Exam Reviews

Revisiting NT

This latest NT test isn't like a summer rerun—there's too much here you've never seen before. Yet it may be the easiest elective you'll get on your way to a new MCSE.

We've heard it both ways. Some Windows NT 4.0 administrators consider 70-244 an easy elective to blow through. Others are angry about the exam, believing that they've earned it from past exams and should be given credit for it, having already proven their knowledge of NT 4.0. They simply don't want to retest on older knowledge. So who's right?

Exam 70-244, Supporting and Maintaining a Microsoft Windows NT Server 4.0 Network, is probably one of the biggest shockers in the Windows 2000 track. It draws upon older knowledge, which may lead some of you to think this is a "gimme" test; yet it adds the latest features and service pack information and extremely realistic questions, making it a difficult exam. But I'll be honest: If you're certified on NT 4.0, here's your chance to grab an elective with minimal preparation.

The test goes through many of the older enterprise issues: trust relationships, permissions and arc paths. But you'll also stumble across roles with a whiff of Win2K; trusts within an NT 4.0 domain; the new Security Configuration Manager; utilities like syskey; Distributed File System (not new with Win2K, but released in NT 4.0's later service packs); and a smattering of IIS 4.0. In addition, you'll find a strong dose of TCP/IP questions relating to WINS, DHCP and DNS, which we all used to expect on the TCP/IP exam. Make sure you have a strong background in these topics.

All About NT Servers

When it comes to the topic of maintaining, optimizing and troubleshooting NT servers, test questions become more interesting when you can implement solutions with service packs. Likewise, this time around, you'd better know how to back out of a hotfix or service pack install if incompatibilities arise. You should also be aware of the various problems involved with hardware, like how to configure a single-processor server to use two processors (hint: Check out uptomp.exe).

NT Server 4.0 Network

Reviewer's Rating
"This one rolls up NT Server 4.0, NT Server 4.0 in the Enterprise, TCP/IP and IIS 4.0 into a single exam with a real-world twist to bring tears to your eyes."

Supporting and Maintaining a Microsoft Windows NT Server 4.0 Network

Current Status
Live as of April 2001.

Who Should Take It
Elective credit for the MCSE.

What Classes Prepare You
No single course. However, these classes offer training on technologies referenced in the exam:

  • 803: Administering NT 4.0; three days.
  • 922: Supporting NT 4.0 Core Technologies; five days.
  • 689: Supporting NT 4.0, Enterprise Technologies; five days.
  • 688: Internetworking Microsoft TCP/IP on Microsoft Windows NT 4.0; five days.

If you're new to NT 4.0 but have experience supporting TCP/IP-based networks, consider:

  • 983: Accelerated Training for Microsoft Windows NT 4.0; five days.
  • 934: Accelerated Training for NT 4.0 Enterprise Technologies and TCP/IP; five days.

We're all old friends with failed disks, and that means most of us already know how to handle RAID failures and how to recover. You also probably know how to create a boot disk that changes the boot.ini file to point off to the correct system partition by changing the arc path. You would want to know pagefile manipulation that takes into consideration the best scenario under the most extreme circumstances.

It's imperative that you use your knowledge of WAN connections and domain controller placement, especially concerning the proper location of backup domain controllers (BDCs) in your network. Remember that users get an access token from the PDC itself or from a strategically placed BDC. In the case of a network with multiple locations using limited WAN bandwidth between locations, it's wise to place a BDC at each location for faster logon times and to reduce traffic over the WAN link.

Backup and restore issues are important for NT experts to understand. If the budget allows, you'd want to shy away from using NTBACKUP, the default backup application within NT Server; but as an administrator you should be familiar with the different types of backup you can perform, like Normal (Full), Incremental or Differential, and what to do in the middle of a backup cycle if the server does stop working. Likewise, to help you justify the purchase of that third-party backup solution, you should understand the limitations of NTBACKUP as well as its workarounds.
Tip: Don't let the real-world aspects of a question throw you off. If you're asked about a particular type of hardware or a specific backup drive or library, just consider this spice in the question. Don't let it interfere with what you already know. Remember, Microsoft is a software company. Hardware details are there to confuse you (just like in real life).

Users and Groups

A good portion of information about users and groups is familiar to NT admins, but perhaps a bit more confusing to those who have only studied Win2K. An example is the trust relationships involved in allowing a user from one domain to access another domain. Because Win2K allows for two-way transitive trust relationships, don't forget that NT doesn't. You can't have two-way trusts, only two one-way trusts. Transitive isn't a possibility for NT domains either. When you combine NT and Win2K domains, the NT abilities are what come through.
Tip: NT used circles to represent domains, and Win2K uses triangles. Don't let the type of object used to describe a domain confuse you. Draw the design out on paper using circles if that makes you feel better.)

You need to be aware of the NT account policies that can be created to structure password security on user accounts. In addition to password information, you need to be familiar with the creation of user accounts based on templates to perform user creations quickly and efficiently. Likewise, understand profiles (local, roaming or mandatory) and know how to create a customized domain profile. Make sure you know where to place logon scripts and how to replicate those scripts.

These days, a lot of us are confused about local and global groups and user placement within those groups. With Win2K you can do all sorts of new things with groups, including nesting them within each other in a native domain. Remember: Users can go into global or local groups. Global groups can only be nested into local groups but not into each other in an NT 4.0 environment. Local groups can't be nested into any other group.
Tip: Because universal groups don't exist in NT 4.0, you can't use them in any type of cross-domain trust relationship between a Win2K and NT 4.0 domain.

