Syngress knows what passing the exam means to you and to your career. And we know that you are often financing your own training and certification; therefore, you need a system that is comprehensive, affordable, and effective.
Boasting one-of-a-kind integration of text, DVD-quality instructor-led training, and Web-based exam simulation, the Syngress Study Guide & DVD Training System guarantees 100% coverage of exam objectives.
The Syngress Study Guide & DVD Training System includes:
■ Study Guide with 100% coverage of exam objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of the exam objectives.
■ Instructor-led DVD. This DVD provides almost two hours of virtual classroom instruction.
■ Web-based practice exams. Just visit us at www.syngress.com/certification to access a complete exam simulation.
Thank you for giving us the opportunity to serve your certification needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.
www.syngress.com/certification
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
Printed in the United States of America
ISBN: 1-932266-57-7
Technical Editor: Tony Piltzecker
Cover Designer: Michael Kavish
Page Layout and Art by: Patricia Lupien
Technical Reviewer: Jeffery A. Martin
Copy Editor: Darlene Bordwell
Acquisitions Editor: Catherine A. Nolan
Indexer: J. Edmund Rush
DVD Production: Michael Donovan
DVD Presenter: Tony Piltzecker
Acknowledgments
The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision remains worldwide in scope.
Will Schmied, the President of Area 51 Partners, Inc. and moderator of www.mcseworld.com for sharing his considerable knowledge of Microsoft networking and certification.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.
David Scott, Annette Scott, Delta Sams, Geoff Ebbs, Hedley Partis, and Tricia Herbert of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.
A special thanks to Daniel Bendell from Assurance Technology Management for his 24x7 care and feeding of the Syngress network. Dan manages our network in a highly professional manner and under severe time constraints, but still keeps a good sense of humor.
Contributors
Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, CNE-4, CNE-5) is a Senior IT Specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the University. Her specialties include Microsoft Windows NT and 2000 design and implementation, troubleshooting and security topics. As an “MCSE Early Achiever” on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura’s previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She also operates as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of websites.
Laura has previously contributed to the Syngress best-seller Configuring Symantec Antivirus, Corporate Edition (ISBN: 1-931836-81-7). She has also contributed to several other exam guides in the Syngress Windows 2003 MCSE/MCSA DVD Guide and Training System series as a DVD presenter, contributing author and technical reviewer. Laura holds a bachelor’s degree from the University of Pennsylvania and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the U.S. Government and other participants dedicated to increasing the security of United States critical infrastructures.
Brian Barber (MCSE/W2K, MCSA/W2K, MCSE/NT 4, MCP+I, MCNE, CNE-5, CNE-4, CNA-3, CNA-GW) is a Senior Consultant with Sierra Systems Consultants Inc. in Ottawa, Canada who specializes in multi-platform infrastructure and application architecture. His focus is on Web-based electronic service delivery through directory services and messaging, and on IT service management. In over 10 years of experience in IT, he has held numerous positions, including Senior Technical Analyst with MetLife and Senior Technical Coordinator with LGS Group Inc. (now a part of IBM Global Services). Brian has contributed to the following other Syngress products, including Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6). He would like to thank Glen Donegan at Microsoft Canada for providing the software he needed and also his family for all of their patience, love, and support.
Melissa Craft (CCNA, MCNE, MCSE, Network+, 3, 4, CNE-GW, CNE-5, CCA) is the Vice President and CIO for Dane Holdings, Inc., a financial services corporation in Phoenix, AZ, where she manages Web development, and the LAN and WAN for the company. During her career, Melissa has focused her expertise on developing enterprise-wide technology solutions and methodologies focused on client organizations. These technology solutions touch every part of a system’s lifecycle, from assessing the need, determining the return on investment, network design, testing, and implementation to operational management and strategic planning.
In 1997, Melissa began writing magazine articles on networking and the information technology industry. In 1998, Syngress hired Melissa to contribute to an MCSE certification guide. Since then, Melissa has continued to write about various technology and certification subjects. She is the author of the best-selling Configuring Windows 2000 Active Directory (Syngress Publishing, ISBN: 1-928994-60-1), and Configuring Citrix MetaFrame for Windows 2000 Terminal Services (Syngress, ISBN: 1-928944-18-0).
Melissa holds a bachelor’s degree from the University of Michigan and is a member of the IEEE, the Society of Women Engineers, and American MENSA, Ltd. Melissa currently resides in Glendale, AZ with her family, Dan, Justine, and Taylor.
