Exam Reviews

70-296: The Systems Engineer Challenge

This MCSE upgrade exam will test your Windows 2003 expertise, especially in the areas of DNS, group policies, trusts and Active Directory maintenance.

If you're working with Windows Server 2003 and you're already an MCSE on Windows 2000, Microsoft wants to ease your transition to its newest platform in its certification requirements. You can become an MCSE simply by passing two exams, 70-292, which I review here and 70-296, which I review in this article. Although this may sound easy, don't be fooled—70-296 is complex and requires you show expertise with all that's new in Windows Server 2003, including changes to DNS, group policies, trusts and permissions, IPSec and VPNs, Active Directory maintenance and recovery, and Certificate Services.

In this review, I walk you through each set of objectives from the exam preparation guide located at http://www.microsoft.com/traincert/exams/70-296.asp. My intent is to share some major areas of study that you should master before tackling the test.

Note: Although Microsoft has brought back full score reporting for most other new exams it currently offers, this test only gives you a pass or fail response.

Server Roles and Security
The first set of objectives in Microsoft's exam guidelines, "Planning and Implementing Server Roles and Server Security," has to do with network server security configuration, monitoring and troubleshooting. Most of these objectives look at setting up security and user access via Group Policy Objects (GPOs).

Software Restriction Policies available with Group Policies in Windows Server 2003 allow administrators to control the use and execution of untrusted software in the domain and on local computers. There are many rule types that can be used to define restricted and unrestricted software. You can create a typical hash rule for a virus or Trojan, to prevent them from running. This hash rule can be distributed by e-mail, minus the virus or Trojan, of course.

Tip: After creating a software restriction policy using a hash rule, the user must log out and back in for the policy to take effect.

Also read:

70-292: An Administrator's View of Windows Server 2003


You should already be familiar with security templates if you're an MCSE on Windows 2000. What may be unfamiliar is RSoP and new Group Policy Object settings available in Windows 2003.

Resultant Set of Policies is an add-on to GPOs that enhances the implementation and troubleshooting process. RSoP uses queries to poll existing and planned GPOs, producing reports with the results. They'll tell you, if I make this change to that set of policies, what will the effect be? These polls can be used with existing GPOs based on site, domain, DC and OU. For more information on how to install and use RSoP, check out the articles on the Windows Server 2003 Community page (click here).

Tip: Security template settings can be reapplied using the Security Configuration and Analysis snap-in or from the command line using Gpupdate.

Table 1. The Path to an MCSE on Windows Server 2003
For MCSEs on
NT 4.0/Windows 2000
Upgrade Path for MCSAs/MCSEs on
Windows 2000
Core Exams: Networking System (4 required)
Core Exams
(2 required)
70-290: Managing and Maintaining Windows Server 2003 70-292: Managing and Maintaining Windows Server 2003 for an MCSA on Windows 2000
70-291: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure
70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure 70-296: Planning, Implementing, and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000
70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure
Core Exams: Client Operating System
(1 Required)
No other exams required.
70-210: Installing, Configuring, and Administering Windows 2000 Professional
70-270: Installing, Configuring, and Administering Windows XP Professional
Core Exams: Design
(1 Required)
70-297: Designing a Windows Server 2003 Active Directory and Network Infrastructure
70-298: Designing Security for a Windows Server 2003 Network
Elective Exams
(1 Required)
70-086: Implementing and Supporting Systems Management Server 2.0
70-227: Installing, Configuring, and Administering Internet Security and Acceleration Server 2000, Enterprise
70-228: Installing, Configuring, and Administering SQL Server 2000 Enterprise
70-229: Designing and Implementing Databases with SQL Server 2000 Enterprise Edition
70-232: Implementing and Maintaining Highly Available Web Solutions with Windows 2000 Server Technologies and Application Center 2000
70-284: Implementing and Managing Exchange Server 2003
70-297: Designing a Windows Server 2003 Active Directory and Network Infrastructure
70-298: Designing Security for a Windows Server 2003 Network
70-299: Implementing and Administering Security in a Windows Server 2003 Network

The Network Infrastructure
"Planning, Implementing, and Maintaining a Network Infrastructure" the next objective, focuses on host name resolution. Must-know topics include DNS design, configuration, replication, security, and interoperability. When it comes to DNS design, be sure you understand the methods of configuring and securing implementations for external and internal namespace. TechNet has a comprehensive overview (click here to read it). You should also know when to use Active Directory-integrated zones and secure dynamic updates.

Tip: When using DNS secure dynamic update, only the computers and users specified in an access control list can modify objects within a zone.

Most problems associated with AD can be attributed to incorrect DNS configuration. It's no wonder Windows 2003 certification exams focus so heavily on it. Configuration issues can range from improper use of root zones, to replication, to security. Typically the internal namespace is a sub-domain of the external namespace. External and internal DNS namespace should be separate in most cases and exposure of Active Directory minimized.

