CertCities.com -- The Ultimate Site for Certified IT Professionals
70-291: Underpinnings of a Windows 2003 Network
This Microsoft exam requires you to show expertise with TCP/IP, DNS, DHCP, RRAS and ISA Server, as well as a few services not mentioned on the objectives list.


by Andy Barkl

10/8/2003 -- Exam 70-291 is similar to 70-218, Managing a Microsoft Windows 2000 Network Environment, which is required for Windows 2000 MCSAs. I took the exam in its beta form, but it was made available August 14 (see "Exams 70-290, 70-291 Debut Aug. 14," in News). In this review, I'll walk you through the study areas I believe you should focus on in your preparation.

IP Addressing
The first exam objective that Microsoft lists is Implementing, Managing, and Maintaining IP Addressing. For this test you'll be expected to demonstrate knowledge of TCP/IP addressing and all facets of DHCP, including scopes, relay agents, reservations, databases, Automatic Private IP Addressing (APIPA) and a little troubleshooting of all the above.

You may find a few subnetting questions, misconfigured subnet masks and gateways, the ever-present APIPA "default" addressing (169.254.x.x) and ipconfig results with errors to diagnose.
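The checks behind those "diagnose the ipconfig output" questions can be written down directly. The following is an added example, not part of the original review; the function name, finding codes and sample adapter values are constructed for illustration.

```python
import ipaddress

APIPA = ipaddress.ip_network("169.254.0.0/16")  # Automatic Private IP Addressing range

def diagnose(ip, mask, gateway=None):
    """Return a list of (code, detail) findings for one adapter's IPv4 settings."""
    try:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        gw = ipaddress.ip_address(gateway) if gateway else None
    except ValueError as exc:
        # Malformed addresses and non-contiguous masks (e.g. 255.255.0.255) land here.
        return [("bad-address-or-mask", str(exc))]

    net = iface.network
    if iface.ip in APIPA:
        # The client self-assigned an address; a gateway is not expected in this state.
        return [("apipa", "no DHCP lease: check the DHCP server, scope and relay agent")]

    findings = []
    if net.prefixlen < 31:
        if iface.ip == net.network_address:
            findings.append(("network-address", f"{iface.ip} is the network ID of {net}"))
        elif iface.ip == net.broadcast_address:
            findings.append(("broadcast-address", f"{iface.ip} is the broadcast of {net}"))
    if gw is None:
        findings.append(("no-gateway", "off-subnet destinations are unreachable"))
    elif gw not in net:
        findings.append(("gateway-off-subnet", f"{gw} is outside {net}: wrong mask or gateway"))
    elif gw == iface.ip:
        findings.append(("gateway-is-self", "default gateway equals the host address"))
    return findings

if __name__ == "__main__":
    # Constructed sample adapters: (IP address, subnet mask, default gateway)
    adapters = [
        ("10.1.4.20", "255.255.252.0", "10.1.7.254"),     # healthy /22
        ("10.1.4.20", "255.255.255.0", "10.1.7.254"),     # mask too long for this gateway
        ("169.254.17.3", "255.255.0.0", None),            # APIPA fallback
        ("192.168.1.10", "255.255.0.255", "192.168.1.1"), # non-contiguous mask
    ]
    for ip, mask, gw in adapters:
        print(ip, mask, gw, "->", diagnose(ip, mask, gw) or "ok")
```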

When it comes to DHCP, not much has changed in Windows 2003. You'll need to display knowledge of server placement (local, remote or in the middle). If you place servers locally, DORA (Discover, Offer, Request and Acknowledgements) traffic remains on the segment. To cover the case where the local server is unavailable or out of addresses, the recommended 75/25 rule should be followed: Place 75 percent of your scope's addresses on the local server and 25 percent as backup on a remote-segment server.

Tip: Windows 2003 DHCP can use Windows Clustering. This allows two or more servers to be managed as a single system and allows a local backup server.

You should know how to calculate, configure and troubleshoot such a split. Configuring scopes with options such as router (003), DNS server address, domain name and WINS (044 and 046), and understanding the default name resolution order, are required knowledge for this exam. The DNS name resolution order is: local cache, hosts file, DNS, WINS, broadcast and LMHOSTS file.
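To make the 75/25 split concrete, the added example below (not from the original review) plans the exclusion ranges and then checks a pair of servers for overlapping or unserved addresses. It assumes the common approach of giving both servers the same scope and having each exclude the other's share; the function names and the sample range are constructed.

```python
import ipaddress

def _n(addr):
    return int(ipaddress.IPv4Address(addr))

def _a(num):
    return str(ipaddress.IPv4Address(num))

def plan_split(first, last, local_pct=75):
    """Same scope on both servers; each server excludes the other's share."""
    start, end = _n(first), _n(last)
    total = end - start + 1
    local_count = total * local_pct // 100
    if total < 2 or not 0 < local_count < total:
        raise ValueError("scope too small to split")
    boundary = start + local_count  # first address owned by the remote server
    return {
        "scope": (first, last),
        "local_exclude": [(_a(boundary), _a(end))],
        "remote_exclude": [(_a(start), _a(boundary - 1))],
    }

def leasable(scope, exclusions):
    """Addresses a server can actually hand out: scope minus exclusion ranges."""
    pool = set(range(_n(scope[0]), _n(scope[1]) + 1))
    for lo, hi in exclusions:
        pool -= set(range(_n(lo), _n(hi) + 1))
    return pool

def check_split(scope, local_exclude, remote_exclude):
    """Troubleshooting view: overlap means two servers can lease the same address."""
    local = leasable(scope, local_exclude)
    remote = leasable(scope, remote_exclude)
    everything = leasable(scope, [])
    return {
        "local": len(local),
        "remote": len(remote),
        "overlap": [_a(n) for n in sorted(local & remote)],
        "unserved": [_a(n) for n in sorted(everything - local - remote)],
    }

if __name__ == "__main__":
    # Constructed sample scope of 200 addresses.
    plan = plan_split("192.168.1.10", "192.168.1.209")
    print(plan)
    print(check_split(plan["scope"], plan["local_exclude"], plan["remote_exclude"]))
    # Constructed misconfiguration: the remote exclusion stops ten addresses short.
    print(check_split(plan["scope"], plan["local_exclude"],
                      [("192.168.1.10", "192.168.1.149")]))
```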

Table 1. Requirements for each of the certification paths. Exam 70-291 satisfies a core requirement for the MCSA-Windows 2003 and MCSE-Windows 2003.

Core Exams, MCSA-Windows 2003
  70-290: Managing and Maintaining a Windows Server 2003 Environment
  70-291: Implementing, Managing and Maintaining a Windows Server 2003 Network Infrastructure
  Core Client (take one)
    70-210: Installing, Configuring and Administering Windows 2000 Professional
    70-270: Installing, Configuring and Administering Windows XP Professional

Core Exams, MCSE-Windows 2003
  70-290: Managing and Maintaining a Windows Server 2003 Environment
  70-291: Implementing, Managing and Maintaining a Windows Server 2003 Network Infrastructure
  70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure
  70-294: Planning, Implementing and Maintaining a Windows Server 2003 Active Directory Infrastructure
  Core Client (take one)
    70-210: Installing, Configuring and Administering Windows 2000 Professional
    70-270: Installing, Configuring and Administering Windows XP Professional
  Core Design (take one)
    70-297: Designing a Windows Server 2003 Active Directory and Network Infrastructure (Note: May be used as Design requirement or elective, but not both)
    70-298: Designing Security for a Windows Server 2003 Network (Note: May be used as Design requirement or elective, but not both)

Accelerated Path, MCSA-Windows 2000
  70-292: Managing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000
  No other core or elective requirements necessary for MCSA-Windows 2000.

Accelerated Path, MCSE-Windows 2000
  70-292: Managing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000
  70-296: Planning, Implementing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000
  No other core or elective requirements necessary for MCSE-Windows 2000.

Normal Path, MCSA-Windows 2000
  70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure
  70-294: Planning, Implementing and Maintaining a Windows Server 2003 Active Directory Infrastructure
  No additional Core Client Exam required.
  Core Design (take one)
    70-297: Designing a Windows Server 2003 Active Directory and Network Infrastructure (Note: May be used as Design requirement or elective, but not both)
    70-298: Designing Security for a Windows Server 2003 Network (Note: May be used as Design requirement or elective, but not both)

Name Resolution
The next exam objective listed is Implementing, Managing and Maintaining Name Resolution. This is all about DNS. Windows 2003 offers a new zone type that you'll want to study and try out, the stub zone, and a feature called Conditional Forwarding.

As Bill Boswell explains in his book, Inside Windows Server 2003, "A stub zone is used in place of delegation records when configuring a parent DNS server to send referrals to delegated DNS servers in a child domain." A stub zone contains a copy of a zone with only the original zone's start of authority (SOA) and name server (NS) records, that is, the authoritative servers for the zone and the resource records needed to identify those servers.

A DNS server that is hosting a stub zone is configured with the IP address of the authoritative server from which it loads. When this server receives a query for a name-to-IP resolution in the zone to which the stub zone refers, the server uses the IP address to query the authoritative server and returns a referral to the DNS server listed in the stub zone.

When a DNS server loads a stub zone, it queries the zone's primary servers for SOA records, NS records at the zone's root and host records. To update its records, the stub-DNS server queries the primary servers for the resource records.

You can use stub zones to ensure that the server that is authoritative for a parent zone automatically receives updates about the servers that are authoritative for a child zone. To do this, you add the stub zone to the server that is hosting the parent zone. Stub zones can be either stand-alone or Active Directory-integrated.

Although Microsoft recommends conditional forwarding for making servers aware of other namespaces, you can use stub zones instead.

Conditional forwarding allows control of the name resolution process beyond the default forwarding that occurs between non-root and root name servers.

When you use conditional forwarding, DNS servers can be configured to forward queries to different servers based on the domain name in the query. This eliminates steps in forwarding and reduces network traffic. This is especially useful during a network merger.
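How a server with conditional forwarders decides where a query goes can be sketched in a few lines. This is an added example, not from the original review, and it goes slightly beyond the text: it assumes zones hosted on the server are answered first, the most specific matching forwarder domain wins, and root hints are used only when no forwarder is configured. All zone names and addresses are constructed.

```python
def _norm(name):
    return name.rstrip(".").lower()

def best_suffix(qname, domains):
    """Longest entry in `domains` that matches qname on a label boundary, or None."""
    labels = _norm(qname).split(".")
    known = {_norm(d) for d in domains}
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # longest suffix is tried first
        if candidate in known:
            return candidate
    return None

def route_query(qname, local_zones, conditional, forwarders):
    """Return (path, matched_domain, servers) for one incoming query name."""
    zone = best_suffix(qname, local_zones)
    if zone:
        return ("local-zone", zone, [])  # answered from zone data on this server
    domain = best_suffix(qname, conditional)
    if domain:
        table = {_norm(k): v for k, v in conditional.items()}
        return ("conditional-forwarder", domain, table[domain])
    if forwarders:
        return ("forwarder", ".", forwarders)
    return ("root-hints", ".", [])

# Constructed configuration for a merger scenario (documentation address ranges).
LOCAL_ZONES = ["corp.example"]
CONDITIONAL = {
    "partner.example": ["198.51.100.53"],
    "lab.partner.example": ["198.51.100.153"],
}
FORWARDERS = ["203.0.113.53"]

if __name__ == "__main__":
    for name in ("www.corp.example", "db1.lab.partner.example.",
                 "mail.partner.example", "notpartner.example", "www.example.org"):
        print(name, "->", route_query(name, LOCAL_ZONES, CONDITIONAL, FORWARDERS))
```

Matching on whole labels matters: a name such as notpartner.example must not be sent to the servers configured for partner.example.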

Tip: Integrated DNS zones offer fault tolerance through Active Directory.
DNS AD-integrated zones support the secure dynamic update option, which prevents computers and users not listed in the zone's ACL from changing zone records.

NSlookup, Event Viewer, System Monitor and DNS logs are the tools included with Windows Server to troubleshoot name resolution problems. NSlookup is the best bet; it's used to manually query name servers for resolution. The DNS log in Event Viewer often holds the key to ongoing or past problems. System Monitor is a "live" tool to find performance problems. DNS logs can indicate management problems such as failed zone transfers.

Requirements Spelled Out

Exam 70-291 is a core requirement for anyone wanting to be certified as an MCSA or MCSE on Windows Server 2003. Of course, if you're already certified on Windows 2000, you can bypass this one and go straight to 70-292 for the MCSA upgrade or 70-292 and 70-296 for the MCSE upgrade. These exams won't encompass a beta testing period since they'll include questions from other Windows 2003 exams such as this one.

Network Security
Next up: Implementing, Managing and Maintaining Network Security. Here you may find questions about security templates, IPSec monitoring and troubleshooting with Event Viewer and Network Monitor.

To apply an IPSec policy in a domain environment, you must understand IPSec policy precedence. Unlike most Group Policy settings, which are cumulative, only one IPSec policy can be assigned to a computer at a time. If there are multiple IPSec policies assigned at different levels, the last one applied is the one that takes effect. IPSec policy uses the same precedence sequence as other Group Policy settings, which is from lowest to highest—local, GPO, site, domain and then OU.

New to Windows 2003, you can use RSoP (Resultant Set of Policy) to analyze IPSec policy assignments. RSoP is a Group Policy snap-in used to view IPSec policy assignments for a computer.

Tip: Using the Event Viewer Application log, you can begin the process of troubleshooting when it comes to IPSec. Read carefully, understand the question and view the exhibit to help make sense of the vague Event Viewer screenshots!

Network Monitor is a preferred tool for viewing real-time captured network data. It can also assist when troubleshooting IPSec. Know the basics of this tool for this exam and make sure to get hands-on experience, which will allow you to retain what you have learned.

A New Type of Question

Exam 70-291 includes a new question type from Microsoft (see figure). The screen is split into three areas with the question at the top, pick-and-place items on the bottom left and configuration screens on the bottom right.

Hot Area Question Type
A new question type splits the screen in three sections, which will require considerable scrolling action on small displays.

The areas are resizable just like frames of a Web page. This means you may have to do lots of scrolling and careful reading during the exam since many testing centers have smaller monitors than we're accustomed to on our desks. Many of the questions require selecting the correct button or checkbox on a simulated product screenshot.

Microsoft offers a demo of all the new question types at http://www.microsoft.com/traincert/mcpexams/faq/innovations.asp.

Routing and Remote Access
Implementing, Managing, and Maintaining Routing and Remote Access was the objective where I found the most questions on the beta exam. You may find questions in this area about ISA Server and wireless LANs.

Windows 2003 RRAS includes support for PPTP and L2TP-based VPNs. However, if you use L2TP-based clients or servers behind a network address translation (NAT) router, both must support IPSec NAT traversal, which is now available. Either way, you need to understand a little about certificate services to deploy secure VPN connections.

Once a certification authority is present on the network, a client computer in a Windows 2003 domain can use auto-enrollment or the Certificates snap-in to install a certificate. Or users can use their Web browsers to connect to the CA server at servername/certsrv. They follow the steps to request a certificate and install it on their computers. Certificates are managed from the CA server, which includes the Certificate Revocation List (CRL). This can be used to revoke certificates for VPN remote access when security is compromised.

Controlling access to RRAS can be done with remote access policies. They include the ability to filter by such things as time of day and profiles to limit connections for a specific type of authentication.

Tip: You can increase the security and manageability of RRAS servers by using Internet Authentication Service (IAS) to centralize VPN or dial-up networking authentication, authorization and accounting.

70-291: Windows Server 2003 Network Infrastructure

Exam Title
Implementing, Managing and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Status
Live on August 14, 2003.

Reviewer's Rating
"This exam requires you to show expertise with TCP/IP, DNS, DHCP, RRAS, ISA Server and a few topics not listed within the exam objectives, such as deploying wireless LANs."

Who Should Take It
Core for MCSA and MCSE on Windows Server 2003.

Preparation Guide
http://www.microsoft.com/traincert/exams/70-291.asp

IAS now supports authentication, authorization and accounting for wireless connections that use the IEEE 802.1X standard.

This new standard adds another layer of security to wireless networks and is also built into Windows XP (Wireless Zero Configuration (WZC) is also included, which is a great feature).

Tech Note: The 802.1X standard defines port-based network access control to provide authenticated access for Ethernet networks. This port-based network access control uses the physical characteristics of the switched LAN infrastructure to authenticate devices attached to a LAN port. Access to the port can be denied if the authentication process fails.

The wireless AP used must support configuration as a RADIUS client and Wired Equivalent Privacy (WEP) with 802.1X authentication. The Microsoft 802.1X Authentication Client provides support for computers running many different versions of Windows all the way back to NT. (You can download this supported client from www.microsoft.com/windows2000/server/evaluation/news/bulletins/8021xclient.asp.)

New GPO settings allow you to pre-configure a user's WLAN network connection type, ad hoc or infrastructure, network name (SSID), WEP settings, access control using 802.1X and authentication methods and settings.

Tip: To support a secure wireless solution with Windows 2003, you need: AD, DNS, DHCP, RADIUS, a PKI and EAP-TLS or PEAP.

Windows 2003 supports the RIP (versions 1 and 2) and OSPF routing protocols.

Configuration is accomplished after adding support in the RRAS console. Troubleshooting tools include the traditional ping, tracert and route commands. Understand what each tool offers for this exam and how to decipher the output of each.

Tip: The interfaces container in RRAS is used to add additional interfaces for routing.

ISA Server is a proxy caching and firewall server first released for Windows 2000. The ISA Server SP1 update is required to install it on Windows 2003, and it includes integration for protecting IIS and Exchange servers. There's a specific exam for ISA Server (70-227), but 70-291 includes a few questions about its capabilities.

10 Things To Practice
  1. Enable RRAS on your server. Practice configuring and managing dialup and VPN connections. Using a null-modem cable and a crossover network cable, you can easily simulate remote-dialup and VPN connections.
  2. Deploy and distribute Certificate Services computer and user certificates. Install a CA, issue certificates to computers and users and publish them to AD while you're there.
  3. Install, configure and manage all DNS zone types. You need to practice creating, managing and maintaining AD anyhow—create the DNS zones manually and understand how each is used. Practice troubleshooting problems!
  4. Understand and configure DNS conditional forwarding. Practice this one in conjunction with #3 and configure one of your servers using conditional forwarding.
  5. Practice subnetting and understand IP addressing. You'll need to know subnetting for this exam and how to recognize addressing misconfigurations. Haven't you put it off long enough?
  6. Install and configure IAS with RRAS. This is not a difficult task and you'll be happy you mastered it for this exam.
  7. Install and configure ISA Server. You can download an evaluation copy for free. Even if you don't need Microsoft's proxy and firewall server on your network, understanding the basics of ISA Server is a must for this exam.
  8. Create and manage DHCP scopes and options. Creating a scope is an easy task, but do you really understand DHCP servers and how to maintain them? Configure one of your servers as a router and place a server and client on opposite segments to learn about relay agents and DHCP server management.
  9. Use and understand the capabilities of Network Monitor. This can be boring for some, but after the initial pain, analyzing network packets can be fun! Learn how to use this tool if nothing else.
  10. Use and understand Event Viewer and System Monitor. Easy enough, but do you really understand how to use these tools to their fullest? Hands-on and help files will get you through.

Maintaining a Network Infrastructure
The final objective on 70-291 is Maintaining a Network Infrastructure. Here you'll find topics such as monitoring network traffic, using Network Monitor and System Monitor, troubleshooting Internet connectivity and server services.

Network Monitor is a preferred tool for finding network traffic that is expected or unexpected! Using capture and display filters, you can locate and diagnose TCP/IP, DNS, DHCP, RRAS and WLAN client and server traffic.

IPSec monitoring and logging can be useful when locating VPN connection errors or viewing current security associations.

Tip: SNMP is also a network management tool often used to diagnose and help resolve network traffic issues.

Restarting services such as DNS, DHCP and RRAS can be a "quick fix" in some cases after locating the problem. For more advanced troubleshooting, Event Viewer and System Monitor come to the rescue once again!

Additional Information

The exam guidelines are available here: www.microsoft.com/traincert/exams/70-291.asp.

Study resources for Windows Server 2003 can be found within the help and documentation of the product. Of course, you'll also want as much hands-on practice as you can obtain. If your company hasn't made the move yet, work with the 180-day evaluation, available here: www.microsoft.com/windowsserver2003/evaluation/trial/default.mspx

There's also a lot of information available online from Microsoft such as at the Windows Server Community: www.microsoft.com/windowsserver2003/community/default.asp


Andy Barkl, CCNP, CCDP, CISSP, MCT, MCSE:Security, MCSA:Security, A+, CTT+, i-Net+, Network+, Security+, Server+, CNA, has over 19 years of experience in the IT field. He's the owner of MCT & Associates LLC, a technical training and consulting firm in Phoenix, Arizona. He spends much of his time in the classroom but has also been responsible for many Microsoft Windows 2000, Exchange 2000, and Cisco networking deployments for many clients across Arizona. He's also the online editor for MCPMag.com, TCPMag.com, CertCities.com, and a contributing author and editor for Sybex and Cisco Press. He hosts a multitude of exam preparation chats monthly on MCPmag.com, TCPmag.com and CertCities.com. You can reach him at .




There are 29 CertCities.com user Comments for “70-291: Underpinnings of a Windows 2003 Network”
The current user rating is: three stars - difficult, but manageable
10/9/03: MCSE from Boston says:
three stars - difficult, but manageable
This one looked a little tricky at first but found the Training Guide from Que to be very helpful. Check it out, probably all you'll need.
10/10/03: Where's the value in Windows 2003 says:
one star - cakewalk
Really, where is it?
10/10/03: Barry Clemens from Tampa, Florida says:
three stars - difficult, but manageable
Good review Andy! But I like to see a review of the 70-292 exam. I just got 3 to 4 more exams to finish the Win2K MCSE so I could just take 292 and 296 exams to be MCSE 2003 certified.
10/14/03: How soon before says:
one star - cakewalk
How soon before all IT jobs in the US are outsourced? Just another laid off, highly certified and educated, IT worker ranting!
10/22/03: Pete says:
four stars - very difficult
Great review. Gives insight into the exams. Thanks for keeping up a good job. Pete www.ucertify.com.
11/10/03: Brian from Houston, Texas says:
three stars - difficult, but manageable
I think MCSE from Boston is referring to http://www.quepublishing.com
11/19/03: Mike says:
three stars - difficult, but manageable
Review goes right into it. RRAS and ISA plays quite a role in this exam.
2/26/04: Altaf ahmed from Bandey koucha mahraj gunj srinagar kashmir India p says:
three stars - difficult, but manageable
I want to take the MCP exam. First I want a full detailed letter and some quick tips about this exam.
3/2/04: nagla says:
three stars - difficult, but manageable
rftr
4/3/04: drexciya from Netherlands says:
two stars - somewhat challenging
I found the exam disappointing, I got lots of security-related questions (SUS, security templates) and out of the only 35 questions about 20-25 were really about the relevant material. From the contents of the MS Press 70-291 book only a small part was featured.

Exam Difficulty Rating Key
five stars - true gurus only
four stars - very difficult
three stars - difficult, but manageable
two stars - somewhat challenging
one star - cakewalk