Norris L. Johnson, Jr. (MCSA, MCSE, CTT+, A+, Linux+, Network+, Security+, CCNA) is a technology trainer and owner of a consulting company in the Seattle-Tacoma area. His consultancies have included deployments and security planning for local firms and public agencies, as well as providing services to other local computer firms in need of problem solving and solutions for their clients. He specializes in Windows NT 4.0, Windows 2000, and Windows XP issues, providing consultation and implementation for networks, security planning and services. In addition to consulting work, Norris provides technical training for clients and teaches for area community and technical colleges. He is co-author of many Syngress publications, including the best selling Security+ DVD Training & Study Guide (ISBN: 1-931836-72-8), SSCP Study Guide and DVD Training System (ISBN: 1-931836-80-9), Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6), and Hack Proofing Your Network, Second Edition (ISBN: 1-928994-70-9). Norris has also performed technical edits and reviews on Hack Proofing Windows 2000 Server (ISBN: 1-931836-49-3) and Windows 2000 Active Directory, Second Edition (ISBN: 1-928994-60-1). Norris holds a bachelor’s degree from Washington State University. He is deeply appreciative of the support of his wife, Cindy, and three sons in helping to maintain his focus and efforts toward computer training and education.
Technical Editor, Contributor, and DVD Presenter
Tony Piltzecker (CISSP, MCSE, CCNA, Check Point CCSA, Citrix CCA), author of the CCSA Exam Cram, is the IT Operations Manager for SynQor, Inc., where he is responsible for the network design and support for multiple offices worldwide. Tony’s specialties include network security design, implementation, and testing. Tony’s background includes positions as a Senior Networking Consultant with Integrated Information Systems and a Senior Engineer with Private Networks, Inc. Tony holds a bachelor’s degree in Business Administration, and is a member of ISSA. Tony currently resides in Leominster, MA with his wife, Melanie, and his daughter, Kaitlyn.
Technical Reviewer
Jeffery A. Martin (MCSE, MCDBA, MCT, MCP+I, MCNE, CNI, CCNP, CCI, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM) has been working with computers and computer networks for over 15 years. Jeffery spends most of his time managing several companies that he owns and consulting for large multinational media companies. He also enjoys working as a technical instructor and training others in the use of technology.
MCSE 70-296 Exam Objectives Map and Table of Contents
All of Microsoft’s published objectives for the MCSE 70-296 Exam are covered in this book. To help you easily find the sections that directly support particular objectives, we’ve listed all of the exam objectives below, and mapped them to the Chapter number in which they are covered. We’ve also assigned numbers to each objective, which we use in the subsequent Table of Contents and again throughout the book to identify objective coverage. In some chapters, we’ve made the judgment that it is probably easier for the student to cover objectives in a slightly different sequence than the order of the published Microsoft objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of Microsoft’s MCSE 70-296 Exam objectives.
Exam Objective Map
Each objective is followed by the chapter in which it is covered.
1 Planning & Implementing Server Roles and Server Security.
1.1 Configure security for servers that are assigned specific roles. (Chapter 8)
1.2 Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, and mail servers. (Chapter 8)
