Active Directory: Back from the Dead,” in the February 2001 issue.

You have a number of options for troubleshooting boot problems. Safe mode loads a minimal driver set during startup. You can also boot to the command-line Recovery Console. The Recovery Console can be used to start and stop services, read and write data on a local drive, and format disks.

Storage Use
The Win2K Server exam places a heavy emphasis on disk management. Win2K supports a new type of disk: the dynamic disk. When you first install a hard drive, it’s a basic disk. To upgrade to a dynamic disk, you need at least 1MB of unallocated space. Know the vocabulary for both types of disks. Supported volume types include simple, spanned, striped, mirrored and RAID-5 volumes. Mirrored and RAID-5 volumes are fault-tolerant. You need to know how to configure and manage each of these types of volumes on both basic and dynamic disks. You also need to be able to recover from disk failures.

Quota management is new to Win2K. Disk quotas are assigned to volumes. You can set a default quota for all users on the volume, with different quotas for individual users. Quotas aren’t assigned according to group memberships. Users are charged for the files they own, but be aware that quotas count the amount of uncompressed disk space. A user with compressed files may be surprised to learn he’s out of disk space.

The other topic in this category is compression. Compression is an NTFS attribute, so when you copy and move files, it behaves like NTFS permissions. However, there are a couple of gotchas. Encryption and compression are mutually exclusive. You can’t compress an encrypted file and you can’t encrypt a compressed file. Also, because compression is an NTFS attribute, a compressed file that you copy to a FAT partition will be uncompressed.

Tip: Encryption is a little different from compression in that when an encrypted file is copied or moved to a different Win2K NTFS drive, it always remains encrypted. This is even the case when copying to an NTFS drive on a remote Win2K machine.

Making Connections
Although there’s a separate exam that covers networking services (70-216), you need a solid networking foundation to pass this exam. Make sure you have a good basic understanding of DNS, DHCP, WINS and TCP/IP.

You also need a solid understanding of Routing and Remote Access. Understand how to set up your server as a VPN server or as a dial-up Remote Access Server. Make sure you’re up to speed on the following protocols: CHAP, MS-CHAP (v1 and v2), EAP, PAP, SPAP and RADIUS.

When you set up a remote access server, you can create remote access policies to control who has access to the computer. Policies can specify the times and days the server is available or who can connect to the server based on group memberships. Each policy may have an associated profile, which sets properties such as dial-in constraints, authentication and encryption options.

Terminal Services allows clients to execute applications on the Terminal Server. Clients use terminal emulation software to send keystrokes and mouse movements to the server. Terminal Server does all the data processing and sends it back to the display. Terminal Server (TS) is installed in either remote administration mode or application mode. In remote administration mode, you have licenses for two simultaneous connections. This mode is intended to administer remote servers. When running application mode, TS delivers applications to client computers.

Tip: If you plan to deliver applications, you must install a Terminal Server License Server and purchase TS client access licenses from Microsoft.

Hardcore Security
The Encrypting File System (EFS) is a new feature of NTFS. Be aware that you can’t compress encrypted files. Only the person who encrypted a file or the designated Recovery Agent can decrypt that file. Note that this will cause problems if you try to share an encrypted file! Because EFS is an NTFS feature, encrypted files and folders are decrypted if you copy them to FAT or FAT32 volumes. Also, be careful when you copy encrypted files and folders to a different computer. The encryption certificate and private key used to decrypt the files are needed on that computer. If it doesn’t have them, you won’t be able to open the files.
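The copy and move rules this review gives for NTFS permissions, compression and EFS interact, so here they are combined into one small model. This is an added example, not part of the original review; the folder names, ACL strings and the `transfer` function are hypothetical, and ACLs are simplified to a single string.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Folder:
    volume: str               # constructed label such as "D:"
    fs: str                   # "NTFS", "FAT" or "FAT32"
    acl: str = ""             # permissions that new files inherit (NTFS only)
    compressed: bool = False

@dataclass(frozen=True)
class File:
    folder: Folder
    acl: str
    compressed: bool = False
    encrypted: bool = False

def transfer(f, op, dest):
    """State of file f after op ("copy" or "move") into folder dest."""
    if op not in ("copy", "move"):
        raise ValueError(f"unknown operation: {op}")
    if dest.fs != "NTFS":
        # FAT and FAT32 hold no ACLs, compression or EFS: all three are lost.
        return File(dest, acl="")
    if op == "move" and dest.volume == f.folder.volume:
        # Same-partition move: permissions and attributes travel with the file.
        return replace(f, folder=dest)
    # Copy, or move to another partition: the destination folder's permissions
    # and compression apply. Encryption stays with the file, and an encrypted
    # file cannot also be compressed.
    return File(dest, acl=dest.acl,
                compressed=dest.compressed and not f.encrypted,
                encrypted=f.encrypted)

# Constructed sample data (hypothetical names, not from the article).
HR = Folder("D:", "NTFS", acl="HR:Modify")
ARCHIVE = Folder("D:", "NTFS", acl="Admins:Full", compressed=True)
PUBLIC = Folder("E:", "NTFS", acl="Everyone:Read", compressed=True)
FLOPPY = Folder("A:", "FAT")
PAYROLL = File(HR, acl="HR:Modify", encrypted=True)

def scenarios():
    return {name: transfer(PAYROLL, op, dest) for name, op, dest in [
        ("move_same_volume", "move", ARCHIVE),
        ("copy_other_ntfs", "copy", PUBLIC),
        ("copy_to_fat", "copy", FLOPPY),
    ]}
```

The `copy_to_fat` case is the one to watch on a real server: the copy ends up with no ACL and no encryption.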

Tip: Be aware that you need to be able to work with both local and domain user accounts. Local user accounts are stored on the local computer and are typically used in a workgroup environment. Domain user accounts are stored in AD and allow the user to gain access to domain resources.

Although this isn’t the AD exam, you do need a basic understanding of it. Specifically, you need to understand local and group policies in AD. Group policies are deployed by linking them to sites, domains or Organizational Units (OUs). Understand what happens when multiple policies are applied to a computer. Look at policy inheritance. For example, you can block policy inheritance at the OU level, but you can also set the No Override option for a group policy. If you set No Override, the policy can’t be blocked at a lower-level OU.
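To see how blocking and No Override combine when several policies reach one computer, the following added example (not part of the original review) resolves the effective settings along a site, domain and OU chain. The container names, GPO names and setting keys are constructed, and the model covers only policies linked in AD, not the local policy that is applied before them.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    no_override: bool = False

@dataclass
class Container:
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False

def effective_policy(chain):
    """chain: containers ordered site, domain, then OUs from parent to child."""
    normal, enforced = [], []
    for c in chain:
        if c.block_inheritance:
            normal.clear()    # drops inherited GPOs, but never the No Override ones
        for g in c.gpos:
            (enforced if g.no_override else normal).append((c.name, g))
    result = {}
    # Ordinary GPOs apply top-down, so the container closest to the computer wins.
    # No Override GPOs go last, reversed so the highest-level one has the final word.
    for where, g in normal + enforced[::-1]:
        for key, value in g.settings.items():
            result[key] = (value, f"{g.name}@{where}")
    return result

def sample_chain(block):
    # Constructed sample hierarchy (hypothetical names and setting keys).
    site = Container("HQ-Site")
    domain = Container("corp.example", [
        GPO("Baseline", {"AuditObjectAccess": "Success,Failure", "RemoveRunMenu": True}),
        GPO("Lockdown", {"LegalNotice": "enabled"}, no_override=True),
    ])
    ou = Container("Servers", [
        GPO("ServerOU", {"RemoveRunMenu": False, "LegalNotice": "disabled"}),
    ], block_inheritance=block)
    return [site, domain, ou]
```

With `block=True` the Servers OU sheds the Baseline GPO entirely, yet still receives `LegalNotice` from the domain's Lockdown GPO because No Override beats both the block and the OU's own conflicting value.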

Other security topics include auditing and account policy. These are configured on the local computer through Local Security Policy. They can also be configured through group policy in AD. Account policy includes password settings, such as the minimum password length, and lockout settings, such as the number of failed logon attempts before the system locks you out. When you configure the account policy for a domain, it’s set at the domain level, not on individual OUs.

When you create an audit policy, be aware that auditing files, folders or printers requires two things: You need to audit object access and you need to configure auditing on the specific file, folder or printer.

Finally, look at security templates. They’re used to apply security settings to the computer. There are standard templates for basic, secure and high-security installations. Don’t use the hisec templates unless you have a Win2K-only environment. Computers running the hisec templates can’t communicate with older Windows clients! Good luck!
