70-296: The Systems Engineer Challenge
This MCSE upgrade exam will test your Windows 2003 expertise, especially in the areas of DNS, group policies, trusts and Active Directory maintenance.
If you're working with Windows Server 2003 and you're already an MCSE
on Windows 2000, Microsoft wants to ease your transition to its newest
platform in its certification requirements. You can become an MCSE simply
by passing two exams, 70-292, which I review here
and 70-296, which I review in this article. Although this may sound easy,
don't be fooled—70-296 is complex and requires you show expertise
with all that's new in Windows Server 2003, including changes to DNS,
group policies, trusts and permissions, IPSec and VPNs, Active Directory
maintenance and recovery, and Certificate Services.
In this review, I walk you through each set of objectives from the exam
preparation guide located at http://www.microsoft.com/traincert/exams/70-296.asp.
My intent is to share some major areas of study that you should master
before tackling the test.
Note: Although Microsoft has brought back
full score reporting for most other new exams it currently offers, this
test only gives you a pass or fail response.
Server Roles and Security
The first set of objectives in Microsoft's exam guidelines, "Planning
and Implementing Server Roles and Server Security," has to do with
network server security configuration, monitoring and troubleshooting.
Most of these objectives look at setting up security and user access via
Group Policy Objects (GPOs).
Software Restriction Policies available with Group Policies in Windows
Server 2003 allow administrators to control the use and execution of untrusted
software in the domain and on local computers. There are many rule types
that can be used to define restricted and unrestricted software. You can
create a typical hash rule for a virus or Trojan, to prevent them from
running. This hash rule can be distributed by e-mail, minus the virus
or Trojan, of course.
Tip: After creating a software restriction policy using
a hash rule, the user must log out and back in for the policy to take
You should already be familiar with security templates if you're an MCSE
on Windows 2000. What may be unfamiliar is RSoP and new Group Policy Object
settings available in Windows 2003.
Resultant Set of Policies is an add-on to GPOs that enhances the implementation
and troubleshooting process. RSoP uses queries to poll existing and planned
GPOs, producing reports with the results. They'll tell you, if I make
this change to that set of policies, what will the effect be? These polls
can be used with existing GPOs based on site, domain, DC and OU. For more
information on how to install and use RSoP, check out the articles on
the Windows Server 2003 Community page (click
Tip: Security template settings can be reapplied using
the Security Configuration and Analysis snap-in or from the command line
|Table 1. The Path
to an MCSE on Windows Server 2003
NT 4.0/Windows 2000
Path for MCSAs/MCSEs on
Core Exams: Networking System (4 required)
|70-290: Managing and Maintaining
Windows Server 2003
||70-292: Managing and Maintaining
Windows Server 2003 for an MCSA on Windows 2000
|70-291: Implementing, Managing,
and Maintaining a Windows Server 2003 Network Infrastructure
|70-293: Planning and Maintaining
a Windows Server 2003 Network Infrastructure
||70-296: Planning, Implementing,
and Maintaining a Windows Server 2003 Environment for
an MCSE Certified on Windows 2000
|70-294: Planning, Implementing,
and Maintaining a Windows Server 2003 Active Directory
Core Exams: Client Operating System
No other exams required.
Configuring, and Administering Windows 2000 Professional
Configuring, and Administering Windows XP Professional
Core Exams: Design
Designing a Windows Server 2003 Active Directory and Network
Security for a Windows Server 2003 Network
and Supporting Systems Management Server 2.0
Configuring, and Administering Internet Security and Acceleration
Server 2000, Enterprise
Configuring, and Administering SQL Server 2000 Enterprise
and Implementing Databases with SQL Server 2000 Enterprise
and Maintaining Highly Available Web Solutions with Windows
2000 Server Technologies and Application Center 2000
and Managing Exchange Server 2003
a Windows Server 2003 Active Directory and Network Infrastructure
Security for a Windows Server 2003 Network
and Administering Security in a Windows Server 2003 Network
The Network Infrastructure
"Planning, Implementing, and Maintaining a Network Infrastructure"
the next objective, focuses on host name resolution. Must-know topics
include DNS design, configuration, replication, security, and interoperability.