1.2.1 Deploy the security configuration for servers that are assigned specific roles. (Chapter 8)
1.2.2 Create custom security templates based on server roles. (Chapter 8)
2 Planning, Implementing, and Maintaining a Network Infrastructure.
2.1 Plan a host name resolution strategy. (Chapter 1)
2.1.2 Plan zone replication requirements. (Chapter 1)
2.1.5 Examine the interoperability for DNS with third-party DNS solutions. (Chapter 1)
3 Planning, Implementing, and Maintaining Server Availability.
3.1 Plan services for high availability.
3.1.1 Plan a high availability solution that uses clustering services. (Chapter 11)
3.1.2 Plan a high availability solution that uses Network Load Balancing. (Chapter 11)
3.2.1 Identify appropriate backup types. Methods include full, incremental, and differential. (Chapter 11)
3.2.2 Plan a backup strategy that uses volume shadow copy. (Chapter 11)
3.2.3 Plan system recovery that uses Automated System Recovery (ASR). (Chapter 11)
4 Planning and Maintaining Network Security.
4.1 Plan secure network administration methods. (Chapter 10)
4.1.1 Create a plan to offer Remote Assistance to client computers. (Chapter 10)
4.1.2 Plan for remote administration by using Terminal Services. (Chapter 10)
4.3.1 Secure data transmission between client computers to meet security requirements. (Chapter 8)
4.3.2 Secure data transmission by using IPSec. (Chapter 8)
5 Implementing PKI in a Windows 2003 Network.
5.1 Configure Active Directory directory services for certificate publication. (Chapter 4)
5.2 Plan a public key infrastructure (PKI) that uses Certificate Services. (Chapter 4)
5.2.1 Identify the appropriate type of certificate authority to support certificate issuance requirements. (Chapter 4)
5.2.2 Plan the enrollment and distribution of (Chapter 4)
5.3.2 Plan a change and configuration management for security. (Chapter 4)
5.4 Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services. (Chapter 4)
6 Planning and Implementing an Active Directory Infrastructure. (Chapter 2)
6.1 Plan a strategy for placing global catalog servers.
6.1.1 Evaluate network traffic considerations when placing global catalog servers. (Chapter 2)
6.1.2 Evaluate the need to enable universal group caching. (Chapter 2)
6.2 Implement an Active Directory directory service forest and domain structure. (Chapter 2)
6.2.3 Create and configure Application Data Partitions. (Chapter 2)
6.2.4 Install and configure an Active Directory domain controller. (Chapter 2)
6.2.5 Set an Active Directory forest and domain functional level based on requirements. (Chapter 2)
6.2.6 Establish trust relationships. Types of trust relationships might include external trusts, shortcut trusts, and cross-forest trusts. (Chapter 2)
7 Managing and Maintaining an Active Directory Infrastructure.
7.1 Manage an Active Directory forest and domain structure. (Chapter 3)
7.2 Restore Active Directory directory services. (Chapter 3)
7.2.1 Perform an authoritative restore operation. (Chapter 3)
7.2.2 Perform a nonauthoritative restore operation. (Chapter 3)
8 Planning and Implementing User, Computer, and Group Strategies.
8.1.1 Plan a smart card authentication strategy. (Chapter 5)
8.1.2 Create a password policy for domain users. (Chapter 5)
9 Planning and Implementing Group Policy.
9.1.1 Plan a Group Policy strategy by using Resultant Set of Policy (RSoP) Planning mode. (Chapter 6)
9.1.2 Plan a strategy for configuring the user environment by using Group Policy. (Chapter 6)
9.1.3 Plan a strategy for configuring the computer environment by using Group Policy. (Chapter 6)
9.2 Configure the user environment by using Group Policy. (Chapter 6)
9.2.1 Distribute software by using Group Policy. (Chapter 6)
9.2.2 Automatically enroll user certificates by using Group Policy. (Chapter 6)
9.2.3 Redirect folders by using Group Policy. (Chapter 6)
9.2.4 Configure user security settings by using Group Policy. (Chapter 6)
10 Managing and Maintaining Group Policy. (Chapter 7)
10.1 Troubleshoot issues related to Group Policy application deployments. Tools might include RSoP and the gpresult command. (Chapter 7)
10.2 Troubleshoot the application of Group Policy security settings. Tools might include RSoP and the gpresult command. (Chapter 7)
Chapter 1 Implementing DNS
Introduction ………2
Reviewing the Domain Name System ………3
A Brief History of DNS ………3
DNS Namespaces ………3
The DNS Structure ………4
DNS in Windows Operating Systems ………5
New Features in Windows Server 2003 DNS ………6
Conditional Forwarders ………6
Stub Zones ………6
Active Directory Zone Replication ………6
Enhanced Security ………7
Enhanced Round Robin ………7
Enhanced Logging ………7
DNSSEC ………7
EDNS0 ………8
Resource Registration Restriction ………8
2.1/2.1.1 Planning a DNS Namespace ………8
2.1.1 Resolution Strategies ………9
Choosing Your First DNS Domain Name ………10
Internal Domains versus Internet Domains ………11
Naming Standards ………12
DNS Namespace and Active Directory Integration ………17