Only the authoritative DNS server, which should be secured in the private network behind the internal firewall, should allow zone transfers using IPSec to external or DMZ-based servers. All other internal DNS servers should have their root hints and cache.dns files deleted. When zone forwarding and root hints are configured correctly, internal clients should only need to communicate with internal servers.

Tip: External and internal DNS zones should be hosted on separate servers.

70-296: Upgrade for MCSEs

Reviewer's Rating
"This exam encompasses a lot of topics you should be familiar with from your MCSE on Windows 2000 days, yet with twists to address how they've changed in Windows Server 2003."

Exam Title
Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000

Live as of August 28, 2003

Who Should Take It
Windows 2000 MCSEs wishing to upgrade to their skills to Windows 2003.

Preparation Guide

Server Availability
"Planning, Implementing, and Maintaining Server Availability" mandates that you have a strong knowledge of clustering, network load balancing (NLB), backup types, and two new Windows 2003 features, volume shadow copy service (VSS) and automated system recovery (ASR).

Regarding clustering, for example, could you identify which Windows Server 2003 product meets the minimum requirements for clustering Web and data servers? If you've been around for any length of time, you may remember similar "product feature" type questions from the Windows NT 4.0 exams. However, new questions are worded in such a way as to prevent rogue memorization, and they focus more on meeting a requirement than simply recommending a solution. The first thing you need to know here: Both Windows Server 2003 Enterprise and Data Center editions each support eight-node clusters. If you're not completely comfortable with clustering services, check out the TechNet articles on the topic by clicking here. At a minimum, review all the Clustering "best practices" documents for backup, VSS and ASR support.

Tip: When configuring a Majority node set server cluster, in which each node contains its own copy of the cluster configuration data, if more than half the cluster nodes fail at any one time, the cluster itself fails.

With NLB, many incoming requests can be spread across multiple servers. This allows these servers and network services to be highly available and responsive to clients.

NLB detects when a server stops responding and quickly moves client traffic to remaining servers. This is the perfect scenario for creating redundant Web, multimedia, VPN and proxy servers. Don't forget to use the new NLB Manager for the hands-on experience—because you never know when you need to prove you know this stuff by selecting the correct checkbox or button on a simulated screen or two!

Tip: Clustering and NLB can't be configured on the same server at the same time.

Likewise, be proficient in backup types: full, incremental, differential and Automated System Recovery (ASR). You can read more by clicking here. Also, be sure to try out ASR, including the recovery procedure, on a test server.

Volume Shadow Copy Service (VSS) is a new feature that allows administrators to create a point-in-time copy of user files that the user can access and restore when previous versions are needed. These snapshots can save both IT staff and users a whole lot of time usually spent waiting for manual restore operations of accidentally deleted files from tape. As the server administrator you can schedule the copy time—for instance, twice a day at 0700 and 1200 hours, five days a week. If the amount of user data is great and changes often, you can even store this data on alternate server volumes!

If you have hosts other than Windows Server 2003, such as XP, Windows 2000 with SP3 or Windows 98, you'll need to install the shadow copy volume component to enable the use of previous file access and restore. This is available on the XP product CD (%Windir%\System32\Clients\Twclient\X86) or it can be downloaded here. Once configured per volume, users will find the Previous Versions tab in the properties selection for files and folders on a network shares. Users can then select View, Copy or Restore. They'll be presented with a list of read-only file and folder copies they can access. For more information read the white paper, "Introduction to Shadow Copies of Shared Folders" (click here).

Network Security
Nobody can design and maintain a Windows network without knowing a lot about security. For this exam you should know how to set up and configure remote assistance, remote administration and wireless networks, and you should know how to secure data traffic. These fall under the topic, "Planning and Maintaining Network Security."

IPSec policies should be used to secure VPNs, server-to-server, client-to-server, DNS zone transfer and Web-server-to-database-server communications. In Windows 2003, a group of computers can be configured to use IPSec when either Kerberos or certificates are used. When Kerberos authentication or certificates aren't an option or aren't supported—usually in smaller deployments—a preshared key can be configured between IPSec peers. The problem is the preshared key is stored in clear-text in the client's Registry.

Unlike most Group Policy Object settings, which are cumulative, only one IPSec policy can be assigned to a computer at a time. So if there are multiple IPSec policies assigned at different levels, the last one applied is the one that takes effect.

Tip: Windows versions prior to 2000 don't natively support IPSec.

Chapter 6, "Deploying IPSec," of the Windows Server 2003 Deployment Kit: Deploying Network Services (click here to read it) is the best resource available for explaining IPSec.

