1/21/2004 -- Microsoft's 70-296 exam, "Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000," is the second of the two upgrade exams for Windows 2000 MCSEs. You can view my tips for the first exam, 70-292, here.

Unlike the horror 70-240 Windows 2000 MCSE upgrade exam, this test follows the same path established by the MCSA exams. I took this exam last week, and found that while it isn't a pushover, the content is straightforward enough if you have a solid understanding of the subject matter within.

Note that this exam covers some of the same ground as the 70-292 (albeit in more detail this time around), so make sure you have that material covered as well.

Tip #1: Focus on Forest/Domain Functional Levels
Given that most of us will be working with Windows 2003 in networks that will be upgraded from a previous version of Windows server, it is important that we understand the different domain and forest functional levels, and what each of these mean for us.

The supported domain levels are:

• Windows 2000 mixed -- allows for domain controllers running NT 4.0, Windows 2000 or Windows 2003.
• Windows 2000 native -- allows for domain controllers running Windows 2000 or Windows 2003.
• Windows 2003 interim -- only for migrations of domain controllers from NT 4.0 to Windows 2003
• Windows 2003 Server -- when all domain controllers are Windows 2003 only.

The support forest functional levels are:

• Windows 2000 -- the default level, allows interoperability with NT 4.0, Windows 2000 and Windows 2003 domains.
• Windows 2003 interim -- only used when migrating from NT 4.0 to Windows 2003 domain.
• Windows 2003 -- When all domain controllers are running Windows 2003 and at least at Windows 2000 native domain functional level. When a forest is upgraded to this level, all domains are automatically upgraded to Windows 2003 functional level. This upgrade cannot be reversed, and once done only Windows 2003 servers can be added as domain controllers in the forest.

Keep in mind that until your forest is at the Windows 2003 functional level, many of the new cool AD features that relate to forests (domain renaming, forest trusts, improved replication algorithms) are disabled.

You can find out more about this topic in this Microsoft Knowledge Base article here.

Tip #2: Tackle Trusts
There was a time when we when thought that moving to an Active Directory would mean the end of trusts, but, alas, we now have no less that six different types of trusts -- two that are created automatically for us, and four others that require being explicitly setup. Here’s a quick summary of those four trust types:

• External trust -- used to trust NT 4.0 domains.
• Shortcut trust -- used to speed up logon times between domains within an existing forest.
• Realm trust -- used to trust another Kerberos realm (typically this would be a non-Windows environment).
• Forest trust -- used to share resources across forests.

Here is a link to the product documentation that details the different type of trusts available, when to use them and how to create them.

Tip #3: Understand RSoP
One of the coolest additions to Windows 2003 are the new tools to understand how group policies have -- or will be -- applied to a user or computer. Therefore, make sure you have a good understanding with the Resultant Set of Policy (RSoP) tools.

The new RSoP MMC snap-in launches a wizard that can be run in logging mode, when you want investigate the existing policies for an individual user/computer, or in planning mode, when you want to test how a planned policy change may affect them. You can also launch this wizard by right clicking the user or computer in the Active Directory Users and Computers or the Active Directory Sites and Services consoles.

A command line version of this tool is gpresult.exe. There is also a more elementary version of this information available within the Help and Support Center tool (select Support Tasks, Tools, Help and Support Center Tools, Advanced System Information, then select View Group Policies Applied option).

Go here to review a Knowledge Base article that covers this in more detail.

Tip #4: Work with the New Group Policy Management Console
Not part of the product itself, this is a separate download that you can get from here. Also at this location are a number of whitepapers that detail how the tool works. For example, some of the cool things you can do with this are to backup group policies before you update them, or use it to move group policies across domains. Make sure you have a good grasp on how to use this tool.

Tip #5: Universal Group Membership Caching
This is a new option that can make it easier for folks in remote branch offices to logon quickly over a slow network link without requiring a local global catalog server. It is configured at the site level, using the Active Directory Sites and Services snap-in. When enabled, the local domain controller in the site keeps a cached copy of the universal group memberships of users once they have logged on successfully.

Tip #6: Use Gpupdate
A new feature in Windows 2003 is the gpupdate.exe tool, which is used to make group policy updates occur now, rather than waiting up to 90 minutes for this to happen automatically. It replaces the secedit /refreshpolicy command. For more on this tool, go here.

Tip #7: Emergency Management Services
Emergency Management Services is a new feature that allows for out of band server management -- for example, when a server has blue screened, it can be restarted remotely. Alternatively, this allows"headless"servers (those without an attached keyboard, mouse or monitor) to be installed and managed.

Here is a whitepaper that covers this topic in more detail.

Tip #8: Review IPSec
Although there a few new features in Windows 2003 relating to IPSec that you can view here, you would do well to first review your original Windows 2000 MCSE study material, since to my mind these are fairly minor incremental changes.

Tip #9: Review AD Restoration Steps
Although this changed little from Windows 2000, Microsoft expects it candidates for this exam to understand how to restore AD -- from restoring a deleted object to restoring the entire AD database. Go here for a summary of AD backup and restore concepts (yes, I know that link is intended to relate to Windows 2000, but the concepts are the same -- and yes, I know that this is supposed to be a Windows 2003 upgrade exam!).

Tip #10: Understand Clustering and Network Load Balancing
Although these two terms tend to be grouped together, they are very different things and you need to understand the differences. Keep in mind that you can't run both on the server; they are mutually exclusive.

Network Load Balancing (NLB) provides increased availability by grouping together up to 32 servers (all Windows 2003 editions are supported) as a single entity. This is typically used for Web servers that don't have dynamic updated information (so each has an identical version of the same application that they can server to clients). All servers running NLB together share the same IP address on a virtual NIC. The load balancing algorithms on each server listens for other servers that are available in the cluster. Then, when an incoming request is received, a server can determine which other servers are available and where that new requests should be sent.

Server clustering requires Windows 2003 Enterprise Edition or Datacenter Edition and supports a maximum of eight nodes. In this case, the servers in the cluster share disk resources so that they can failover without data loss. Unlike with NLB, special hardware is required so that the servers can physically share access to the same disk storage.

Go here for a Microsoft whitepaper that discusses this in more detail.

Overall, I found this exam to be a great way to get some more depth of knowledge of the product. It's one thing to read some whitepapers, but there’s nothing like the pressure of an upcoming exam to make you really understand a topic! All the best for your exam preparation.