70-290 Concepts: Remote Server Management and IIS

·          The Remote Assistance feature is turned on by default in Windows XP Professional, but is turned off by default on Windows Server 2003. Both systems must be XP or Server 2003.

·          Requests can be sent via e-mail, Windows Messenger, or as a saved RA invitation file. TCP port 3389 inbound must be open on the firewall in front of the machine being assisted.

·          You can connect to a terminal server’s console session with the mstsc.exe /console command, or via the Remote Desktops MMC snap-in.

·          IIS 6 is not installed by default; it is installed via Add/Remove Programs > Windows Components (Application Server). Requests for a feature that is not installed, or for a Web Service Extension (ASP, ASP.NET, CGI, etc.) that has not been enabled in IIS Manager, are answered with HTTP 404.

·          IIS logs are, by default, located in %windir%\System32\LogFiles\W3SVC1 (one folder per site, named after the site ID; W3SVC1 is the Default Web Site).

·          The IIS metabase (configuration store) holds all site and server settings in XML: %systemroot%\system32\inetsrv\MetaBase.xml, with its schema in MBSchema.xml in the same folder.

You can import an entire IIS metabase from one computer to another using iiscnfg.vbs /copy (or iiscnfg.vbs /export followed by /import); iisback.vbs backs up and restores the metabase on the local machine.
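The 404 behaviour and the log location above are what you work from when reviewing an IIS 6 server. The following is an added example, not code from the original page: a small parser for the W3C extended log format that IIS 6 writes to W3SVC1, run over constructed sample lines, that groups 404s by client to spot directory probing and separates 404.2 responses (the file exists but its Web Service Extension is disabled) from plain 404s. The log lines, IP addresses and paths are constructed; the field list is the IIS 6 default set.

```python
from collections import defaultdict

# Constructed sample in IIS 6 W3C extended format (default field list).
# 192.168.1.50 is a normal browser; 10.0.0.9 walks well-known paths.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-01-15 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-01-15 10:00:01 192.168.1.10 GET /default.htm - 80 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-01-15 10:00:03 192.168.1.10 GET /images/logo.gif - 80 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-01-15 10:02:10 192.168.1.10 GET /orders.asp id=7 80 - 192.168.1.50 Mozilla/4.0+(compatible;+MSIE+6.0) 404 2 0
2006-01-15 10:05:41 192.168.1.10 GET /printers/ - 80 - 10.0.0.9 - 404 0 2
2006-01-15 10:05:42 192.168.1.10 GET /scripts/root.exe - 80 - 10.0.0.9 - 404 0 2
2006-01-15 10:05:42 192.168.1.10 GET /_vti_bin/shtml.dll - 80 - 10.0.0.9 - 404 2 0
2006-01-15 10:05:43 192.168.1.10 GET /cgi-bin/ - 80 - 10.0.0.9 - 404 0 2
2006-01-15 10:05:44 192.168.1.10 GET /admin/ - 80 - 10.0.0.9 - 404 0 2
"""

# IIS 6 sub-status codes that refine a 404 (the two that matter for "feature not enabled").
SUBSTATUS_404 = {
    "0": "not found",
    "2": "web service extension lockdown (extension not enabled)",
    "3": "MIME map policy (no MIME type registered for this extension)",
}


def parse_w3c_log(text):
    """Return one dict per request line, keyed by the names in the #Fields directive."""
    fields, records = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software/#Version/#Date carry no request
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; in production count these and alert rather than drop silently
        records.append(dict(zip(fields, values)))
    return records


def not_found_by_client(records, min_hits=3):
    """Clients with at least min_hits 404 responses, mapped to the (uri, reason) they probed.
    A single stray 404 from a browser is ignored; a burst from one address is a scan."""
    per_client = defaultdict(list)
    for r in records:
        if r["sc-status"] != "404":
            continue
        reason = SUBSTATUS_404.get(r["sc-substatus"], "substatus " + r["sc-substatus"])
        per_client[r["c-ip"]].append((r["cs-uri-stem"], reason))
    return {ip: hits for ip, hits in per_client.items() if len(hits) >= min_hits}


def lockdown_misses(records):
    """URIs answered 404.2: the file is there, but its Web Service Extension is disabled.
    These tell you which handlers are being requested (legitimately or not) on a locked-down server."""
    return sorted({r["cs-uri-stem"] for r in records
                   if r["sc-status"] == "404" and r["sc-substatus"] == "2"})


if __name__ == "__main__":
    recs = parse_w3c_log(SAMPLE_LOG)
    for ip, hits in not_found_by_client(recs).items():
        print(f"{ip}: {len(hits)} x 404")
        for uri, reason in hits:
            print(f"    {uri}  ({reason})")
    print("404.2 (extension disabled):", lockdown_misses(recs))
```

Point it at a real file by reading the .log from the W3SVC folder into `parse_w3c_log`; the field list is taken from the file, so custom field selections in IIS Manager still parse.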

70-290 Concepts: Server Performance and Troubleshooting

·          The Event Viewer can only open log files stored in the .evt format, but can save a log as .evt, .txt or .csv.

·          To view a subset of the entries in a log, apply a filter (View > Filter); columns can be sorted by clicking their headers.

·          System Monitor (perfmon.msc) displays both real-time and logged performance data; Task Manager displays a simpler subset.

·          Performance Logs and Alerts is the other node in the Performance MMC snap-in; it supports scheduled counter logs, trace logs, and alerts that fire an action (event log entry, network message, run a program, start a log) when a counter crosses a threshold. Log formats: .blg (binary), .csv, .tsv, or a SQL database.

·          You measure a computer’s performance by selecting performance objects, the counters of those objects, and, where applicable, instances of the selected objects (e.g. _Total or an individual processor or disk).

·          System Monitor opens with three default counters and their usual thresholds:

o    Memory: Pages/sec: should stay in the 0-20 range; sustained values above 20 indicate insufficient RAM (excessive paging)

o    Processor: % Processor Time (_Total): should remain consistently below 85%

o    PhysicalDisk: Avg. Disk Queue Length (_Total): should stay between 0-2; sustained values above 2 indicate a disk bottleneck

·          Task Manager > Networking tab: network utilization should stay below 30%

·          The Licensing icon in Control Panel configures licensing for the local server; the Licensing tool in Administrative Tools does it site- or enterprise-wide. You must be an administrator, and the License Logging service must be started (it is disabled by default on Server 2003).

·          IIS 6 and the Internet Printing Protocol (IPP) component must be installed on a server if you want users to connect to its printers over port 80 from a web browser (http://server01/printers and http://server01/printersharename/.printer).

·          For Windows Server Update Services (WSUS) to work, the target computer must have the Automatic Updates client installed. It is included in Windows 2000 SP3, XP SP1 and Server 2003; NT 4, ME and 9x are not supported. Two Group Policy settings are required: Configure Automatic Updates, and Specify intranet Microsoft update service location, both under Computer Configuration\Administrative Templates\Windows Components\Windows Update.

·          Use the runas command to run programs and utilities as a different user, e.g. runas /user:domain\username cmd. Log on with an ordinary account and use runas for the privileged tasks rather than working as an administrator all day.
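The three System Monitor thresholds above are phrased as "not constantly higher than", so a single spike is not a finding but a sustained run is. As an added example (not from the original page), the script below reads a Performance Logs and Alerts counter log saved in .csv format (the PDH-CSV layout: a timestamp column followed by one column per counter path) and reports only runs of consecutive samples above the threshold. The log content, server name and five-minute sample interval are constructed; the counter paths and thresholds are the ones the notes list.

```python
import csv
import io

# Thresholds from the notes: a sustained value beyond these points at a bottleneck.
THRESHOLDS = {
    r"\Memory\Pages/sec": 20.0,
    r"\Processor(_Total)\% Processor Time": 85.0,
    r"\PhysicalDisk(_Total)\Avg. Disk Queue Length": 2.0,
}

# Constructed counter log (PDH-CSV 4.0 layout as written by Performance Logs and Alerts).
# Pages/sec spikes once at 10:10; the CPU runs above 85% for four samples from 10:15.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\SERVER01\Memory\Pages/sec","\\SERVER01\Processor(_Total)\% Processor Time","\\SERVER01\PhysicalDisk(_Total)\Avg. Disk Queue Length"
"01/15/2006 10:00:00.000","3.2","45.1","0.8"
"01/15/2006 10:05:00.000","4.0","52.0","1.1"
"01/15/2006 10:10:00.000","28.5","60.3","0.9"
"01/15/2006 10:15:00.000","5.1","88.0","1.4"
"01/15/2006 10:20:00.000","3.9","91.5","1.0"
"01/15/2006 10:25:00.000","4.4","93.2","0.7"
"01/15/2006 10:30:00.000","3.0","89.7","0.6"
"01/15/2006 10:35:00.000","2.8","70.0","0.5"
'''


def counter_key(path):
    """Strip the machine prefix: \\SERVER01\Memory\Pages/sec -> \Memory\Pages/sec."""
    if path.startswith("\\\\"):
        rest = path[2:]
        return rest[rest.index("\\"):]
    return path


def parse_pdh_csv(text):
    """Return [(timestamp, {counter: value or None}), ...]. PDH leaves a blank or a
    space where a sample could not be collected; those become None, not zero."""
    reader = csv.reader(io.StringIO(text))
    keys = [counter_key(h) for h in next(reader)[1:]]
    rows = []
    for row in reader:
        if not row:
            continue
        values = {}
        for key, raw in zip(keys, row[1:]):
            try:
                values[key] = float(raw)
            except ValueError:
                values[key] = None
        rows.append((row[0], values))
    return rows


def sustained_breaches(rows, thresholds=THRESHOLDS, window=3):
    """{counter: [timestamp of the first sample of each run]} for every run of at least
    `window` consecutive samples above the threshold. Isolated spikes are ignored."""
    findings = {}
    for key, limit in thresholds.items():
        run_start, run_len = None, 0
        for ts, values in rows:
            value = values.get(key)
            if value is not None and value > limit:
                if run_len == 0:
                    run_start = ts
                run_len += 1
                if run_len == window:  # report once, when the run first qualifies
                    findings.setdefault(key, []).append(run_start)
            else:
                run_start, run_len = None, 0
    return findings


if __name__ == "__main__":
    for counter, starts in sustained_breaches(parse_pdh_csv(SAMPLE_LOG)).items():
        for ts in starts:
            print(f"{counter}: above {THRESHOLDS[counter]} for 3+ samples starting {ts}")
```

With a five-minute sample interval, `window=3` means fifteen minutes of sustained pressure before a counter is reported; tune the window to the log's interval rather than to a fixed sample count.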

70-290 Concepts: Storage

·          Basic disks use partitions, not volumes: up to four primary partitions, or three primary partitions plus one extended partition that holds logical drives.

·          Dynamic Disks use volumes, not partitions, and you can create: simple, spanned, striped, mirrored or RAID-5 volumes.

·          You can use either the Disk Management console or the diskpart.exe utility to work with disk storage.

·          FAT32 (vs FAT16) requires Windows 95 OSR2 or later; it uses 32-bit cluster addresses, supports volumes up to 2 TB, and uses smaller clusters (less slack space). Windows 2000/2003 will only format a FAT32 volume up to 32 GB, although they can mount larger ones.

·          Only Windows 2000 (Server/Professional) or later support dynamic disks (not XP Home, and not on portable computers).

·          Only Windows 2000 Server and Windows Server 2003 support the fault-tolerant volume types (mirrored and RAID-5); XP Professional can create simple, spanned and striped volumes but not mirrored or RAID-5.

·          You can convert a basic disk to dynamic without data loss; converting dynamic back to basic requires deleting every volume on the disk first, so it means data loss unless you restore from backup.

·          Use convert c: /fs:ntfs to convert a FAT or FAT32 volume to NTFS. The conversion is one way; there is no built-in conversion back.

·          When moving disks to another Windows Server 2003 computer, choose Action > Rescan Disks in Disk Management, then right-click any disk marked Foreign and select Import Foreign Disks.

·          Using diskpart.exe you can extend a basic partition, but it must be formatted NTFS, the free space must be contiguous on the same disk, and it must not be the system or boot partition.

·          Spanned volumes cannot be mirrored or striped, and spanned volumes are not fault tolerant

·          System volumes, boot volumes, striped volumes, mirrored volumes and RAID-5 volumes cannot be extended; only simple and spanned volumes can (extending a simple volume onto a second disk turns it into a spanned volume).

·          The boot partition or volume is the one holding the Windows Server 2003 operating system files (e.g. C:\Windows). The system partition or volume is the one holding the startup files (ntldr, ntdetect.com, ntbootdd.sys and boot.ini). This is the reverse of the “logical” answer!

·          Spanning uses two or more physical dynamic disks to increase the capacity of a single volume. Data is written linearly: nothing is stored on the second disk until the first is full. Benefit: more logical storage. No fault tolerance and no performance gain; if any member disk fails the whole volume is lost.

·          RAID-0 (striped) uses two or more physical dynamic disks and writes data in 64 KB stripes that alternate across the disks. The volume size equals the total space contributed by all members (each contributes an equal amount), and both read and write speed increase. No fault tolerance. To repair after a disk failure: install a new disk, upgrade it to dynamic, delete the volume, create a new striped volume, restore from backup.

·          RAID-1 (mirrored) uses two physical dynamic disks to store identical copies of the data simultaneously, giving redundancy; total storage equals the size of the smaller member. To repair: install a new disk, upgrade it to dynamic, remove the failed half (Remove Mirror, not Break Mirror, which keeps both halves as separate simple volumes), then right-click the surviving volume and choose Add Mirror, selecting the new disk.

·          RAID-5 (striping with parity) uses 3 to 32 physical dynamic disks; data is striped across the disks and the parity block for each stripe is written to a different disk in rotation. Loss of a single disk is recoverable (data on the missing disk is regenerated from parity until you repair the volume); loss of two or more disks is unrecoverable. Total storage equals the number of disks minus one, times the space each member contributes. Writes are slightly slower because parity must be computed.

70-290 Concepts: Networking/Terminal Services

·          Under Windows Server 2003, the default share permissions are Everyone: Allow Read (Windows 2000 gave Everyone Full Control)

·          Under Windows Server 2003, the default NTFS permissions on a new volume are Administrators, SYSTEM and CREATOR OWNER: Full Control; Users: Read & Execute (plus limited rights to create files and folders), not Modify


·          NTFS permissions are cumulative across the user’s groups, and an explicit Deny always overrides Allow. When a folder is reached through a share, the effective permission is the more restrictive of the share permission and the NTFS permission; when reached locally, only NTFS applies.

·          A share name cannot be renamed (stop sharing and share again under the new name); a share name ending in $ is hidden from browsing in My Network Places.

·          Disk quotas: Administrators are unlimited; quotas are assigned per user, per volume. They cannot be assigned to groups, and usage is charged on uncompressed file size regardless of NTFS compression.

·          Shadow Copies of Shared Folders automatically snapshot shared folders at scheduled times. The volume must be NTFS, it is configured per volume (schedule and storage area), pre-2003 clients need the Previous Versions client software installed, and the copies are reached through the UNC path (\\server\share) > Properties > Previous Versions.

·          Terminal Services (TS) licensing: Remote Desktop for Administration allows 2 concurrent remote sessions (plus the console) with no TS CAL; Terminal Server (application server) mode requires a TS CAL for every client device or user.

·          Terminal Services Manager lets you view, connect to, disconnect, log off, send a message to, and remote-control sessions.

·          Terminal Services Configuration controls the connection settings: Active Desktop, temporary folders, encryption level, local resource redirection, etc.

·          Use tsshutdn.exe instead of shutdown.exe on a terminal server: it notifies the connected remote users before the restart.

·          Enable or disable Remote Desktop on the server via right-click My Computer > Properties > Remote tab.

·          The Print Spooler service loads print jobs into memory and spools them to disk for printing; if printing hangs, restart the service.

·          Terminal Services license server discovery:

o    Terminal servers first check their registry for a pointer to a license server (the LicenseServers key); if there is none, they query

o    an Enterprise license server, which can run on a DC or a member server and registers itself in Active Directory for its own site only; if there is none, they query

o    a Domain license server, which in a domain must run on a domain controller to be discovered
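The share-versus-NTFS rule in this section (NTFS allows accumulate, Deny overrides, and the more restrictive of share and NTFS wins across the network) is easy to state and easy to get wrong when a user is in several groups. The following is an added example, not from the original page: a simplified model of the evaluation, using constructed ACLs for a share named \\SERVER01\Finance and the Server 2003 default share permission. The named levels are reduced to a handful of generic rights for illustration; the real NTFS access mask has more bits, but the combination rules are the same.

```python
# Generic rights that the named NTFS / share permission levels expand to (simplified model).
LEVELS = {
    "Read": {"read"},
    "Read & Execute": {"read", "execute"},
    "Write": {"write"},
    "Modify": {"read", "execute", "write", "delete"},
    "Change": {"read", "execute", "write", "delete"},  # share-level name for Modify
    "Full Control": {"read", "execute", "write", "delete", "change_permissions", "take_ownership"},
}

# Constructed ACLs for \\SERVER01\Finance. Each ACE is (principal, "allow"|"deny", level).
SHARE_ACL = [("Everyone", "allow", "Read")]  # Server 2003 default share permission
NTFS_ACL = [
    ("Administrators", "allow", "Full Control"),
    ("SYSTEM", "allow", "Full Control"),
    ("Users", "allow", "Read & Execute"),
    ("Finance", "allow", "Modify"),
    ("Temps", "deny", "Write"),  # explicit Deny: wins even though Finance allows write
]
# The share permission most admins end up setting so Finance can actually edit files.
SHARE_ACL_FIXED = [("Everyone", "allow", "Read"), ("Finance", "allow", "Change")]


def effective_acl(acl, principals):
    """Combine the ACEs that apply to the user or any of its groups: Allow entries
    accumulate, and any Deny removes the right no matter how many Allows grant it."""
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal not in principals:
            continue
        if kind == "allow":
            allowed |= LEVELS[level]
        elif kind == "deny":
            denied |= LEVELS[level]
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return allowed - denied


def effective_access(ntfs_acl, share_acl, principals, via_share=True):
    """Rights the user ends up with. Locally only NTFS counts; through the share the
    result is the intersection of NTFS and share rights (the more restrictive wins)."""
    ntfs = effective_acl(ntfs_acl, principals)
    if not via_share:
        return ntfs
    return ntfs & effective_acl(share_acl, principals)


if __name__ == "__main__":
    # A token is the user plus every group it belongs to (constructed memberships).
    alice = {"alice", "Everyone", "Users", "Finance"}
    bob = {"bob", "Everyone", "Users", "Finance", "Temps"}
    print("alice, default share :", sorted(effective_access(NTFS_ACL, SHARE_ACL, alice)))
    print("alice, locally       :", sorted(effective_access(NTFS_ACL, SHARE_ACL, alice, via_share=False)))
    print("alice, fixed share   :", sorted(effective_access(NTFS_ACL, SHARE_ACL_FIXED, alice)))
    print("bob (Temps), fixed   :", sorted(effective_access(NTFS_ACL, SHARE_ACL_FIXED, bob)))
```

With the default share permission even a member of Administrators only gets read access over the network, which is why Server 2003 changed the default: lock the share down to Read and grant the real rights in NTFS, or give specific groups Change on the share and let NTFS do the fine-grained work.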


70-290 Concepts: User/Groups/Computers

·          Active Directory under Windows Server 2003 supports four domain functional levels:

o    Windows 2000 mixed: allows Windows NT 4.0 BDCs alongside Windows 2000 and Server 2003 DCs (the default for a new domain)

o    Windows 2000 native: all domain controllers are Windows 2000 or later

o    Windows Server 2003 interim: only Windows NT 4.0 and Windows Server 2003 DCs, no Windows 2000 DCs (used only when upgrading an NT 4 domain directly to Server 2003)

o    Windows Server 2003: all domain controllers are Windows Server 2003

·          Raising the domain functional level is a one-way operation: you can only go up.

·          Windows Server 2003 supports three levels of Active Directory forest functionality:

o    Windows 2000: base level, domain controllers can be Windows NT 4.0, 2000 or Server 2003

o    Windows Server 2003 interim: domain controllers are Windows NT 4.0 or Server 2003 only, no Windows 2000 DCs

o    Windows Server 2003: all domain controllers are Windows Server 2003

·          You can create a user account in three different ways:

o    Create the user in AD using the ADUC (Active Directory Users and Computers) MMC snap-in

o    csvde.exe command-line tool

o    ldifde.exe command-line tool

·          csvde.exe imports objects from a CSV file (the first line names the AD attributes) and exports AD data to CSV. It can create objects but not modify or delete them, and it cannot set passwords, so imported users are created disabled.

·          ldifde.exe exports and imports AD data using the LDAP Data Interchange Format (LDIF); unlike csvde it can also modify and delete existing objects.

·          You can create a computer account in three ways:

o    Log on to each workstation and join it to the domain

o    Pre-stage the computer in AD using the ADUC (Active Directory Users and Computers) MMC snap-in

o    Pre-stage the computer using the dsadd computer command-line utility

·          A non-administrator can join up to 10 computers to the domain with ordinary credentials (the Add workstations to domain user right, limited by the ms-DS-MachineAccountQuota attribute, default 10)

·          You need to reset the computer account in Active Directory (right-click the computer in ADUC > Reset Account, or netdom reset) if:

o    The session setup from the computer domain member fails to authenticate: “The following error occurred: Access is denied.”

o    NETLOGON event ID 3210: failed to authenticate with \\domaindc.

·          Groups can be created as:

o    Security groups, which define logical groups of objects, may be nested, and can also be used as e-mail distribution lists.

o    Distribution groups, which are used only for e-mail distribution and cannot be assigned permissions.

o    You can change a group’s type (or scope) at any time provided the domain is at Windows 2000 native or higher.

·          Universal security groups exist only in Windows 2000 native or higher; in Windows 2000 mixed, universal groups can only be distribution groups, and nesting of global groups is not available.

·          Single domain: A-G-DL-P: Accounts are placed in Global groups, Global groups in Domain Local groups, and Permissions on resources are assigned to the domain local groups.

·          Multiple domains: A-G-U-DL-P: Accounts are placed in Global groups, which are nested in Universal groups, which are placed in Domain Local groups, which are assigned Permissions on the local resources.
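The csvde/ldifde bullets above describe the tools but not the file they consume. As an added example, not part of the original page, the script below turns a constructed HR-style CSV into the LDIF that ldifde.exe -i -f users.ldf imports: one change record per user, the DN built from the name and OU, the RDN escaped where the value contains DN separators, and userAccountControl set to 514 (normal account, disabled) because neither tool can set a password over plain LDAP. The domain contoso.com, the OU names and the users are assumptions; the attribute names are the standard AD ones.

```python
import base64
import csv
import io

# Constructed input: the kind of CSV an HR system exports. Note the quoted surname
# containing a comma, which would break the DN if copied in unescaped.
SAMPLE_CSV = """\
given,surname,sam,ou
Alice,Smith,asmith,Finance
Bob,O'Brien,bobrien,Sales
Carla,"Ruiz, Jr.",cruiz,Finance
"""

DN_SPECIALS = ',+"\\<>;='  # characters that must be backslash-escaped inside an RDN value


def escape_dn_value(value):
    """Escape an RDN value so it stays one value (RFC 4514 rules: separators, leading
    '#' or space, trailing space)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name, value):
    """One LDIF attribute line, switching to the base64 ('::') form for values that are
    not safe ASCII (non-ASCII names, leading space/colon/<, trailing space)."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_to_ldif(row, domain_dn, upn_suffix):
    """LDIF change record creating one disabled user object."""
    display = f"{row['given']} {row['surname']}"
    dn = f"CN={escape_dn_value(display)},OU={escape_dn_value(row['ou'])},{domain_dn}"
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectClass: user",
        ldif_attr("cn", display),
        ldif_attr("sAMAccountName", row["sam"]),
        ldif_attr("userPrincipalName", f"{row['sam']}@{upn_suffix}"),
        ldif_attr("givenName", row["given"]),
        ldif_attr("sn", row["surname"]),
        ldif_attr("displayName", display),
        # 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2): no password can be set this
        # way, so the account must stay disabled until one is assigned.
        "userAccountControl: 514",
    ]
    return "\n".join(lines) + "\n"


def ldif_from_csv(csv_text, domain_dn="DC=contoso,DC=com", upn_suffix="contoso.com"):
    """Whole LDIF file: one record per CSV row, separated by blank lines."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return "\n".join(user_to_ldif(r, domain_dn, upn_suffix) for r in rows)


if __name__ == "__main__":
    print(ldif_from_csv(SAMPLE_CSV))
```

After the import, set each password and enable the account (ADUC, or dsmod user -pwd and -disabled no); leaving imported accounts disabled until then is the point of the 514, not an oversight.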

70-294 Concepts: Active Directory Restore

  • Deleted OU that has already replicated: perform an authoritative restore (not LostAndFound; use this when the option below is not offered)
  • Deleted OU that has already replicated: perform a non-authoritative restore, then mark just that OU as authoritative with ntdsutil (more granular than the above; prefer it when it is offered as an answer)
  • Failed hard drive on one DC in a multi-DC environment: non-authoritative restore (the other DCs replicate the current directory state back to it)
  • Any restore of AD requires Directory Services Restore Mode (DSRM): the DC boots with its local SAM and the DSRM administrator password; no GPOs are applied
  • Safe mode still starts AD, but does not apply GPOs on the DC
  • Use ntdsutil (set dsrm password) to reset the DSRM password; it is per DC, so do it on each DC separately
  • The tombstone lifetime must be greater than the backup interval, or a backup older than the tombstone lifetime cannot be restored. Modify it with ADSI Edit, a script, or ldp.exe (default 60 days; 180 days for forests created on Server 2003 SP1 or later)

70-294 Concepts: Organizational Unit Design

When designing your organizational units within a domain:

  • Design first based on administrative needs (delegation and Group Policy), not the org chart
  • Lay out a consistent hierarchy:
    • Nested/layered/hybrid designs are fine (physical site under business unit, business unit under site, etc.)
    • Avoid mixing design types at the same level (site OUs next to business-unit OUs); mixing them hierarchically is fine
    • If using sites for OUs, do not omit a site (the same goes for business units)
  • Use OUs with delegation of authority instead of child domains when possible (q89)
  • When multiple administrators work in AD and one moves objects into an OU that another has just deleted (before the DCs have replicated), the orphaned objects land in the LostAndFound container.
  • If you delete an OU, its contents go with it (except as above)
  • Windows 2000 replicates group membership as one multi-valued attribute; at the Windows Server 2003 forest functional level, linked-value replication replicates individual member values instead, reducing the replication collisions that are otherwise resolved as last writer wins

70-294 Concepts: Preferred Bridgehead Server

Here are the design considerations when evaluating a Preferred Bridgehead Server for multi-site deployments of Active Directory:

  • It is best practice to have more than one bridgehead server per site.
  • But if you want to “control” or “manage” site-to-site replication, you must choose only one preferred bridgehead server.
  • If replication fails in a 3+ site environment with preferred bridgehead servers, change the preferred bridgehead server. On a network that is not fully IP-routable, a site may only be able to replicate via another (working) site, and the failed PBHS may reside there.
  • To avoid a single point of failure with a PBHS, either designate multiple PBHS per site or designate none (and let the KCC/ISTG choose); the latter reduces your control over replication.
  • If a DC that is also an application server performs poorly, make another DC the PBHS, typically the RRAS DC if there is one.
  • Use a PBHS to control replication traffic, not as a way of placing the GC.
  • A PBHS can be configured for IP and/or SMTP (separately).
  • Use IP by default; use SMTP for unreliable connections.
  • SMTP replication requires certificates, so it requires an Enterprise Certificate Authority (ECA).

70-294 Concepts: Active Directory Site Links

When designing Active Directory site links:

  • On networks that are not fully IP-routed, disable automatic site link bridging (the Bridge all site links option) and create explicit site link bridges
  • A site link is a set of sites that can communicate with each other at a uniform cost; the KCC uses site links (and bridges) to compute redundant replication paths between the sites in a link
  • In a fully routed network you do not need site link bridges unless you want to specifically control the flow of replication changes.
  • Site links control which sites are connected and at what cost, but do not directly control which servers replicate with one another; that is the role of a preferred bridgehead server
  • Best practice: create site links from corporate to each branch (hub and spoke); there is little benefit in a tiered chain corp->branch->branch
  • You cannot usefully create a site link between networks that are not IP-routed to each other; the site link does not create the route
  • Site link bridging is used when an IP network is not fully routed, or when replication is not converging properly (sites 2+ hops away)
  • Sites and site links are forest-wide (stored in the Configuration partition) and independent of domain boundaries, but replication of a domain partition between two sites still needs a DC of that domain at each end
  • If two sites holding DCs of one domain are separated by a site that holds only DCs of another domain, and the network is not fully routed, you need either a DC of the first domain in the middle site or a routable path
  • Use IP replication between sites of the same domain: SMTP can replicate only the schema, configuration and global catalog partial attribute set, never the domain partition

70-294 Concept: FSMO > Infrastructure Master

Here are the design considerations surrounding the FSMO role Infrastructure Master:

  • This FSMO role updates cross-domain object references (e.g. members of a group who belong to another domain) when those objects are renamed or moved, by comparing its data with a global catalog
  • Commonly placed with the RID master (the RID master goes where most objects are created)
  • Should not be on a GC server, unless every DC in the domain is a GC (or the forest has only one domain); on a GC it never sees stale references and stops updating them

Exam Alert: In general, FSMO roles should never be placed “anywhere”; they should always be placed somewhere intentionally. Yet sometimes the “best answer” is “any other domain controller”.