You should also review chapter 11, "Deploying a Wireless LAN," which can help you understand wireless networks as they pertain to Windows 2003.

Tip: Don't confuse remote assistance and Remote Desktop for Administration. Remote assistance allows a user to invite someone to connect, observe and remotely control his or her system. Remote Desktop for Administration supports connections to Windows 2003 servers for the purpose of remote administration.

The 802.1x wireless protocols enhance security by providing support for centralized user identification, authentication, dynamic key management and accounting. In cases where clients roam between access points on the same network, IPSec can be used in combination with 802.11 and 802.1x. Windows XP provides 802.1x support and additional wireless support, including automatic wireless configuration. Certificate auto-enrollment allows wireless clients to request and install certificates for authentication.

Tip: To achieve the highest level of security for wireless LANs, you need 802.1x with EAP TLS authentication, PKI, and a RADIUS server.

A Security Infrastructure
Under the general heading of "Planning, Implementing, and Maintaining Security Infrastructure," you'll find such topics as PKI, certificates, smart cards and security monitoring.

Unless you have years of experience as a security infrastructure engineer, I'd suggest you review chapter 16, "Designing a Public Key Infrastructure," in the Deployment Kit (click here to read it).

Tip: To support automated certificate approval and automatic user certificate enrollment, use enterprise CAs to issue certificates.

Topics you should immerse yourself in include these: the use of the command-line utility Certutil to back up certificates and private keys; making sure to back up system state data when using Windows backup (which allows you to back up the certificate services database); and the use of certificate templates (to define the intended use and allow users to select the type of certificate requested such as EFS, User, email, and smart card).

Security monitoring can include many tasks, such as review of event viewer security logs to IPSec monitoring with network analyzers. Make sure you know the general processes for these tasks, if not the specific steps.

Tip: The Read, Enroll and Autoenroll permissions are required for users to obtain certificates via autoenrollment.

The Active Directory Infrastructure
An exam like this one isn't likely to bypass directory services topics. "Planning and Implementing an Active Directory Infrastructure" and "Managing and Maintaining an Active Directory Infrastructure" encompass such topics as these: proper placement of global catalogs, universal group caching, creating forest root and child domain, creating and managing trusts, and performing authoritative and non-authoritative restores. Again, the best online resource is the Windows Server 2003 Deployment Kit. Chapters 1 through 6 in the "Designing and Deploying Directory and Security Services" section are mandatory!

Windows 2000 forests and domains are readied for Windows 2003 DCs with the new utility ADprep.exe. ADprep helps make sure that a Windows 2000 forest and domain contain the additional objects, attributes and permissions to support the Windows 2003 AD environment. ADprep offers the following command-line options:

adprep /forestprep: runs forest upgrade (must be completed first)
adprep /domainprep: runs domain upgrade

Tip: DCpromo is used to promote a server to the domain controller role for a domain.

Domain functional levels are an extension of the mixed/native mode concept introduced in Windows 2000. Using the AD domains and trusts snap-in, you can scan, view and change the domain functional levels.

Domain functional levels are as follows: Windows 2000 mixed (default, with all DC types supported—NT 4.0, Win2K and Windows 2003), Windows 2000 native (Win2K and Windows 2003 DCs only), Windows 2003 interim (a special mode used during an NT 4.0 to Windows 2003 upgrade) and Windows 2003 (Windows 2003 DCs only). In this last mode, the new utilities for domain controller and domain rename are available and support for cross forest trusts exists! You can download the domain rename tools by clicking here.

Tip: Running Active Directory on Windows Server 2003 Web Edition isn't supported, but these servers can belong to a domain.

Global Catalog servers serve many purposes for Active Directory. However, sometimes GC replication isn't practical or reliably supported. In this case, any Windows 2003 domain controller can be configured for Universal Group caching. This is often a better deployment solution for remote sites connected by slow WAN links.

Forest trusts support the following options: complete two-way trusts between each domain in the forest and use of UPN authentication across two forests.

Tip: To support network-wide login when authenticating users from another forest, add the UPN suffix using the domains and trusts snap-in.

Knowing when to perform an Active Directory authoritative and non-authoritative restore should be familiar ground for Windows 2000 MCSEs. An authoritative restore allows you to recover deleted AD objects to a DC before the next replication takes place. This allows the restored objects to be replicated over any previously modified objects as the latest change to all other DCs. When choosing a non-authoritative restore operation, the restored AD objects on the DC may be overwritten by other DCs during the next replication cycle.

Tip: To perform an AD restore, choose the Active Directory Services Restore Mode upon startup.

User Authentication
The topic of "Planning and Implementing User, Computer, and Group Strategies" requires that you spend some time learning about smart card authentication and password policies. Knowing these topics will go a long way in the real world.

