70-218 - Managing a Microsoft Windows 2000 Network Environment

Abstract: This guide has been created to aid you in the basics of preparing for the new MCSA title from Microsoft. As with all study guides, never use one guide as your sole source of study.

Preparation Tools: In addition to your hands-on experience working with the product, you may want to use the following tools and training to help you prepare for this exam:

- Step-by-Step Guide to Preparing for a Microsoft Certified Professional Exam: The Step-by-Step Guide describes a concise, six-step approach to preparing for an MCP exam, and is also a compendium of MCP exam-preparation resources.
- Microsoft Official Curriculum: The Microsoft Official Curriculum (MOC) consists of courses designed by Microsoft product groups that support the certification exam process. You can choose from instructor-led classroom training, self-paced training kits, and online training.
- Microsoft Press: Visit Microsoft Press, your online bookstore, for books and CD-ROMs to help you get the most out of Microsoft products. Microsoft Press offers a full line of study materials for MCP exams.
- Practice Tests: Practice tests offered by Microsoft Approved Practice Test Providers enable you to assess and receive feedback on your level of knowledge and exam-readiness prior to taking a certification exam. Although your score on a practice test doesn't necessarily indicate what your score will be on a certification exam, a practice test gives you the opportunity to answer questions that are similar to those on the certification exam and can help you identify your areas of greatest strength and weakness.

Audience Profile: Candidates for this exam work in medium to very large computing environments that use Microsoft Windows 2000 network and directory services. Candidates have at least six months of experience administering and supporting Windows 2000 server and client operating systems that use Active Directory services in environments that have the following characteristics:

- From 200 to 26,000 users are supported.
- From two to 100 physical locations are included.
- Typical network services and resources include messaging, file and print, proxy server or firewall, Internet and intranet, remote access, and client computer management.
- Connectivity needs include connecting branch offices and individual users at remote locations to the corporate network and connecting corporate networks to the Internet.

Active Directory Links

- How to Deploy Active Directory
- Best Practice Active Directory Deployment for Managing Windows Networks
- Guide to Active Directory Design
- Active Directory Architecture
- Building the Active Directory Tree
- Extending Active Directory Schema and Preparing Forest for Exchange Deployment
- Active Directory Diagnostics, Troubleshooting and Recovery
- Best Practices for Designing the Active Directory Structure
- How to Analyze and Manage Active Directory Replication Network Traffic on Your Windows 2000 Server
- How to Deploy a Windows 2000 Server Active Directory in Your Organization
- IT Resources: Active Directory Branch Office Guide Series

Study Notes:

Creating, Configuring, Managing, Securing, and Troubleshooting File, Print, and Web Resources

- Publish resources in Active Directory. Types of resources include printers and shared folders.
  - You can publish any shared network folder, including a distributed file system (Dfs) folder, in Active Directory. Creating a Shared Folder object in Active Directory does not automatically share the folder. It is a two-step process: you must first share the folder on the server, and then publish it in Active Directory.
  - Publishing a Shared Folder in Windows 2000 Active Directory (Q234582)
  - To publish a legacy printer (one shared from a print server that is not running Windows 2000) in Active Directory, follow the step-by-step directions at the following link: Here
  - To publish a normal printer (one shared from a Windows 2000 print server) in Active Directory, follow the step-by-step directions at the following link: Here
- Perform a search in Active Directory Users and Computers.
  - Know how to search for objects within the directory for the exam.
- Configure a printer object.
  - Know how to create a printer object (which is pretty easy) in the directory. Also know how to use Group Policy for printer object control. You can find a large amount of information on how to do this in the following Q article:
  - Using Group Policies to Control Printers in Active Directory (Q234270)
- Manage data storage. Considerations include file systems, permissions, and quotas.
  - If you are a member of the Administrators group, you can enable quotas on NTFS volumes that already contain files. Windows calculates the disk space used by all users who have copied, saved, or taken ownership of files on the volume up to that point; usage is charged to the owner of each file, not to whoever last wrote it. The quota limit and warning level are then applied to all current users based on those calculations, and to users who begin using the volume from that point on. You can then set different quotas, or disable quotas, for individual or multiple users. You can also set quotas for specific users who have not yet copied, saved, or taken ownership of files on the volume. For example, you might want to set a quota limit of 50 megabytes (MB) for all users of \\server\share, while making sure two users who work with larger files on the server have a 100 MB limit. If both of these users already have files stored on \\server\share, you can select both users in the Quota Entries window and set their quota limit to 100 MB. If one or both users do not yet have files stored on the volume when you enable quotas, you need to add a new quota entry for those users in the Quota Entries window and set their quota limit to a value higher than the default for new users. Quotas are tracked per volume, not per share, so the limit covers everything the user owns on that volume regardless of which share it was reached through.
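The accounting rule behind the paragraph above (space is charged to the file's owner, a default limit applies to everyone without their own entry, a per-user entry overrides it, and taking ownership moves the charge) is easy to get wrong when reading a quota report. The following is an added example written for this guide, not Microsoft code; the file listing, user names and sizes are constructed.

```python
"""Quota accounting the way NTFS does it: every byte is charged to the file's
owner, the default limit applies to anyone without their own entry, and a
per-user entry overrides the default.  Added example for this guide; the file
listing below is constructed, not read from a real volume."""
from collections import defaultdict

MB = 1024 * 1024

# Constructed listing of (path, owner, size in bytes) on one NTFS volume.
FILES = [
    (r"\\server\share\alice\plan.doc", "alice", 30 * MB),
    (r"\\server\share\alice\data.mdb", "alice", 25 * MB),
    (r"\\server\share\bob\video.avi", "bob", 90 * MB),
    (r"\\server\share\public\old.zip", "carol", 5 * MB),
]


def usage_by_owner(files):
    """Sum the space charged to each owner (what Windows computes when quotas are enabled)."""
    used = defaultdict(int)
    for _path, owner, size in files:
        used[owner] += size
    return dict(used)


def quota_report(files, default_limit, default_warning, entries=None):
    """Return each owner's usage, effective limit/warning level and state.

    entries maps an owner to a (limit, warning) tuple, mirroring a per-user
    row in the Quota Entries window; it also lets you pre-create an entry for
    a user who owns nothing on the volume yet."""
    entries = entries or {}
    used = usage_by_owner(files)
    report = {}
    for owner in set(used) | set(entries):
        limit, warning = entries.get(owner, (default_limit, default_warning))
        amount = used.get(owner, 0)
        if amount > limit:
            state = "over"
        elif amount >= warning:
            state = "warning"
        else:
            state = "ok"
        report[owner] = {"used": amount, "limit": limit, "warning": warning, "state": state}
    return report


def can_write(report, owner, nbytes, enforced=True):
    """With enforced quotas a write that would cross the limit is refused
    ('disk full'); in tracking mode it is allowed and only logged."""
    entry = report[owner]
    return (not enforced) or entry["used"] + nbytes <= entry["limit"]


def take_ownership(files, path, new_owner):
    """Taking ownership moves the charge: the file now counts against new_owner."""
    return [(p, new_owner if p == path else o, s) for p, o, s in files]
```

Run quota_report with a 50 MB default and a 100 MB entry for bob to see alice (55 MB owned) flagged as over while bob (90 MB) is only at the warning level; then move one of alice's files to another owner with take_ownership and watch her usage drop without any data being copied.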
- Implement NTFS and FAT file systems.
  - Comparing FAT and NTFS File Systems
  - Clusters cannot be 64 kilobytes (KB) or larger. If clusters were 64 KB or larger, some programs (such as Setup programs) might calculate disk space incorrectly.
  - A volume must contain at least 65,527 clusters to use the FAT32 file system. You cannot increase the cluster size on a volume using the FAT32 file system so that it ends up with fewer than 65,527 clusters.
  - The maximum possible number of clusters on a volume using the FAT32 file system is 268,435,445. With a maximum of 32 KB per cluster and space for the file allocation table (FAT), this equates to a maximum volume size of approximately 8 terabytes (TB). Note that the Windows 2000 Format tool will not create a FAT32 volume larger than 32 gigabytes (GB), although Windows 2000 can mount larger FAT32 volumes that were formatted elsewhere.
  - Limitations of FAT32 File System (Q184006)
  - Windows 2000 contains new features that are available only with the NTFS file system; the features and advantages of converting to NTFS with Windows 2000 are listed below. These features require on-disk data structures that make these volumes unavailable to Windows NT 4.0-based computers. In anticipation of dual-boot scenarios, upgrade Windows NT 4.0 to SP4 before starting the Windows 2000 installation. Windows NT 4.0 cannot interpret the version of NTFS included with Windows 2000 correctly. However, there is an updated Ntfs.sys driver in Windows NT 4.0 Service Pack 4 that enables Windows NT 4.0 to read from and write to NTFS volumes created by Windows 2000 (the new features themselves, such as encrypted files, remain unavailable from NT 4.0).
    - Disk quotas. Administrators can limit the amount of disk space users can consume on a per-volume basis. The three quota levels are: Off, Tracking, and Enforced.
    - Encryption. The NTFS file system can automatically encrypt and decrypt file data as it is read from and written to the disk.
    - Reparse points. Programs can trap open operations against objects in the file system and run their own code before returning file data. This feature can be used to extend file system features such as mount points, which you can use to redirect data read from and written to a folder to another volume or physical disk.
    - Sparse files. This feature allows programs to create very large files, but to consume disk space only as needed.
    - USN journal. This feature provides a persistent log of all changes made to files on the volume. The File Replication service depends on it, which is one of the reasons the SYSVOL folder on a Windows 2000 domain controller must be on an NTFS volume.
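The cluster limits quoted above decide whether a given volume can be FAT32 at all, and at which cluster size. The check below is an added example for this guide, not Microsoft code; it divides the volume size by the cluster size and ignores the space the two FATs and the reserved sectors take, so its cluster counts are slightly higher than what Format would really produce.

```python
"""FAT32 feasibility check built from the cluster limits quoted above.

Added example for this guide, not Microsoft code.  The arithmetic ignores the
space taken by the two FATs and the reserved sectors, so the cluster counts
are slightly higher than what FORMAT would really produce."""
from typing import Optional

KB = 1024
MIN_FAT32_CLUSTERS = 65_527          # fewer than this and the volume is FAT16 territory
MAX_FAT32_CLUSTERS = 268_435_445     # upper bound from Q184006
MAX_CLUSTER_BYTES = 32 * KB          # 64 KB clusters break some Setup programs
WIN2000_FORMAT_LIMIT = 32 * KB**3    # Windows 2000 Format refuses larger FAT32 volumes


def fat32_check(volume_bytes: int, cluster_bytes: int) -> dict:
    """Return whether a FAT32 volume of this size and cluster size is valid."""
    problems = []
    if cluster_bytes < 512 or cluster_bytes & (cluster_bytes - 1):
        problems.append("cluster size must be a power of two of at least 512 bytes")
    if cluster_bytes > MAX_CLUSTER_BYTES:
        problems.append("clusters of 64 KB or more are not allowed")
    clusters = volume_bytes // cluster_bytes
    if clusters < MIN_FAT32_CLUSTERS:
        problems.append(f"only {clusters} clusters; FAT32 needs at least {MIN_FAT32_CLUSTERS}")
    if clusters > MAX_FAT32_CLUSTERS:
        problems.append(f"{clusters} clusters exceeds the FAT32 maximum of {MAX_FAT32_CLUSTERS}")
    return {
        "clusters": clusters,
        "ok": not problems,
        "problems": problems,
        # a valid FAT32 layout that Windows 2000's own Format tool will still refuse to create
        "win2000_can_format": not problems and volume_bytes <= WIN2000_FORMAT_LIMIT,
    }


def smallest_valid_cluster(volume_bytes: int) -> Optional[int]:
    """Smallest legal cluster size that keeps the cluster count within the FAT32 limits,
    or None when no cluster size up to 32 KB fits (the volume is too small or too large)."""
    size = 512
    while size <= MAX_CLUSTER_BYTES:
        if fat32_check(volume_bytes, size)["ok"]:
            return size
        size *= 2
    return None


if __name__ == "__main__":
    for gb in (2, 64, 8 * 1024):
        print(gb, "GB:", fat32_check(gb * KB**3, 32 * KB))
    print("4 TB needs", smallest_valid_cluster(4 * KB**4), "byte clusters")
```

Note how 8 TB with 32 KB clusters comes out just over the 268,435,445 limit, which is where the "approximately 8 TB" figure comes from, and how a 64 GB volume is a legal FAT32 layout that Windows 2000 will nonetheless not format.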
- Implement and configure Encrypting File System (EFS).
  - How to Encrypt Data Using EFS in Windows 2000 (Q230520)
  - You can use the Windows 2000 EFS to encrypt files to prevent unauthorized individuals from viewing the contents of the files. To encrypt and decrypt files, a user must have a file encryption certificate and its associated private key. If the certificate and private key are lost or damaged, access to the files is lost unless a recovery agent can decrypt them.
  - Data recovery is possible through the use of a recovery agent. A user account of a trusted individual can be designated as a Recovery Agent so that a business can retrieve files in the event of a lost or damaged file encryption certificate, or to recover data from an employee who has left the company.
  - One of the many advantages of using Windows 2000 domains is that you can configure a domain EFS recovery policy. In a default Windows 2000 installation, when the first domain controller (DC) is set up, the domain Administrator account is the specified recovery agent for the domain. The domain administrator can log on to the first DC in the domain, and then change the recovery policy for the domain. Back up the recovery agent's certificate and private key, export them to removable media and store them securely: anyone holding that key can decrypt every file covered by the policy, and losing it removes your only fallback.
  - If you want to create additional recovery agents, the user accounts must have a file recovery certificate. If available, a certificate can be requested from an enterprise CA that can provide certificates for your domain. However, EFS does not require a CA to issue certificates: EFS can generate its own self-signed certificates for users and for the default recovery agent account.
- Configure volumes and basic and dynamic disks.
  - HOW TO: Use Disk Management to Manage Basic and Dynamic Disks in Windows 2000 (Q308209)
  - Basic disk storage supports partition-oriented disks. A basic disk is a physical disk that contains basic volumes (primary partitions, extended partitions, or logical drives). If you upgraded your computer to Windows 2000 from Microsoft Windows NT 4.0, basic disks may also contain spanned, mirrored, striped, and RAID-5 volumes if they were present in the previous operating system. You can create up to four primary partitions on a basic disk, or up to three primary partitions and one extended partition. You can also use free space on an extended partition to create logical drives.
  - Dynamic disk storage supports volume-oriented disks. A dynamic disk is a physical disk that contains dynamic volumes. With dynamic disks, you have the ability to create simple volumes, volumes that span multiple disks (spanned and striped volumes), and fault-tolerant volumes (mirrored and RAID-5 volumes). Dynamic disks can contain an effectively unlimited number of volumes.
- Manage a domain-based distributed file system (DFS).
  - How to Install Distributed File System (DFS) on Windows 2000 (Q241452)
  - Distributed file system (Dfs) is used to make files distributed across multiple servers appear to users as if they reside in one place on the network. Because of this, users no longer need to know or specify the actual physical location of files in order to obtain access to them. Dfs can be implemented as stand-alone or domain-based. Domain-based Dfs has the following advantages:
    - Windows 2000 automatically publishes the Dfs topology in Active Directory, making it visible to users on all servers in the domain.
    - The administrator has the ability to replicate the Dfs roots and shared folders to multiple servers in the domain. By doing so, users are still able to reach their files even if one of the physical servers on which the files reside becomes unavailable.
- Manage file and folder compression.
  - HOW TO: Compress and Expand Files and Folders in Windows 2000 (Q314958)
  - Compact.exe is the command-line version of the file and folder compression feature in Windows 2000. Use Compact to compress, to decompress, or to display the compression state of files and folders on NTFS-formatted volumes.
  - Compress.exe is a command-line utility that you can use to compress one or more files. This tool is included in the Microsoft Windows 2000 Resource Kit.
  - When you use Compress to compress files, you must use Expand.exe to expand the compressed file before you can open it (unlike NTFS compression, which is transparent to applications).
- Create shared resources and configure access rights. Shared resources include printers, shared folders, and Web folders.
  - Know how to share objects out, and then assign rights to them. Remember that share permissions and NTFS permissions are both evaluated for a network user, and the more restrictive of the two wins; share permissions do nothing for a user logged on locally.
  - Know how to share folders and enable Web sharing.
- Configure and troubleshoot Internet Information Services (IIS).
  - IT Resources for Supporting and Maintaining IIS
  - Deploying Windows 2000 with IIS 5.0 for Dot Coms: Best Practices
- Configure virtual directories and virtual servers.
  - Internet Information Server 5.0 Resource Kit
  - Internet Information Server 4.0 Resource Kit
- Troubleshoot Internet browsing from client computers.
  - Know how to troubleshoot the Internet Explorer client inside and out. Know how to check the proxy settings if a proxy server is in use and how they should be configured. Distinguish a server that cannot be reached at all (a DNS, proxy or routing problem, where the browser never receives an HTTP reply) from one that answers with an error status: 4xx codes such as 401 Unauthorized, 403 Forbidden and 404 Not Found point at the request or at permissions, while 5xx codes such as 500 Internal Server Error are failures on the Web server itself.
- Troubleshoot intranet browsing from client computers.
  - Same as above. Know how to configure the browser to bypass the proxy for intranet servers (the "Bypass proxy server for local addresses" setting and the exceptions list in Internet Options, Connections, LAN Settings).
- Configure authentication and SSL for Web sites.
  - SSL is configured in the IIS Web site properties (Directory Security tab: obtain and install a server certificate, then require Secure Channel (SSL)) so that the session is protected by Secure Sockets Layer transmission.
  - HOW TO: Configure IIS 5.0 Web Site Authentication in Windows 2000 (Q310344)
  - Anonymous access: When Anonymous access is enabled, no credentials are required to access the site; requests run as the anonymous user account (IUSR_computername by default), so NTFS permissions on the Web site folders are what controls what an anonymous visitor can read. To edit the properties of the anonymous user account, click Edit in the Anonymous access box.
  - Basic authentication: If Basic authentication is enabled, the user credentials are sent in clear text (base64-encoded, which any protocol analyzer decodes). On its own this provides a low level of security, but it is compatible with the widest number of Web clients; use it only over SSL. If Basic authentication is enabled, you can click Edit and set a default domain for user accounts.
  - Digest authentication: Digest authentication works for Internet Explorer 5.0 and later Web clients and for Web servers that belong to a Windows 2000 domain. It has the advantage of not sending user credentials in clear text. The caveat is that IIS 5.0 must be able to compute the digest from the plaintext password, so the accounts used must have the "Store password using reversible encryption" option set in Active Directory.
  - Integrated Windows authentication: Integrated Windows authentication can use both the Kerberos v5 authentication protocol and its own challenge/response protocol (NTLM). This is the more secure option, and the password itself never crosses the wire. However, it only works for Internet Explorer 2.0 or later, and it does not work through HTTP proxy connections.
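To see why Basic needs SSL and why Digest needs reversible password storage, it helps to do both computations by hand. The following is an added example written for this guide, not Microsoft or IIS code: the Basic header is constructed, the Digest arithmetic follows RFC 2617 with qop=auth (the mode IIS 5.0 and Internet Explorer 5 negotiate), and the Mufasa/Circle Of Life values are the worked example from that RFC.

```python
"""Basic versus Digest as seen on the wire.  Added example for this guide, not
Microsoft code: the request header is constructed, and the Digest maths follows
RFC 2617 with qop=auth; the Mufasa values are RFC 2617's own worked example."""
import base64
import hashlib
import hmac


def basic_header(user, password):
    """What the browser sends: base64 is an encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def decode_basic(header):
    """What anyone running a protocol analyzer does with that header."""
    scheme, _, token = header.split(":", 1)[1].strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not Basic authentication")
    user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side of RFC 2617: the password goes into HA1 and never leaves the client."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_verify(stored_ha1, response, method, uri, nonce, nc, cnonce, qop="auth"):
    """Server side.  It needs HA1 = MD5(user:realm:password), which it can only
    derive from the plaintext password; that is why IIS 5.0 Digest requires the
    account to store its password with reversible encryption."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    hdr = basic_header("alice", "P@ssw0rd")
    print(hdr, "->", decode_basic(hdr))
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                          "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          "00000001", "0a4f113b"))
```

The Digest response contains nothing that reverses to the password, but note that the server cannot verify it from a one-way hash of the password; it needs HA1, hence the reversible-encryption requirement, which in turn makes the domain's password store a more valuable target.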
- Configure FTP services.
  - Know how to configure basic FTP services within IIS. Remember that FTP sends user names and passwords in clear text; allow only anonymous FTP unless the link is otherwise protected.
- Configure access permissions for intranet Web servers.
  - Secure Internet Information Services 5 Checklist
- Monitor and manage network security. Actions include auditing and detecting security breaches.
  - HOW TO: Enable and Apply Security Auditing in Windows 2000 (Q300549)
  - It is important that you protect your information and service resources from people who should not have access to them, and at the same time make those resources available to authorized users. The article above describes how to use Windows 2000 security features to audit access to resources.
  - You can configure the Security log to record information about either directory and file access or server events. You set this level of auditing through the Audit Policy (under Local Policies in the Group Policy or Local Security Policy snap-in of the Microsoft Management Console (MMC)). These events are logged in the Windows Security log. The Security log can record security events, such as valid and invalid logon attempts (events 528 and 529 in Windows 2000), as well as events related to resource use, such as creating, opening, or deleting files (event 560, Object Open, records the access that was requested). You need to log on as an administrator to control what events are audited and displayed in the Security log.
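Once logon auditing is on, the useful work is reading the Security log for patterns rather than single events. The following detection over a handful of exported log lines is an added example for this guide, not a Microsoft tool: the event IDs are the Windows 2000 ones (528 successful logon, 529 logon failure for a bad user name or password, 560 object open), the export format is a simplified tab-separated layout, and every log line is constructed.

```python
"""Password-guessing detection over a Security log export.  Added example for
this guide, not a Microsoft tool.  Event IDs are the Windows 2000 ones (528
successful logon, 529 logon failure, 560 object open); the log lines are
constructed, not a real export."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_SUCCESS, LOGON_FAILURE, OBJECT_OPEN = 528, 529, 560

# Constructed tab-separated lines: date, time, event ID, account, source workstation.
SAMPLE_LOG = """\
2000-05-12\t09:01:02\t529\tCORP\\alice\tWKS07
2000-05-12\t09:01:03\t529\tCORP\\alice\tWKS07
2000-05-12\t09:01:03\t529\tCORP\\alice\tWKS07
2000-05-12\t09:01:04\t529\tCORP\\alice\tWKS07
2000-05-12\t09:01:05\t529\tCORP\\alice\tWKS07
2000-05-12\t09:01:09\t528\tCORP\\alice\tWKS07
2000-05-12\t09:15:00\t529\tCORP\\bob\tWKS12
2000-05-12\t10:15:00\t529\tCORP\\bob\tWKS12
2000-05-12\t10:20:00\t560\tCORP\\carol\tFILESRV
"""


def parse_export(text):
    """Turn the export into a list of event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, account, source = line.split("\t")
        events.append({"when": datetime.fromisoformat(f"{date} {time}"),
                       "id": int(event_id), "account": account, "source": source})
    return events


def failed_logons_by_account(events):
    """Plain count of 529s per account, the first thing to look at."""
    counts = defaultdict(int)
    for ev in events:
        if ev["id"] == LOGON_FAILURE:
            counts[ev["account"]] += 1
    return dict(counts)


def find_password_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Flag an (account, source) pair with >= threshold failures inside a sliding
    window, and record whether a success followed, which is the case to chase."""
    recent = defaultdict(deque)
    alerts, flagged = [], set()
    for ev in sorted(events, key=lambda e: e["when"]):
        key = (ev["account"], ev["source"])
        if ev["id"] == LOGON_FAILURE:
            times = recent[key]
            times.append(ev["when"])
            while times and ev["when"] - times[0] > window:
                times.popleft()
            if len(times) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"account": ev["account"], "source": ev["source"],
                               "failures": len(times), "first": times[0],
                               "last": ev["when"], "succeeded": False})
        elif ev["id"] == LOGON_SUCCESS and key in flagged:
            for alert in alerts:
                if (alert["account"], alert["source"]) == key:
                    alert["succeeded"] = True
    return alerts


if __name__ == "__main__":
    for alert in find_password_guessing(parse_export(SAMPLE_LOG)):
        print(alert)
```

With the sample data, alice's five failures in three seconds followed by a success are reported as a successful guess from WKS07, while bob's two failures an hour apart stay below the window and produce nothing; tune threshold and window to your lockout policy so that the alert fires before the attacker's budget of attempts does.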
  - IMPORTANT: Before Windows 2000 can audit access to files and folders, you must use the Group Policy snap-in to enable the Audit Object Access setting in the Audit Policy. If you do not, you receive an error message when you set up auditing for files and folders, and no files or folders are audited. After you enable auditing in Group Policy, add audit entries to the folder itself (Properties, Security, Advanced, Auditing tab) for the users and accesses you care about, and then view the Security log in Event Viewer to review successful or failed attempts to access the audited files and folders.

Configuring, Administering, and Troubleshooting the Network Infrastructure
- Troubleshoot routing. Diagnostic utilities include the tracert command, the ping command, and the ipconfig command.
  - To test a TCP/IP configuration by using the ping command:
  - To quickly obtain the TCP/IP configuration of a computer, open Command Prompt and type ipconfig. From the display of the ipconfig command, ensure that the network adapter for the TCP/IP configuration you are testing is not in a Media disconnected state.
  - At the command prompt, ping the loopback address by typing ping 127.0.0.1. This proves only that TCP/IP is installed and working; it says nothing about the adapter or the cable.
  - Ping the IP address of the computer.
  - Ping the IP address of the default gateway.
  - If the ping command fails, verify that the default gateway IP address is correct (it must lie on the same subnet as the computer's address and mask) and that the gateway (router) is operational.
  - Ping the IP address of a remote host (a host that is on a different subnet).
  - If the ping command fails, verify that the remote host IP address is correct, that the remote host is operational, and that all of the gateways (routers) between this computer and the remote host are operational. Use tracert to the remote host to see at which hop the path stops, and keep in mind that a firewall or router that drops ICMP makes a reachable host look dead to ping.
  - Ping the IP address of the DNS server.
  - If the ping command fails, verify that the DNS server IP address is correct, that the DNS server is operational, and that all of the gateways (routers) between this computer and the DNS server are operational.
  - To display the basic TCP/IP configuration, type: ipconfig
  - To display the full TCP/IP configuration for all adapters, type: ipconfig /all
  - To renew a DHCP-assigned IP address configuration for only the Local Area Connection adapter, type: ipconfig /release "Local Area Connection" followed by ipconfig /renew "Local Area Connection" (without an adapter name, every DHCP-enabled adapter is released or renewed).
  - To flush the DNS resolver cache when troubleshooting DNS name resolution problems, type: ipconfig /flushdns
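The ping sequence above and the TCP/IP considerations in the next item (subnet masks, default gateways, network IDs, broadcast addresses) come down to the same arithmetic: is the gateway on my subnet, and what are my network and broadcast addresses? The following is an added example for this guide, not a Windows tool; all addresses are made up and the ping order it returns mirrors the steps listed above.

```python
"""Subnet arithmetic behind the ping sequence above and the TCP/IP
considerations that follow.  Added example for this guide, not a Windows
tool; every address used is made up."""
import ipaddress


def analyze_host(ip, mask, gateway, dns=None, remote=None):
    """Work out the network ID and broadcast for ip/mask, sanity-check the
    configuration, and return the ping order a technician should follow."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")   # mask may be dotted or a prefix length
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    problems = []
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("host address is the network ID or the broadcast address")
    if gw not in net:
        problems.append(f"default gateway {gw} is not on {net}; traffic for other subnets cannot leave")
    elif gw in (net.network_address, net.broadcast_address):
        problems.append("default gateway cannot be the network ID or the broadcast address")
    if gw == iface.ip:
        problems.append("default gateway is the host itself")
    # loopback, own address, gateway, remote host, DNS server: the order in the guide
    sequence = ["127.0.0.1", str(iface.ip), str(gw)]
    for target in (remote, dns):
        if target and str(target) not in sequence:
            sequence.append(str(target))
    return {
        "network_id": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "usable_hosts": max(net.num_addresses - 2, 0),
        "problems": problems,
        "ping_sequence": sequence,
    }


def same_subnet(a, b, mask):
    """True when two hosts using this mask can talk without going through a router."""
    return (ipaddress.ip_interface(f"{a}/{mask}").network
            == ipaddress.ip_interface(f"{b}/{mask}").network)


if __name__ == "__main__":
    print(analyze_host("10.1.4.20", "255.255.252.0", "10.1.8.1", dns="10.1.4.5", remote="10.9.0.7"))
```

A gateway off the local subnet is the classic misconfiguration this catches: the host's own pings succeed, the gateway ping fails, and nothing beyond the subnet is reachable, exactly the failure the sequence above is designed to localize.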
- Configure and troubleshoot TCP/IP on servers and client computers. Considerations include subnet masks, default gateways, network IDs, and broadcast addresses.
  - You need to know the basics of troubleshooting here. Know how to configure IP on a workstation or a server, subnet it, put a mask on it, and know the basic fundamentals of what makes up an IP address.
- Configure, administer, and troubleshoot DHCP on servers and client computers.
  - Dynamic Host Configuration Protocol for Windows 2000
  - Chapter 4 - Dynamic Host Configuration Protocol (Resource Kit Chapter)
  - Managing TCP/IP Addresses On Your Network With DHCP
  - Windows 2000 Server Documentation - DHCP
- Detect unauthorized DHCP servers on a network.
  - Unauthorized DHCP Server Detection
  - The Microsoft DHCP server for Windows 2000 is designed to prevent unauthorized DHCP servers from creating address assignment conflicts. This solves problems that could otherwise occur if naive users created unauthorized DHCP servers that could assign improper or unintended IP addresses to clients elsewhere on the network. For example, a user could create what was intended to be a local DHCP server, using non-unique Net 10 addresses, that then leases those addresses to unintended clients requesting addresses from elsewhere on the network. This is one reason to keep the number of DHCP servers deployed at a minimum. Most of these events are accidental, where a second DHCP server is installed by someone who is unaware of other DHCP servers already active on the network.
  - The DHCP server for Windows 2000 has management features to prevent unauthorized deployments and to detect existing unauthorized DHCP servers. In the past, anyone could bring up a DHCP server on a network. Today, an authorization step is required. The authorized personnel are usually the administrator of the domain that the Windows 2000 Server belongs to, or someone to whom they have delegated the task of managing the DHCP servers.
  - Protecting Against Unauthorized DHCP Servers
  - Active Directory is now used to store records of authorized DHCP servers. When a DHCP server comes up, the directory is used to verify the status of that server. If the server is unauthorized, it returns no response to DHCP requests, and a network manager with the proper access rights has to respond. The domain administrator can assign access to the DHCP folder holding the configuration data, to allow only authorized personnel to add DHCP servers to the approved list.
  - The list of authorized servers is created in Active Directory through the DHCP snap-in. When it first comes up, the DHCP server tries to find out if it is part of the directory domain. If it is, it tries to contact the directory to see if it is in the list of authorized servers. If it succeeds, it sends out a DHCPINFORM to find out if there are other directory services running, and makes sure that it is valid in those as well. If it cannot connect to the directory, it assumes that it is not authorized and does not respond to client requests. Likewise, if it does reach the directory but does not find itself in the authorized list, it does not respond to clients. Only if it finds itself in the authorized list does it start to service client requests.
  - Keep the limits of this in mind: authorization is a check the Windows 2000 DHCP service performs on itself. It does nothing against a DHCP server that does not run that service, such as Windows NT 4.0, a UNIX dhcpd, or a router's built-in DHCP. Those you have to find from the network side: send a DHCPDISCOVER from a test client (or capture DHCPOFFER traffic) and compare the server identifier in every offer against your list of authorized servers.
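The network-side check for servers that directory authorization cannot silence means looking at the offers clients actually receive. The following is an added example for this guide, not Microsoft's detection code: it builds a DHCPOFFER in the RFC 2131 layout the way a server would, parses it back, and compares the server identifier (option 54) with an authorized list. Addresses, MACs and the transaction ID are all made up; on a real network you would feed it packets captured from a client that has just broadcast a DHCPDISCOVER.

```python
"""Rogue DHCP server check from the network side.  Added example for this
guide, not Microsoft's detection code.  Addresses, MACs and transaction IDs
are made up; the packet layout follows RFC 2131."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
BOOTREPLY = 2


def build_offer(xid, client_mac, yiaddr, server_id, lease_seconds=691200):
    """Minimal DHCPOFFER as a server would send it (8-day lease by default)."""
    mac = bytes.fromhex(client_mac.replace("-", "").replace(":", ""))
    header = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)
    header += bytes(4)                                   # ciaddr
    header += ipaddress.ip_address(yiaddr).packed        # yiaddr: the offered address
    header += bytes(4) + bytes(4)                        # siaddr, giaddr
    header += mac.ljust(16, b"\0")                       # chaddr
    header += bytes(64) + bytes(128)                     # sname, file
    options = (bytes([53, 1, 2])                         # message type = OFFER
               + bytes([54, 4]) + ipaddress.ip_address(server_id).packed
               + bytes([51, 4]) + struct.pack("!I", lease_seconds)
               + bytes([255]))                           # end
    return header + MAGIC_COOKIE + options


def parse_dhcp(packet):
    """Decode the fixed header and the TLV option list of a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 255:                                  # end option
            break
        if code == 0:                                    # pad option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MESSAGE_TYPES.get(options[53][0], "UNKNOWN") if 53 in options else "UNKNOWN"
    return {
        "op": op,
        "xid": xid,
        "client_mac": packet[28:28 + hlen].hex("-"),
        "yiaddr": str(ipaddress.ip_address(packet[16:20])),
        "type": msg_type,
        "server_id": str(ipaddress.ip_address(options[54])) if 54 in options else None,
        "lease_seconds": struct.unpack("!I", options[51])[0] if 51 in options else None,
    }


def rogue_servers(packets, authorized):
    """Server identifiers seen in OFFER/ACK packets that are not on the authorized list."""
    authorized = {str(ipaddress.ip_address(a)) for a in authorized}
    seen = []
    for pkt in packets:
        info = parse_dhcp(pkt)
        if info["type"] in ("OFFER", "ACK") and info["server_id"] not in authorized:
            if info["server_id"] not in seen:
                seen.append(info["server_id"])
    return seen


if __name__ == "__main__":
    offers = [build_offer(0x1234, "00-50-56-aa-bb-cc", "10.0.0.11", "10.0.0.2"),
              build_offer(0x1234, "00-50-56-aa-bb-cc", "10.0.0.77", "10.0.0.250")]
    print("unauthorized:", rogue_servers(offers, ["10.0.0.2"]))
```

Two offers for the same transaction from different server identifiers is the signature of a rogue: the client will take whichever arrives first, which is why the authorized list, not the order of arrival, has to be the judge.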
- Configure client computers to use dynamic IP addressing.
  - Know how to set up a client to get an IP address from a DHCP server (Obtain an IP address automatically in the TCP/IP properties). DHCP discovery is a broadcast, so pay attention to any broadcasts that need to pass a router: either the router must forward DHCP/BOOTP, or you configure a DHCP Relay Agent on the remote subnet.
- Configure DHCP server properties.
  - DHCP scopes: A DHCP scope is an administrative grouping that identifies the full consecutive range of possible IP addresses for all DHCP clients on a physical subnetwork. Scopes define a logical subnetwork for which DHCP services are to be offered, and also allow the server to identify configuration parameters that are given to all DHCP clients on the subnetwork. A scope must be defined before DHCP clients can use the DHCP server for dynamic TCP/IP configuration.
  - Address pools: Once a DHCP scope is defined and exclusion ranges are applied, the remaining addresses form what is called an available address pool within the scope. Pooled addresses may then be dynamically assigned to DHCP clients on the network.
  - Exclusion ranges: An exclusion range is a limited sequence of IP addresses within a scope range that are to be excluded from DHCP service offerings. Where exclusion ranges are used, they ensure that any addresses within the defined exclusion range are not offered to clients of the DHCP server; use them for statically addressed servers, routers and printers that sit inside the range.
  - Reservations: Reservations allow permanent address lease assignment by the DHCP server. Where reservations are used, they ensure that a specified hardware device (identified by its MAC address) on the subnetwork can always use the same IP address.
  - Superscopes: An administrative feature included in the DHCP snap-in can be used to create a number of distinct scopes that are grouped together into a single administrative entity called a superscope. Superscopes are useful for solving several different DHCP service issues, such as serving more than one logical subnet on a single physical network.
  - Leases: A lease is the length of time that a DHCP server specifies that a client computer can use an assigned IP address. When a lease is made to a client, it is described as active. At the half-lease point (T1) the client must renew its address lease with the server that issued it; if that fails, at 87.5 percent of the lease (T2) it broadcasts a renewal to any server, and if the lease expires unrenewed the client must stop using the address. The duration of leases therefore affects how often clients attempt to renew the addresses they have been assigned.
  - DHCP options: DHCP options are other client-configuration parameters that a DHCP server can assign when serving leases to DHCP clients. For example, IP addresses for a router or default gateway, WINS servers, or DNS servers are commonly provided for a single scope or globally for all scopes managed by the DHCP server. Many DHCP options are predefined through RFC 2132, but the Microsoft DHCP server also allows defining and adding custom options.
- Create and configure a DHCP scope.
  - A scope is an administrative grouping of computers for a subnetwork using the DHCP service. Administrators create a scope for each physical subnetwork, which is then used to define the parameters used by clients on that subnetwork. Scopes can be planned based on the needs of particular groups of users, with appropriate lease durations defined for the related scopes. A scope has the following properties:
    - A range of possible IP addresses from which to include or exclude addresses used in DHCP service lease offerings.
    - A unique subnet mask to determine the subnet related to a given IP address.
    - A scope name assigned when the scope is created.
    - Lease duration values to be assigned to DHCP clients that receive dynamically allocated IP addresses.
    - Reservations.
    - Options.
  - A DHCP scope consists of a pool of IP addresses on a subnetwork, such as 10.0.0.1 to 10.0.0.100, that the DHCP server can lease to DHCP clients. Each physical network can have only one DHCP scope per server, or a superscope with one or more ranges of IP addresses.
- Configure, administer, and troubleshoot DNS.
- Configure DNS server properties.
  - Download this huge whitepaper. It will tell you everything you need to know to configure all aspects of Windows 2000 DNS services: Here
- Other networking services
  - Know the basics of HOSTS, LMHOSTS, WINS and DNS.

Configuring, Managing, Securing, and Troubleshooting Active Directory Organizational Units and Group Policy

- Create, manage, and troubleshoot User and Group objects in Active Directory.
  - This URL pretty much goes over the whole Active Directory process: Here
  - Linking Group Policy Objects to Active Directory Containers
  - Any site, domain, or OU may be associated with any Group Policy Object. As shorthand, we use the acronym SDOU to mean a site, domain, or OU.
  - A given GPO can be associated (linked) with more than one site, domain, or OU. Conversely, a given site, domain, or OU can have multiple GPOs linked to it. Where multiple GPOs are linked to a particular site, domain, or OU, you can prioritize the order of precedence in which these GPOs are applied.
  - By linking GPOs to Active Directory sites, domains, and OUs, you can implement Group Policy settings for as broad or as narrow a portion of the organization as you want:
  - A GPO linked to a site applies to all users and computers in the site.
  - A GPO applied to a domain applies directly to all users and computers in the domain and by inheritance to all users and computers in child OUs. Note that policy is not inherited across domains.
  - A GPO applied to an OU applies directly to all users and computers in the OU and by inheritance to all users and computers in child OUs.
  - Policy is processed in the order local computer, site, domain, then OUs from the top of the tree down to the object's own OU; where two GPOs set the same value, the one applied last wins, so an OU setting overrides a conflicting domain setting.
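Working out which setting an object actually ends up with means walking site, domain and the OU chain in order and letting the last writer win, while stopping at the domain boundary. The following model is an added example for this guide, not Windows code: the containers, GPO names and settings are made up, and the Block Policy Inheritance and No Override options are deliberately left out so that the basic order is the only thing in play.

```python
"""Group Policy scope and precedence: site, then domain, then the OU chain
from the top down, last writer wins, nothing crosses a domain boundary.
Added example for this guide (a model, not Windows code); containers, GPO
names and settings are made up, and Block Policy Inheritance / No Override
are deliberately omitted."""


class GPO:
    def __init__(self, name, settings):
        self.name, self.settings = name, dict(settings)


class Container:
    """A site, domain or OU.  links holds GPOs in the order shown on the
    container's Group Policy tab: the first entry has the highest precedence."""

    def __init__(self, name, kind, parent=None):
        self.name, self.kind, self.parent = name, kind, parent
        # every domain and OU knows which domain it belongs to; sites belong to none
        if kind == "domain":
            self.domain = self
        else:
            self.domain = parent.domain if parent is not None else None
        self.links = []

    def link(self, gpo, at_top=False):
        if at_top:
            self.links.insert(0, gpo)
        else:
            self.links.append(gpo)
        return self


def effective_policy(site, container, local=None):
    """Return (merged settings, GPO names in application order) for an object
    that sits in container and whose computer is in site."""
    chain, c = [], container
    while c is not None and c.domain is container.domain:   # stop at the domain boundary
        chain.append(c)
        c = c.parent
    chain.reverse()                                          # domain first, leaf OU last
    merged, order = {}, []
    if local is not None:                                    # local policy is applied first
        merged.update(local.settings)
        order.append(local.name)
    for holder in [site] + chain:
        if holder is None:
            continue
        for gpo in reversed(holder.links):                   # lowest precedence first, top link wins
            merged.update(gpo.settings)
            order.append(gpo.name)
    return merged, order


if __name__ == "__main__":
    corp = Container("corp.example", "domain").link(GPO("Domain-Security", {"min_pw_len": 8}))
    sales = Container("Sales", "ou", parent=corp).link(GPO("Sales-Apps", {"min_pw_len": 10}))
    print(effective_policy(None, sales))
```

The child-domain case is the one to remember: an object in eu.corp.example gets the site GPO and its own domain's GPOs, but nothing linked at corp.example, however the OUs are arranged.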
  - GPOs are stored on a per-domain basis; however, you can link a site, domain, or OU to a GPO in another trusted domain, although this is not recommended in general for performance reasons.

Configuring, Securing, and Troubleshooting Remote Access
- Configure and troubleshoot remote access and virtual private network (VPN) connections.
  - All you need to know on how to configure a Win2K VPN
©2000
www.CERTguide.com