How DNS Integrates with Active Directory ………18
Benefits of Integration ………19
2.1.2/2.1.5 Zone Replication ………20
Transfer Types ………23
2.1.5 Non-Active Directory Integrated Zones ………25
Configuring Stub Zones ………30
2.1.5 Using Windows DNS with Third-Party DNS Solutions ……31
Active Directory Integrated Zones ………32
Zone Storage ………33
Scopes ………36
2.1.3 DNS Forwarding ………38
Understanding Forwarders ………39
Forwarder Behavior ………39
Conditional Forwarders ………41
Forward-Only Servers ………43
Directing Queries Through Forwarders ………44
2.1.4 DNS Security ………45
DNS Security Guidelines ………45
Levels of DNS Security ………47
Low-Level Security ………48
Medium-Level Security ………48
High-Level Security ………49
Understanding and Mitigating DNS Threats ………49
DNS Spoofing ………50
Denial of Service ………50
DNS Footprinting ………52
Using Secure Updates ………52
The DNS Security Extensions Protocol ………54
Using DNSSEC ………56
Summary of Exam Objectives ………58
Exam Objectives Fast Track ………58
Exam Objectives Frequently Asked Questions ………60
Self Test ………62
Self Test Quick Answer Key ………67
Chapter 2 Planning and Implementing an Active Directory Infrastructure 69
Introduction ………70
6.2/6.2.1/6.2.2 Designing Active Directory ………70
Evaluating Your Environment ………70
Creating a Checklist ………76
Expect the Unexpected ………78
6.2/6.2.1/6.2.2 Creating an Active Directory Hierarchy ………78
Before You Start ………80
6.2.1 Forest Root ………81
6.2.2 Child Domains ………83
Domain Trees ………84
6.2.3/6.2.4/6.2.5/6.2.6 Configuring Active Directory ………85
6.2.3 Application Directory Partitions ………85
Managing Partitions ………87
Replication ………87
6.2.4 Domain Controllers ………88
Establishing Trusts ………94
6.2.6 Types of Trusts ………94
Evaluating Connectivity ………98
Setting Functionality ………98
6.2.5 Forest Functional Levels ………98
Domain Functional Levels ………100
6.1/6.1.1/6.1.2 Global Catalog Servers ………101
6.1 Planning a Global Catalog Implementation ………102
When to Use a Global Catalog ………104
6.1.1 Creating a Global Catalog Server ………105
Universal Group Membership Caching ………106
6.1.2 When to Use Universal Group Membership Caching ……106
Configuring Universal Group Membership Caching ………107
Adding Attributes to Customize the Global Catalog …………108
Effects on Replication ………109
Security Considerations ………109
Summary of Exam Objectives ………110
Exam Objectives Fast Track ………111
Exam Objectives Frequently Asked Questions ………112
Self Test ………114
Self Test Quick Answer Key ………119
Chapter 3 Managing and Maintaining an Active
Introduction ………122
Choosing a Management Method ………122
Using a Graphical User Interface ………122
Using the Command-line ………124
Defining Commands ………124
Using Scripting ………125
7.1/7.1.1/7.1.2/7.1.3 Managing Forests and Domains ………126
7.1 Managing Domains ………126
Creating a New Child Domain ………127
Managing a Different Domain ………131
Removing a Domain ………132
Deleting Extinct Domain Metadata ………133
Raising the Domain Functional Level ………134
Managing Organizational Units ………136
Assigning, Changing, or Removing Permissions on Active Directory Objects or Attributes ………138
Managing Domain Controllers ………139
7.1/7.1.2 Managing Forests ………142
Creating a New Domain Tree ………143
Raising the Forest Functional Level ………145
Managing Application Directory Partitions ………147
7.1.2 Managing the Schema ………149
7.1.1 Managing Trusts ………152
Creating a Realm Trust ………154
Managing Forest Trusts ………157
Creating a Shortcut Trust ………158
Creating an External Trust With the Windows Interface ………160
Selecting the Scope of Authentication for Users ………161
Verifying a Trust ………162
Removing a Trust ………163
7.1.3 Managing UPN Suffixes ………164
7.2 Restoring Active Directory ………165
7.2.2 Performing a Nonauthoritative Restore ………166
7.2.1 Performing an Authoritative Restore ………170
Understanding NTDSUTIL Restore Options ………171
Performing a Primary Restore ………172
Summary of Exam Objectives ………173
Exam Objectives Fast Track ………173
Exam Objectives Frequently Asked Questions ………175
Self Test ………176
Self Test Quick Answer Key ………182
Chapter 4 Implementing PKI in a Windows Server 2003 Network 183
Introduction ………184
An Overview of Public Key Infrastructure ………184
Understanding Cryptology ………185
Encryption ………185
Benefits of Public Key Infrastructure ………188
Privacy ………189
Authentication ………189
Nonrepudiation ………190
Integrity ………190
Components of Public Key Infrastructure ………190
Digital Certificates ………190
X.509 ………191
Certificate Authorities ………193
Single CA Models ………194
Hierarchical Models ………194
Web-of-Trust Models ………196
Certificate Policy and Practice Statements ………197
Publication Points ………198
Certificate Revocation Lists ………199
Simple CRLs ………199
Delta CRLs ………199
Online Certificate Status Protocol ………200
Certificate Trust Lists ………200
Key Archival and Recovery ………200
Hardware Key Storage versus Software Key Storage ………201
Standards ………202
Windows PKI Components ………204
Microsoft Certificate Services ………204
Active Directory ………205
CryptoAPI ………205
CAPICOM ………205
5.2 Planning the Windows Server 2003 Public Key Infrastructure ……206
