PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright © 2004 by Microsoft Corporation

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Cataloging-in-Publication Data
Holme, Dan
MCSA/MCSE Self-Paced Training Kit: Upgrading Your Certification to Microsoft Windows Server 2003: Managing, Maintaining, Planning, and Implementing a Microsoft Windows Server 2003 environment: Exams 70-292 and 70-296 / Dan Holme, Orin Thomas.
p. cm.
Includes index.
ISBN 0-7356-1971-9
1. Electronic data processing personnel--Certification. 2. Microsoft software--Examinations--Study guides. 3. Microsoft Windows server. I. Thomas, Orin, 1973- II. Title.
QA76.3.H669 2003
005.4'4765--dc22 2003058833

Printed and bound in the United States of America.

1 2 3 4 5 6 7 8 9 QWT 8 7 6 5 4 3

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to [email protected].

Microsoft, Microsoft Press, Active Directory, ActiveX, FrontPage, IntelliMirror, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Windows, Windows Media, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Acquisitions Editor: Kathy Harding
Project Editor: Karen Szall
Technical Editor: Robert Lyon

Body Part No. X10-00025

Dan Holme

A graduate of Yale University and Thunderbird, the American Graduate School of International Management, Dan has spent 10 years as a consultant and a trainer, delivering solutions to tens of thousands of IT professionals from the most prestigious organizations and corporations around the world. His clients have included AT&T, Compaq, HP, Boeing, Home Depot, and Intel, and he has recently been involved supporting the design and implementation of Active Directory at enterprises including Raytheon, ABN AMRO, Johnson & Johnson, Los Alamos National Laboratories, and General Electric. Dan is the Director of Training Services for Intelliem, which specializes in boosting the productivity of IT professionals and end users by creating advanced, customized solutions that integrate clients’ specific design and configuration into productivity-focused training and knowledge management services ([email protected]). From his base in sunny Arizona, Dan travels to client sites around the world and then unwinds on his favorite mode of transportation—his snowboard. It takes a village to raise a happy geek, and Dan sends undying thanks and love to those, without whom, sanity would be out of reach: Lyman, Barb & Dick, Bob & Joni, Stan & Marylyn & Sondra, Mark, Kirk, John, Beth, Dan & June, Lena and the entire crazy commando crew.

Orin Thomas

Orin is a writer, an editor, and a systems administrator who works for the certification advice Web site Certtutor.net.
His work in IT has been varied: he’s done everything from providing first-level networking support to acting in the role of systems administrator for one of Australia’s largest companies. He has authored several articles for technical publications as well as contributing to The Insider’s Guide to IT Certification. He holds the MCSE, CCNA, CCDA, and Linux+ certifications. He holds a bachelor’s degree in science with honors from the University of Melbourne and is currently working toward the completion of a Ph.D. in Philosophy of Science. Orin would like to thank his beautiful, amazing wife, Oksana, for being more wonderful and loving than he could ever have dreamed. Orin wants to thank their son, Rooslan, for making fatherhood so easy and fun. He would also like to thank the following friends and family: Ma, Mick, Lards, Gillian, Lee, Neil, Will, Jon, Alexander, Irina, Stas, and Kasia as well as the entire Certtutor.net tutor team, who offer great free advice to those who are interested in getting certified.

Contents at a Glance

Part 1 Learn at Your Own Pace

1 Introduction to Windows Server 2003
2 Implementing an Active Directory Infrastructure
3 Managing and Maintaining an Active Directory Implementation
4 Managing Users, Groups, and Computers
5 Planning, Implementing, and Troubleshooting Group Policy
6 Managing the User Environment with Group Policy
7 Planning a Host Name Resolution Strategy
8 Implementing, Managing, and Maintaining Name Resolution
9 Planning and Implementing Server Roles and Security
10 Managing and Maintaining a Server Environment
11 Securing Network Communication
12 Creating and Managing Digital Certificates
13 Managing and Implementing Disaster Recovery
14 Clustering Servers

Part 2 Prepare for the Exam

15 Exam 70-292—Managing Users, Computers, and Groups (1.0)
16 Exam 70-292—Managing and Maintaining Access to Resources (2.0)
17 Exam 70-292—Managing and Maintaining a Server Environment (3.0)
18 Exam 70-292—Managing and Implementing Disaster Recovery (4.0)
19 Exam 70-292—Implementing, Managing, and Maintaining Name Resolution (5.0)
20 Exam 70-292—Implementing, Managing, and Maintaining Network Security (6.0)
21 Exam 70-296—Planning and Implementing Server Roles and Server Security (1.0)
22 Exam 70-296—Planning, Implementing, and Maintaining a Network Infrastructure (2.0)
23 Exam 70-296—Planning, Implementing, and Maintaining Server Availability (3.0)
24 Exam 70-296—Planning and Maintaining Network Security (4.0)
25 Exam 70-296—Planning, Implementing, and Maintaining Security Infrastructure (5.0)
26 Exam 70-296—Planning and Implementing an Active Directory Infrastructure (6.0)
27 Exam 70-296—Managing and Maintaining an Active Directory Infrastructure (7.0)
28 Exam 70-296—Planning and Implementing User, Computer, and Group Strategies (8.0)
29 Exam 70-296—Planning and Implementing Group Policy (9.0)
30 Exam 70-296—Managing and Maintaining Group Policy (10.0)