When it comes to DNS design, be sure you understand the methods of configuring
and securing implementations for external and internal namespace. TechNet
has a comprehensive overview (click
here to read it). You should also know when to use Active
Directory-integrated zones and secure dynamic updates.
Tip: When using DNS secure dynamic update, only the computers
and users specified in an access control list can modify objects within
Most problems associated with AD can be attributed to incorrect DNS configuration.
It's no wonder Windows 2003 certification exams focus so heavily on it.
Configuration issues can range from improper use of root zones, to replication,
to security. Typically the internal namespace is a sub-domain of the external
namespace. External and internal DNS namespace should be separate in most
cases and exposure of Active Directory minimized.
Only the authoritative DNS server, which should be secured in the private
network behind the internal firewall, should allow zone transfers using
IPSec to external or DMZ-based servers. All other internal DNS servers
should have their root hints and cache.dns files deleted. When zone forwarding
and root hints are configured correctly, internal clients should only
need to communicate with internal servers.
Tip: External and internal DNS zones should be hosted on
Upgrade for MCSEs
"This exam encompasses a lot of topics you
should be familiar with from your MCSE on Windows 2000
days, yet with twists to address how they've changed
in Windows Server 2003."
Planning, Implementing, and Maintaining a Microsoft
Windows Server 2003 Environment for an MCSE Certified
on Windows 2000
Live as of August 28, 2003
Who Should Take It
Windows 2000 MCSEs wishing to upgrade to their skills
to Windows 2003.
"Planning, Implementing, and Maintaining Server Availability"
mandates that you have a strong knowledge of clustering, network load
balancing (NLB), backup types, and two new Windows 2003 features, volume
shadow copy service (VSS) and automated system recovery (ASR).
Regarding clustering, for example, could you identify which Windows Server
2003 product meets the minimum requirements for clustering Web and data
servers? If you've been around for any length of time, you may remember
similar "product feature" type questions from the Windows NT
4.0 exams. However, new questions are worded in such a way as to prevent
rogue memorization, and they focus more on meeting a requirement than
simply recommending a solution. The first thing you need to know here:
Both Windows Server 2003 Enterprise and Data Center editions each support
eight-node clusters. If you're not completely comfortable with clustering
services, check out the TechNet articles on the topic by clicking
here. At a minimum, review all the Clustering "best practices"
documents for backup, VSS and ASR support.
Tip: When configuring a Majority node set server cluster,
in which each node contains its own copy of the cluster configuration
data, if more than half the cluster nodes fail at any one time, the cluster
With NLB, many incoming requests can be spread across multiple servers.
This allows these servers and network services to be highly available
and responsive to clients.
NLB detects when a server stops responding and quickly moves client traffic
to remaining servers. This is the perfect scenario for creating redundant
Web, multimedia, VPN and proxy servers. Don't forget to use the new NLB
Manager for the hands-on experience—because you never know when you
need to prove you know this stuff by selecting the correct checkbox or
button on a simulated screen or two!
Tip: Clustering and NLB can't be configured on the same
server at the same time.
Likewise, be proficient in backup types: full, incremental, differential
and Automated System Recovery (ASR). You can read more by clicking
here. Also, be sure to try out ASR, including the recovery
procedure, on a test server.
Volume Shadow Copy Service (VSS) is a new feature that allows administrators
to create a point-in-time copy of user files that the user can access
and restore when previous versions are needed. These snapshots can save
both IT staff and users a whole lot of time usually spent waiting for
manual restore operations of accidentally deleted files from tape. As
the server administrator you can schedule the copy time—for instance,
twice a day at 0700 and 1200 hours, five days a week. If the amount of
user data is great and changes often, you can even store this data on
alternate server volumes!