The Certificate Templates MMC Snap-in ………206
Certificate Autoenrollment and Autorenewal for All Subjects ………207
Delta CRLs ………207
Role-Based Administration ………207
Key Archival and Recovery ………208
Event Auditing ………208
Qualified Subordination ………208
The Process for Designing a PKI ………208
Defining Certificate Requirements ………209
Creating a Certification Authority Infrastructure …………211
Extending the CA Infrastructure ………211
Configuring Certificates ………212
Creating a Certificate Management Plan ………212
5.2.1 Types of Certificate Authorities ………213
Online versus Offline Certificate Authorities ………213
Root versus Subordinate Certificate Authorities ………213
Enterprise CA versus Standalone CAs ………214
5.2.2 Enrollment and Distribution ………215
Web Enrollment ………215
Autoenrollment ………217
5.2.3 Using Smart Cards ………218
Defining a Business Need ………218
Smart Card Usage ………218
Smart Card Certificate Enrollment ………219
5.1 Configuring Public Key Infrastructure within Active Directory ………219
Web Enrollment Support ………223
Creating an Issuer Policy Statement ………225
Managing Certificates ………226
Managing Certificate Templates ………226
Using Autoenrollment ………226
Importing and Exporting Certificates ………230
Revoking Certificates ………231
Configuring Public Key Group Policy ………232
Automatic Certificate Request ………232
Managing Certificate Trust Lists ………233
Common Root Certificate Authorities ………233
Publishing the CRL ………234
Scheduled Publication ………234
Manual Publication ………234
Backup and Restoring Certificate Services ………234
Summary of Exam Objectives ………238
Exam Objectives Fast Track ………238
Exam Objectives Frequently Asked Questions ………240
Self Test ………241
Self Test Quick Answer Key ………246
Introduction ………248
Creating an Extensive Defense Model ………249
Strong Passwords ………250
System Key Utility ………250
Defining a Password Policy ………253
Applying a Password Policy ………253
Modifying a Password Policy ………256
Applying an Account Lockout Policy ………256
Modifying an Account Lockout Policy ………259
Password Reset Disks ………259
Creating a Password Reset Disk ………259
Resetting a Local Account ………260
8.1 User Authentication ………262
Need for Authentication ………263
Single Sign-on ………263
Interactive Logon ………264
Network Authentication ………264
Authentication Types ………265
Kerberos ………265
Understanding the Kerberos Authentication Process ………266
Secure Sockets Layer/Transport Layer Security ………267
NT LAN Manager ………268
Digest Authentication ………269
Passport Authentication ………270
Internet Authentication Service ………273
Using IAS for Dialup and VPN ………275
Creating Remote Access Policies ………278
Using IAS for Wireless Access ………281
Creating a User Authorization Strategy ………282
Educating Users ………284
When to Use Smart Cards ………285
Implementing Smart Cards ………285
PKI and Certificate Authorities ………286
Setting Security Permissions ………287
Enrollment Stations ………288
Issuing Enrollment Agent Certificates ………289
Requesting an Enrollment Agent Certificate ………290
Enrolling Users ………291
Installing a Smart Card Reader ………292
Issuing Smart Card Certificates ………292
Assigning Smart Cards ………294
Logon Procedures ………294
Revoking Smart Cards ………294
Planning for Smart Card Support ………296
Summary of Exam Objectives ………297
Exam Objectives Fast Track ………297
Exam Objectives Frequently Asked Questions ………299
Self Test ………300
Self Test Quick Answer Key ………307
Chapter 6 Developing and Implementing a Group
Introduction ………310
9.1 Developing a Group Policy Strategy ………310
Group Policy Overview ………311
The Planning Process ………316
Using RSoP ………318
Queries ………324
9.2 Configuring the User Environment ………330
Chapter 7 Managing Group Policy in Windows
Introduction ………354
Managing Applications ………354
Managing Security Policies ………358
10.1 Troubleshooting Group Policies ………360
Troubleshooting the Group Policy Infrastructure ………361
Troubleshooting Software Installation ………363
Troubleshooting Policy Inheritance ………364
Using RSoP ………365
Using RSoP in Logging Mode ………366
Using RSoP to Troubleshoot Security Settings ………373
Using GPResult.exe ………373
Other Troubleshooting Techniques ………375
Using the Group Policy Management Console ………377
Key Features and Benefits ………379
Delegating Control of a GPO via GPMC ………381
Using Security Filtering in GPMC ………382
Using GPMC as a Troubleshooting Tool ………383
Creating a Group Policy Modeling Report ………385
Managing Windows 2000 Domains ………386
Summary of Exam Objectives ………387
Exam Objectives Fast Track ………387
Exam Objectives Frequently Asked Questions ………389
Self Test ………390
Self Test Quick Answer Key ………399
Trang 25Chapter 8 Securing a Windows Server 2003 Network 401
Introduction ………402Understanding Server Roles ………402File Servers ………403Print Servers ………403Application Servers ………404Mail Servers ………404Terminal Servers ………405Remote Access and VPN Servers ………406Domain Controllers ………407Operations Masters ………407Global Catalog Servers ………408DNS Servers ………408DHCP Servers ………409WINS Servers ………409Streaming Media Servers ………409