Practices

Verifying System Compatibility with Windows Server 2003
Exploring Windows Server 2003 New Features
Installing Active Directory, Configuring a Global Catalog Server, and Enabling Universal Group Membership Caching
Raising Forest and Domain Functional Levels
Managing Trust Relationships and UPNs
Installing and Using the Active Directory Schema Snap-In
Backing Up Active Directory
Creating and Managing User Objects
Changing the Group Type and Scope
Securing and Troubleshooting Authentication
Implementing and Testing a GPO
Generating RSoP Queries
Managing Special Folders
Deploying Software with Group Policy
Specifying DNS Requirements
Designing a DNS Namespace
Understanding DNS Server Functions
Creating a Zone
Understanding DNS Security Techniques
Installing and Configuring a DNS Server
Deploying a Secondary DNS Server
Creating a Zone Delegation
Deploying a Stub Zone
Deploying Role-Based Security Using Group Policy
Security Templates
Remote Desktop For Administration
Preparing Terminal Server
Administering IIS
Creating an IPSec Policy
Viewing a Certificate
Installing a Windows Server 2003 Certification Authority
Requesting a Certificate
Performing Different Backup Types
Restoring Data
Advanced Backup and Restore
Recovering from System Failure
Creating a Network Load Balancing Cluster
Creating a Single Node Cluster

Tables

Table 1-1 Windows Server 2003 Hardware Requirements
Table 1-2 Windows Server 2003 Supported Upgrade Paths
Table 2-1 Features Enabled by Domain Functional Level
Table 2-2 Features Enabled by Forest Functional Levels
Table 3-1 Netdom Trust Command Parameters
Table 4-1 User Properties on the First Page of the New Object–User Dialog Box
Table 4-2 User Properties on the Second Page of the New Object–User Dialog Box
Table 4-3 User Account Properties
Table 4-4 Parameters for the Dsquery.exe Command
Table 4-5 Group Scope and Allowed Objects
Table 4-6 Windows Server 2003 Default Groups, Builtin Container
Table 4-7 Windows Server 2003 Default Groups, Users Container
Table 4-8 Windows Server 2003 Special Identities
Table 4-9 Ldifde.exe Switches
Table 4-10 Password Policies
Table 4-11 Account Lockout Policies
Table 4-12 Kerberos Policies
Table 5-1 Windows Server 2003 Default Administrative Templates
Table 5-2 Default GPO Permissions
Table 5-3 Permissions for GPO Scopes
Table 5-4 RSoP Query Results Column Descriptions for Software Settings
Table 5-5 RSoP Query Results Column Descriptions for Scripts
Table 5-6 RSoP Query Results Tab Descriptions for Administrative Templates
Table 5-7 Gpresult Command Parameters
Table 5-8 Group Policy Object Editor Console Troubleshooting Scenarios
Table 5-9 Group Policy Settings Troubleshooting Scenarios
Table 5-10 Results of Your Investigation
Table 6-1 Effects of Policy Removal Options
Table 6-2 Folder Redirection and Offline Files Troubleshooting Scenarios
Table 6-3 Software Deployment Approaches
Table 6-4 Strategies and Considerations for Deploying Software
Table 6-5 Software Deployment Troubleshooting Scenarios
Table 6-6 Software Restriction Policies Troubleshooting Scenarios
Table 6-7 Wide World Importers Network Structure
Table 8-1 Typical Resource Record Fields
Table 8-2 Zone Replication Options
Table 8-3 Default DNS Installation Settings
Table 8-4 Name-Checking Methods
Table 9-1 Typical Member Server Service Assignments
Table 10-1 Common MMC Menus and Commands
Table 10-2 MMC User Modes
Table 10-3 Default Components of Terminal Server and Remote Desktop For Administration
Table 10-4 Remote Desktop Client-Side Settings
Table 10-5 Remote Desktop Server-Side Settings
Table 10-6 IIS Directory Permissions
Table 10-7 IIS Application Execute Permissions
Table 11-1 Network Security Protocols
Table 12-1 Sample Certificate Plan
Table 12-2 Advantages and Disadvantages of Internal and External CAs
Table 14-1 Number of Nodes Supported When Scaling Out a Cluster
Table 14-2 System Limitations When Scaling Up a Cluster
Table 14-3 NLB Configuration Advantages and Disadvantages

Troubleshooting Labs

Chapter 3, Chapter 4, Chapter 5, Chapter 6, Chapter 7, Chapter 8, Chapter 9, Chapter 10, Chapter 11, Chapter 12, Chapter 13, Chapter 14

Case Scenario Exercises

Chapter 1, Chapter 2, Chapter 3, Chapter 4, Chapter 5, Chapter 6, Chapter 7, Chapter 8, Chapter 9, Chapter 10, Chapter 11, Chapter 12, Chapter 13, Chapter 14