If you have hosts other than Windows Server 2003, such as XP, Windows
2000 with SP3 or Windows 98, you'll need to install the shadow copy volume
component to enable the use of previous file access and restore. This
is available on the XP product CD (%Windir%\System32\Clients\Twclient\X86)
or it can be downloaded
here. Once configured per volume, users will find the Previous
Versions tab in the properties selection for files and folders on a network
shares. Users can then select View, Copy or Restore. They'll be presented
with a list of read-only file and folder copies they can access. For more
information read the white paper, "Introduction to Shadow Copies
of Shared Folders" (click
Nobody can design and maintain a Windows network without knowing a lot
about security. For this exam you should know how to set up and configure
remote assistance, remote administration and wireless networks, and you
should know how to secure data traffic. These fall under the topic, "Planning
and Maintaining Network Security."
IPSec policies should be used to secure VPNs, server-to-server, client-to-server,
DNS zone transfer and Web-server-to-database-server communications. In
Windows 2003, a group of computers can be configured to use IPSec when
either Kerberos or certificates are used. When Kerberos authentication
or certificates aren't an option or aren't supported—usually in smaller
deployments—a preshared key can be configured between IPSec peers.
The problem is the preshared key is stored in clear-text in the client's
Unlike most Group Policy Object settings, which are cumulative, only
one IPSec policy can be assigned to a computer at a time. So if there
are multiple IPSec policies assigned at different levels, the last one
applied is the one that takes effect.
Tip: Windows versions prior to 2000 don't natively support
Chapter 6, "Deploying IPSec," of the Windows Server 2003 Deployment
Kit: Deploying Network Services (click
here to read it) is the best resource available for explaining
You should also review chapter 11, "Deploying a Wireless LAN,"
which can help you understand wireless networks as they pertain to Windows
Tip: Don't confuse remote assistance and Remote Desktop
for Administration. Remote assistance allows a user to invite someone
to connect, observe and remotely control his or her system. Remote Desktop
for Administration supports connections to Windows 2003 servers for the
purpose of remote administration.
The 802.1x wireless protocols enhance security by providing support for
centralized user identification, authentication, dynamic key management
and accounting. In cases where clients roam between access points on the
same network, IPSec can be used in combination with 802.11 and 802.1x.
Windows XP provides 802.1x support and additional wireless support, including
automatic wireless configuration. Certificate auto-enrollment allows wireless
clients to request and install certificates for authentication.
Tip: To achieve the highest level of security for wireless
LANs, you need 802.1x with EAP TLS authentication, PKI, and a RADIUS server.
A Security Infrastructure
Under the general heading of "Planning, Implementing, and Maintaining
Security Infrastructure," you'll find such topics as PKI, certificates,
smart cards and security monitoring.
Unless you have years of experience as a security infrastructure engineer,
I'd suggest you review chapter 16, "Designing a Public Key Infrastructure,"
in the Deployment Kit (click
here to read it).
Tip: To support automated certificate approval and automatic
user certificate enrollment, use enterprise CAs to issue certificates.
Topics you should immerse yourself in include these: the use of the command-line
utility Certutil to back up certificates and private keys; making sure
to back up system state data when using Windows backup (which allows you
to back up the certificate services database); and the use of certificate
templates (to define the intended use and allow users to select the type
of certificate requested such as EFS, User, email, and smart card).
Security monitoring can include many tasks, such as review of event viewer
security logs to IPSec monitoring with network analyzers. Make sure you
know the general processes for these tasks, if not the specific steps.
Tip: The Read, Enroll and Autoenroll permissions are required
for users to obtain certificates via autoenrollment.
The Active Directory Infrastructure
An exam like this one isn't likely to bypass directory services topics.
"Planning and Implementing an Active Directory Infrastructure"
and "Managing and Maintaining an Active Directory Infrastructure"
encompass such topics as these: proper placement of global catalogs, universal
group caching, creating forest root and child domain, creating and managing
trusts, and performing authoritative and non-authoritative restores. Again,
the best online resource is the Windows Server 2003 Deployment Kit. Chapters
1 through 6 in the "Designing and Deploying Directory and Security
Services" section are mandatory!