1.2.1
Securing File Servers ………424Securing Print Servers ………425Securing Application Servers ………426Web Servers ………427Securing Mail Servers ………429Secure Password Authentication ………432Securing Terminal Servers ………433Securing Remote Access and VPN Servers ………434Securing Domain Controllers ………436Securing DNS Servers ………437Securing DHCP Servers ………438Known Security Issues ………438Securing WINS Servers ………439
Creating Security Templates ………449Best Practices ………449Modifying Existing Templates ………450Applying Templates ………450
Trang 264.3.1/4.3/ Securing Data Transmission ………4594.3.1/4.3.2
Need for Network Security ………459Planning for Secure Data Transmission ………459
Overview ………460Deploying IPSec ………460IPSec Management Tools ………461
5.3 Implementing and Maintaining Security ………469
5.4 Updating the Infrastructure ………473
Types of Updates ………473Service Packs ………473Hotfixes ………474Deploying and Managing Updates ………475Analyzing Your Computers ………476Windows Update ………492Windows Update Catalog ………496Software Update Services and Automatic Updates …………499Summary of Exam Objectives ………508Exam Objectives Fast Track ………509Exam Objectives Frequently Asked Questions ………511Self Test ………512Self Test Quick Answer Key ………518
Chapter 9 Planning Security for a Wireless Network 519
Introduction ………520Wireless Concepts ………520Communication in a Wireless Network ………521Radio Frequency Communications ………521Spread-Spectrum Technology ………522How Wireless Works ………523Wireless Network Architecture ………526CSMA/CD and CSMA/CA ………527Wireless Standards ………528Windows Wireless Standards ………529IEEE 802.11b ………530
Trang 27IEEE 802.11a ………531IEEE 802.11g ………531IEE 802.20 ………532Wireless Vulnerabilities ………532Passive Attacks ………533War Driving to Discover Wireless Networks ………533Sniffing ………535Active Attacks ………535Spoofing and Unauthorized Access ………536Denial of Service and Flooding Attacks ………539Man-in-the-Middle Attacks on Wireless Networks ………540Hijacking and Modifying a Wireless Network ………541Jamming Attacks ………542Fundamentals of Wireless Security ………543Understanding and Using the
Wireless Equivalent Privacy Protocol ………543Creating Privacy with WEP ………545Understanding WEP Vulnerabilities ………548Using IEEE 802.1X Authentication ………549RC4 Vulnerabilities ………550Planning and Configuring Windows
Server 2003 for Wireless Technologies ………550
4.2 Planning and Implementing Your
Wireless Network with Windows Server 2003 ………551Planning the Physical Layout ………552Planning the Network Topology ………553Planning for Network Identification ………553Planning for Wireless Security ………554
4.2 Implementing Wireless Security
on a Windows Server 2003 Network ………555Using Group Policy for Wireless Networks ………555Defining Preferred Networks ………560802.1X Authentication ………563User Identification and Strong Authentication ………565Dynamic Key Derivation ………565Mutual Authentication ………565Per-Packet Authentication ………566Using RSoP ………566
Trang 28Logging Mode Queries ………567Planning Mode Queries ………567Assigning and Processing Wireless
Network Policies in Group Policy ………568Wireless Network Policy Information
Displayed in the RSoP Snap-in ………568Viewing Wireless Computer Assignments ………573
4.2 Securing a Windows Server 2003 Wireless Network …………574
Using a Separate Subnet for Wireless Networks ………577Securing Virtual Private Networks ………578Using IPSec ………579Implementing Stub Networks for Secure Wireless Networks 579Monitoring Wireless Activity ………580Implementing the Wireless Monitor Snap-in ………580Monitoring Access Point Data ………582Using Wireless Logging for Security ………583Summary of Exam Objectives ………584Exam Objectives Fast Track ………586Exam Objectives Frequently Asked Questions ………588Self Test ………589Self Test Quick Answer Key ………594
Introduction ………596
4.1/4.1.1 Remotely Administering Client Computers ………596
Remote Assistance ………597Configuring the Client ………597Setting Group Policy for Remote Assistance ………598Requesting Help Using Remote Assistance ………604Providing Help Using Remote Assistance ………611Blocking Remote Assistance Requests ………613Securing Remote Assistance ………615Firewalls and Remote Assistance ………619
4.1.2 Terminal Services Remote Administration ………621
New Features in Terminal Services ………621Audio Redirection ………622Group Policy Integration ………622Resolution and Color Enhancements ………623
Trang 29Remote Desktop for Server Administration ………624Understanding Remote Desktop for Administration …………625Configuring Remote Desktop for Administration ………626Deploying Remote Desktop for Server Administration ………633Using Remote Desktop for Administration ………633Remote Desktop Snap-in ………635Summary of Exam Objectives ………638Exam Objectives Fast Track ………639Exam Objectives Frequently Asked Questions ………640Self Test ………642Self Test Quick Answer Key ………648
Chapter 11 Disaster Recovery Planning and Prevention 649
Introduction ………650
Planning for Disaster Recovery ………651
Startup Options ………653Recovery Console ………658
3.2.2