Keeping Things Secure

A new topic in the Win2K exams involves the Security Configuration Editor (SCE), a tool that was released in more recent NT service packs. The SCE is an MMC snap-in that allows you to configure security for your NT network and then perform periodic analyses of the system to ensure that the configuration remains intact. The SCE provides a graphical analysis of what the recommended security settings should be, based on a selected default template of your choice (your options range from basic security to highly secure). The SCE will show you where your settings currently reside. You should know which options you want to change to meet the level of security you desire.
Tip: Get comfortable with the SCE and how it works, with the one column indicating the template setting and the other indicating what your system is set at.

Even experienced administrators may be unfamiliar with syskey, but you should know what it does to round out your knowledge of security. It was released with Service Pack 3 as a means of providing 128-bit encryption of the SAM. Once enabled, the only way to back out of syskey configurations is through a strategically created Emergency Repair Disk (ERD) process.

SMB signing, also released in Service Pack 3, is another topic to understand. You enable SMB signing through the registry. It verifies each packet sent between a client and server to prevent man-in-the-middle attacks on your network traffic or to stop active message attacks.

In addition, you should have a working knowledge of the different versions of NT LAN Manager. NTLM, NT 4.0's term for Microsoft's challenge/response authentication, was intended to increase security on the network. With the release of Service Pack 4, NTLMv2 was included to increase the security authentication mechanisms.
Tip: For more great information on NTLM v1 and v2, consider the TechNet article, "How to Disable LM Authentication on Windows NT" at www.microsoft. com/technet/support/kb.asp?ID=147706.

Pay special attention to the exam objective of auditing. How do you track down a user who's changing permissions and account passwords? How do you track a person who's locking out the administrators account? How do you manage auditing with logs? How do you audit the start-up of services or who creates trust relationships? You might be caught off-guard by the depth of understanding you should have before Microsoft considers you an expert in NT Server support and maintenance.

Access to Resources

Permissions on objects are big in any NT Server scenario. Remember the standards: No Access is always no access, whether or not a person has Full Control by being in another group. Memorize this formula: down, down, across. In other words, add up share permissions, add up NTFS permissions, and then combine the two across and take the more restrictive of the two, as shown in Figure 1.

NTFS Permissions
Figure 1. When you're trying to sort out permissions on objects, remember: Add up share permissions, add up NTFS permissions, and then combine the two across and take the more restrictive of the two.

Looking at this example, if John is a Manager and you want to determine his remote permissions on an object, you would add up his Full Control with Change and come up with Full Control permissions through the Share. You would add Change and Change on the NTFS side and come up with Change. But then going across you would combine Full Control through the share with Change on the NTFS side and be left with Change permissions remotely. (Remember, if John were also in the Sales department, No Access would take precedence.)

Distributed file system configuration and troubleshooting should be a comfortable topic if you have Dfs experience with Win2K. One type of configuration problem you might want to practice and figure out involves a structure wherein users should be able to connect to multiple Dfs servers that have copies of the same folder, but for some reason they can only connect to the root.

Print solutions have always been a strong part of NT objectives in the past and continue to be. Administrators should know how to allow one group to print ahead of another using priorities. You should know how to print large documents at night and what to do if jobs don't print. In addition, be aware of what to do if you need to move the spooler to a partition or drive with more space.

IIS 4.0 isn't initially installed with NT Server; it's an add-on with the NT Option Pack. Yet, it's still an important part of NT administration. Brush up on your Web and ftp configuration options, port numbers and security settings. Index Server is another aspect of IIS to study, including ways to prevent words from being indexed through the noise.enu file in the System32 folder.
Tip: For review, pick up an IIS book that thoroughly covers the subject and work with it a bit to get the concepts down—especially if you have little experience with this set of services.

Additional Information
Because this NT maintenance test is new, there isn't a lot of information out there on it. Yet, because we've seen many of the topics on the test covered elsewhere, there's a ton of information out to help you prepare. We suggest you go through the exam objectives posted on Microsoft's Web site at www.microsoft.com/
and make sure you know these topics.

Network Services

If you've been in the network business for a while, you probably know the important networking concepts, for example, how to handle TCP/IP addressing and subnetting and where to place DHCP servers. In addition, spend time reviewing how to troubleshoot DNS and WINS issues and use utilities like PING, IPCONFIG, TRACERT and NSLOOKUP to track down network problems.
Tip: Don't forget some of those traditional network concepts like Gateway Services for NetWare and Binding orders. Review material on these topics to fully round out your knowledge of network configuration.

To troubleshoot your Windows network, Event Viewer is your first stop for looking into problems. If your system starts to falter, you can use Performance Monitor to look into it. The standard troubles revolve around a lack of memory, a motherboard or processor bottleneck, or a hard disk problem. You can log your monitoring events over a period of time and read the results or import them into an Excel spreadsheet for analysis documentation. If you want to monitor the network itself and peer into packets, Network Monitor is included within NT 4.0 (although in real life you'd probably want a stronger tool on hand too).

Brush Up

If you're currently an NT administrator who has passed at least some of the NT 4.0 exams (especially NT Server 4.0 in the Enterprise), then you might just need to brush up on some of your older material, look into the topics I've mentioned, go through the exam guide from Microsoft, and tackle the test. If you've never worked with NT 4.0, I advise you to consider another elective, since this one won't be easy for you.

I don't consider this exam an instant point toward anybody's Win2K MCSE credential. In fact I'd certainly call it a challenge worth pursuing. Yet, it's the closest you'll come to an "easy" elective in the scheme of things. If you've been out of exam-taking mode for a while, think about starting here. It'll get you warmed up for the long haul.

I wish you success!


comments powered by Disqus

Subscribe on YouTube