Windows 2000 forests and domains are readied for Windows 2003 DCs with
the new utility ADprep.exe. ADprep helps make sure that a Windows 2000
forest and domain contain the additional objects, attributes and permissions
to support the Windows 2003 AD environment. ADprep offers the following
adprep /forestprep: runs forest upgrade (must
be completed first)
adprep /domainprep: runs domain upgrade
Tip: DCpromo is used to promote a server to the domain
controller role for a domain.
Domain functional levels are an extension of the mixed/native mode concept
introduced in Windows 2000. Using the AD domains and trusts snap-in, you
can scan, view and change the domain functional levels.
Domain functional levels are as follows: Windows 2000 mixed (default,
with all DC types supported—NT 4.0, Win2K and Windows 2003), Windows
2000 native (Win2K and Windows 2003 DCs only), Windows 2003 interim (a
special mode used during an NT 4.0 to Windows 2003 upgrade) and Windows
2003 (Windows 2003 DCs only). In this last mode, the new utilities for
domain controller and domain rename are available and support for cross
forest trusts exists! You can download the domain rename tools by clicking
Tip: Running Active Directory on Windows Server 2003 Web
Edition isn't supported, but these servers can belong to a domain.
Global Catalog servers serve many purposes for Active Directory. However,
sometimes GC replication isn't practical or reliably supported. In this
case, any Windows 2003 domain controller can be configured for Universal
Group caching. This is often a better deployment solution for remote sites
connected by slow WAN links.
Forest trusts support the following options: complete two-way trusts
between each domain in the forest and use of UPN authentication across
Tip: To support network-wide login when authenticating
users from another forest, add the UPN suffix using the domains and trusts
Knowing when to perform an Active Directory authoritative and non-authoritative
restore should be familiar ground for Windows 2000 MCSEs. An authoritative
restore allows you to recover deleted AD objects to a DC before the next
replication takes place. This allows the restored objects to be replicated
over any previously modified objects as the latest change to all other
DCs. When choosing a non-authoritative restore operation, the restored
AD objects on the DC may be overwritten by other DCs during the next replication
Tip: To perform an AD restore, choose the Active Directory
Services Restore Mode upon startup.
The topic of "Planning and Implementing User, Computer, and Group
Strategies" requires that you spend some time learning about smart
card authentication and password policies. Knowing these topics will go
a long way in the real world.
Smart card authentication is a wonderful thing when it works! Troubleshooting
logon problems with Active Directory and smart cards can be a daunting
task. For instance, if the CA is unavailable, the correct certificate
template hasn't been created or the domain administrator hasn't issued
the correct permissions, users will experience difficulty with smart card
logons. Many daily problems can be attributed to permissions.
Tip: If a password is changed on one computer, but the
user is logged on to another computer with the old password, the computer
with the old password continuously attempts to authenticate the user by
using the old password, and it eventually locks out the user account.
Things To Practice
- Create and use trust relationships. All you need
are two or more domain controllers to create a forest
trust. Understanding how users access resources and
how UPNs can simplify authentication to those resources
is must-have knowledge.
- Configure and experiment with Remote Desktop. This
topic has proven to be important on many of the Windows
2003 exams. Understand its use and permissions granted
when configuring your lab.
- Gpupdate usage and troubleshooting. Gpupdate is
the new tool for use in Windows Server 2003, and it's
a great replacement for the many other tools it left
behind. Become familiar with all that it has to offer
and use it often.
- SUS and patch deployment. Although not a major
topic of this exam, Software Update Services is an
essential topic for Windows 2003 MCSEs. Download SUS
and configure it on your network even if you plan
to use other patch management solutions.
- Troubleshoot Active Directory. There's not enough
information printed to help you master troubleshooting,
so try anything you can think of in your lab to get
experience. Be sure to understand why problems occur
and work out the shortest path to resolution.
- Active Directory restore and maintenance. Use Windows
backup to restore AD in both an authoritative and
non-authoritative mode. Watch as restored data becomes
the replicated data available on the network.
- Work with group policies. In the doing comes the
understanding, as I always say. Create scenarios for
users, family members or politicians you'd like to
control on your network and practice designing, deploying,
managing and troubleshooting their objects.