Establishing a Plan ………664Tape Rotation ………664Offsite Storage ………665
Volume Shadow Copy ………666The Need for Periodic Testing ………671Security Considerations ………671Using Windows Clustering ………672Clustering Technologies ………672Availability and Features ………673
3.1/3.1.1/ Planning a High-Availability Solution ………6743.1.2
Considerations ………675Typical Deployments ………676
Installing a Server Cluster ………676
Securing a Server Cluster ………676
Sizing a Load-Balanced Cluster ………677
Typical Deployment ………678
Installing Network Load Balancing ………679
Securing Network Load Balancing ………683
Summary of Exam Objectives ………684
Exam Objectives Fast Track ………684
Exam Objectives Frequently Asked Questions ………686
Self Test ………687
Self Test Quick Answer Key ………691
Foreword
What is Exam 70-296?
So you want to be a Microsoft Certified Systems Engineer for Windows Server 2003? Not a bad idea. To stay competitive in today's IT world, you must not only possess the knowledge necessary to do your job, but you must also be able to prove to your employer (or potential employer) that you have the abilities and knowledge. The best way to prove this is through certifications. If you are reading this book, you have already achieved the status of Microsoft Certified Systems Engineer on Windows 2000. This is not a bad title to have, but unfortunately (or fortunately, depending on how you look at it) times have to change. As Microsoft continues to improve upon its Windows products, you will be required to keep up with this evolving technology. The good news is that the path from MCSE on Windows 2000 to MCSE on Windows Server 2003 is a relatively short one, as you are only required to take two exams for certification. The other good news is that, unlike the upgrade path from Windows NT 4.0 to Windows 2000, this isn't a one-time shot: you are allowed to take this exam as many times as necessary, although we think you'll have everything you need in this book to pass it the first time. Let's talk a little more about this exam and the requirements to sit for it.
Requirements for the 70-296 Exam
Exam 70-296, Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000, is the second exam offered by Microsoft in the Upgrade Exam for Windows 2000 MCSE series. Prior to taking this exam, you must possess a current Windows 2000 MCSE designation, which means you have taken and passed all the exams necessary as stated by Microsoft.
Unfortunately, if you are a Windows NT 4.0 MCSE, you are not allowed to take this exam. If you are unsure whether you meet the requirements to take this exam, more information is available on the Microsoft MCP Web site at www.microsoft.com/traincert/mcp/mcse/windows2003/#3.
What Do I Need to Know Before I Take This Exam?
As we stated earlier, the MCSE on Windows Server 2003 upgrade exams are only available to candidates who are currently certified as an MCSE on Windows 2000. Although Microsoft states that the MCSE for Windows Server 2003 credential is intended for IT professionals who work in medium to large computing environments, even smaller companies still have a need for many of the features and benefits that come with Windows Server 2003. Officially, however, Microsoft states that candidates should have experience implementing and administering a network operating system in environments that have the following characteristics:
■ 250 to 5,000 or more users
■ Three or more physical locations
■ Three or more domain controllers
■ Network services and resources such as messaging, database, file and print, proxy server, firewall, Internet, intranet, remote access, and client computer management
■ Connectivity requirements such as connecting branch offices and individual users in remote locations to the corporate network and connecting corporate networks to the Internet
In addition, candidates should have experience in the following areas:
■ Implementing and administering a desktop operating system
■ Designing a network infrastructure
Once again, even if you don't have experience in an environment like the one Microsoft has laid out, it does not mean that you should close this book and pass on upgrading your MCSE status. In fact, quite the contrary: once you have read this book, you will not only be able to manage a small network environment, you will be prepared to take on larger environments when the opportunity arises.
www.syngress.com
Path to MCSE 2003
The path to the MCSE for Windows Server 2003 is a short one indeed, when you consider that it requires only two new exams to reach the certification. However, you already know that earning your Windows 2000 MCSE certification was not easy. For clarity, let's recap the credentials that were required for the Windows 2000 MCSE and how they translate to the Windows Server 2003 MCSE:
■ Networking An MCSE on Windows 2000 has the option to take Exams 70-292 and 70-296 instead of the four core network exams. However, an MCSE on Windows 2000 can choose to take all four core network exams.