Smart card authentication is a wonderful thing when it works! Troubleshooting logon problems with Active Directory and smart cards can be a daunting task. For instance, if the CA is unavailable, the correct certificate template hasn't been created or the domain administrator hasn't issued the correct permissions, users will experience difficulty with smart card logons. Many daily problems can be attributed to permissions.

Tip: If a password is changed on one computer, but the user is logged on to another computer with the old password, the computer with the old password continuously attempts to authenticate the user by using the old password, and it eventually locks out the user account.

10 Things To Practice


  1. Create and use trust relationships. All you need are two or more domain controllers to create a forest trust. Understanding how users access resources and how UPNs can simplify authentication to those resources is must-have knowledge.
  2. Configure and experiment with Remote Desktop. This topic has proven to be important on many of the Windows 2003 exams. Understand its use and permissions granted when configuring your lab.
  3. Gpupdate usage and troubleshooting. Gpupdate is the new tool for use in Windows Server 2003, and it's a great replacement for the many other tools it left behind. Become familiar with all that it has to offer and use it often.
  4. SUS and patch deployment. Although not a major topic of this exam, Software Update Services is an essential topic for Windows 2003 MCSEs. Download SUS and configure it on your network even if you plan to use other patch management solutions.
  5. Troubleshoot Active Directory. There's not enough information printed to help you master troubleshooting, so try anything you can think of in your lab to get experience. Be sure to understand why problems occur and work out the shortest path to resolution.
  6. Active Directory restore and maintenance. Use Windows backup to restore AD in both an authoritative and non-authoritative mode. Watch as restored data becomes the replicated data available on the network.
  7. Work with group policies. In the doing comes the understanding, as I always say. Create scenarios for users, family members or politicians you'd like to control on your network and practice designing, deploying, managing and troubleshooting their objects.
  8. Work with Certificate Services. Design, plan, deploy and manage certificate services. Don't forget to create and allow users to request specific templates, such as those for EFS and smart card logon support.
  9. Install, configure, and create server clusters. With a copy of VMWare and the switch localquorum, you can practice even with limited hardware resources.
  10. Install, configure and manage all DNS zone types. You need to practice designing, creating, managing and maintaining DNS. Create DNS zones and understand how each is used and learn to troubleshoot problems!

Group Policy
Group Policy Objects are the final two topics in the exam objective guide, under the headings, "Planning, Implementing, Managing, and Maintaining Group Policies" and "Managing and Maintaining Group Policy." The focus here encompasses creating user and computer GPOs for distributing software, automatically enrolling user certificates and troubleshooting GPOs.

Group Policy should be familiar territory for Windows 2000 MCSEs. Most Active Directory deployments in the past three years can be attributed to the need for greater network control. You can find a plethora of Group Policy information online and in print. Start slogging through it.

There are many resources available to bring you up to speed with Group Policies. I suggest you pick up a book on the topic. Some have been out for a few years and still withstand the test of time. Others will be released by the time this test surfaces.

I also suggest you read the Group Policy Management Console white paper, "Administering Group Policy with the GPMC" (click here).

Tip: Download the GPMC add-on by clicking here.

Also, I recommend you deploy a few GPOs on your lab network if they're not something you work with every day. Windows 2003 offers many new settings and options. Some are more useful than others.

For reference, read "The Windows Server 2003 Deployment Kit: Designing a Managed Environment" (click here).

Tip: The Configure Automatic Updates policy of Group Policy, option 4, "Auto Download and Schedule the Install," allows clients to operate in a fully-automated mode and ensure the latest updates have been applied.

Additional Information

You'll find study resources for Exam 70-296 within the Windows Server 2003 help and documentation. To get your free 180-day evaluation copy, click here.

You can also find a lot of information online at the Windows Server Community page (click here).

If you plan to attend instructor-led training to hone your Windows 2003 skills, check out course 2210: Updating Systems Engineer Skills from Microsoft Windows 2000 to Windows Server 2003, at Microsoft CTECs worldwide. Click here to review the course syllabus.

Several publishers are coming out with titles to help you with self study. These include the following books:

Finally, I offer more tips on these exams in the chats I host at MCPmag.com. Be sure to read the transcripts for chats that have already taken place. You can find them by clicking here and here.
—Andy Barkl

Follow the Upgrade Path
Certification should never be an end to itself. It's simply a way to prove you've covered the bases in your studies of a new technology. In the case of Windows Server 2003, this exam cuts a wide swath, just as your job as a systems engineer probably does. From planning server roles through setting up security to understanding Active Directory and group policies, you have a lot to learn when it comes to Microsoft's latest network operating system. If you're already an MCSE on Windows 2000, you have a headstart. Take advantage of your competitive edge to learn what's new and tackle these upgrade exams while they're still cutting edge. Good luck!


comments powered by Disqus

Subscribe on YouTube