- Work with Certificate Services. Design, plan, deploy
and manage certificate services. Don't forget to create
and allow users to request specific templates, such
as those for EFS and smart card logon support.
- Install, configure, and create server clusters.
With a copy of VMWare and the switch localquorum,
you can practice even with limited hardware resources.
- Install, configure and manage all DNS zone types.
You need to practice designing, creating, managing
and maintaining DNS. Create DNS zones and understand
how each is used and learn to troubleshoot problems!
Group Policy Objects are the final two topics in the exam objective guide,
under the headings, "Planning, Implementing, Managing, and Maintaining
Group Policies" and "Managing and Maintaining Group Policy."
The focus here encompasses creating user and computer GPOs for distributing
software, automatically enrolling user certificates and troubleshooting
Group Policy should be familiar territory for Windows 2000 MCSEs. Most
Active Directory deployments in the past three years can be attributed
to the need for greater network control. You can find a plethora of Group
Policy information online and in print. Start slogging through it.
There are many resources available to bring you up to speed with Group
Policies. I suggest you pick up a book on the topic. Some have been out
for a few years and still withstand the test of time. Others will be released
by the time this test surfaces.
I also suggest you read the Group Policy Management Console white paper,
"Administering Group Policy with the GPMC" (click
Tip: Download the GPMC add-on by clicking
Also, I recommend you deploy a few GPOs on your lab network if they're
not something you work with every day. Windows 2003 offers many new settings
and options. Some are more useful than others.
For reference, read "The Windows Server 2003 Deployment Kit: Designing
a Managed Environment" (click
Tip: The Configure Automatic Updates policy of Group Policy,
option 4, "Auto Download and Schedule the Install," allows clients
to operate in a fully-automated mode and ensure the latest updates have
You'll find study resources for Exam 70-296 within
the Windows Server 2003 help and documentation. To get
your free 180-day evaluation copy, click
You can also find a lot of information online at the
Windows Server Community page (click
If you plan to attend instructor-led training to hone
your Windows 2003 skills, check out course 2210: Updating
Systems Engineer Skills from Microsoft Windows 2000
to Windows Server 2003, at Microsoft CTECs worldwide.
here to review the course syllabus.
Several publishers are coming out with titles to help
you with self study. These include the following books:
- Microsoft Press has published one self-study title
that covers two upgrade exams, MCSA/MCSE
Self-Paced Training Kit (Exams 70-292 and 70-296):
Upgrading Your Certification to Microsoft Windows
Windows 2003 Upgrade Study Guide (70-292 and 70-296)
from Sybex, ISBN 0-7821-4267-2, $59.99.
Planning, Implementing, and Maintaining a Microsoft
Windows Server 2003 Environment Exam Cram 2 (Exam
Cram 70-296) from Que Publishing, ISBN
Exam 70-296 Study Guide and DVD Training System: Planning,
Implementing and Maintaining a Windows Server 2003
Environment for an MCSE Certified on Windows 2000
from Syngress Publishing, ISBN 1-9322-6657-7, $59.95.
2003 Certification Upgrade Kit: Exams 70-292 and 70-296,
Syngress Publishing, ISBN 1-9322-6661-5, $99.95.
Windows Server 2003 for an MCSE/MCSA Certified on
Windows 2000 Study Guide (Exams 70-292 & 70-296),
Osborne, ISBN 0-0722-3058-4, $49.99. Available: March
Finally, I offer more tips on these exams in the chats
I host at MCPmag.com.
Be sure to read the transcripts for chats that have
already taken place. You can find them by clicking
here and here.
Follow the Upgrade Path
Certification should never be an end to itself. It's simply a way to prove
you've covered the bases in your studies of a new technology. In the case
of Windows Server 2003, this exam cuts a wide swath, just as your job
as a systems engineer probably does. From planning server roles through
setting up security to understanding Active Directory and group policies,
you have a lot to learn when it comes to Microsoft's latest network operating
system. If you're already an MCSE on Windows 2000, you have a headstart.
Take advantage of your competitive edge to learn what's new and tackle
these upgrade exams while they're still cutting edge. Good luck!