■ Client An MCSE on Windows 2000 has already passed Exam 70-210 or 70-270, which also satisfies the client requirement for MCSE on Windows Server 2003; therefore, no action is required.
■ Design The design skills required of an MCSE on Windows Server 2003 do not differ significantly from those required of an MCSE on Windows 2000; therefore, no action is required.
■ Elective Elective exams are required so that candidates prove technical breadth, interoperability skills, or additional technical depth. For MCSEs on Windows 2000, the current MCSE credential satisfies the elective requirement for Windows Server 2003 because it proves the ability to support another version of the platform; therefore, no further action is required.
Once you have met all of the above requirements, you have completed the path to your Windows Server 2003 certification. If you need more information on the MCSE certification track, you can always visit the Microsoft MCSE Web site at www.microsoft.com/traincert/mcp/mcse/default.asp. Not only can you get information about the 70-296 exam, you can find out more information about the other exams offered to Windows Server 2003 MCSEs.
A Note on Exam 70-292
Before we move on, let's take a moment to discuss the other MCSE for Windows Server 2003 upgrade exam, Exam 70-292, Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000. If you haven't taken this exam yet, you're probably wondering why you need to take an MCSA exam. Well, the 70-292 exam covers a direct subset of job tasks that are included in typical MCSE skills. The skills tested by the MCSA upgrade exam are expected to be part of an MCSE's job tasks, and therefore Microsoft requires this exam to be taken as well. By taking the 70-292 exam, you also become a certified MCSA on Windows 2003.
To those of you who have taken the exam and passed, congratulations on your new certification; you're halfway to completing your MCSE for Windows Server 2003!
Where Do I Take My Test?
MCP exams are administered by two third-party organizations, VUE and Prometric. You can register for the exam online or via telephone. Currently, MCP exams cost $125 each, but make sure to check with your testing center of choice prior to registering for your exam. The contact information for the two testing organizations is as follows:
■ VUE www.vue.com, (800) 837-8734 in the United States and Canada. See www.vue.com/contact/ms for contact numbers outside of the U.S. and Canada.
■ Thompson-Prometric www.2test.com, (800) 755-EXAM (3926) in the U.S. and Canada. See www.prometric.com/candidates for contact numbers outside of the U.S. and Canada.
Exam Day Experience
If you are unfamiliar with the examination process and format, taking your first MCP exam can be quite an experience. You should plan on arriving at your testing center at least 15 minutes before your scheduled exam time. Remember to bring two forms of identification with you, as testing centers are required by the vendor (Microsoft in this case) to verify your identity.
Types of Questions
You should expect to see a variety of question types on this exam, as Microsoft tends to use multiple question types to further discourage cheating on exams. Some types of questions that you may encounter include:
■ Multiple Choice This is the standard exam question followed by several answer choices. You will see questions that require only one correct answer and also questions that require two or more correct answers. When multiple answers are required, you will be told this in the question, such as "Choose all correct answers" or "Choose three correct answers."
■ Hot Area This type of exam question presents a question with an accompanying image and requires you to click on the image in a specific location to correctly answer the question. CompTIA regularly uses this type of question on the A+ exams.
■ Active Screen This type of question requires you to configure a Windows dialog box by performing tasks to change one or more elements in the dialog box.
■ Drag-and-Drop This type of exam question requires you to select objects and place them into the answer area as specified in the question.
Exam Experience
The exam itself is delivered via a computer. You will be allowed to use the Windows calculator at all times during the exam, but all other functions of the testing computer are locked out during the testing process. The testing center will have some means in place to monitor the testing room, either via video camera or one-way mirror glass, to discourage cheating. Before starting the exam, you may be asked to complete one or more short surveys. The time spent completing these surveys is separate from the time you will be allotted to complete the exam itself. If you are not taking the exam in English, you may be entitled to extra testing time; make sure you talk to the testing center personnel about this issue. You may also be asked to complete one or more surveys following the exam. Again, any surveys you are asked to complete after the exam will not take away from your exam time. You will know immediately after completion of the exam whether or not you have passed and will receive an official score report from the testing center. However, it will take several business days for your online transcript to be updated on Microsoft's Web site. You can access your online transcript at www.microsoft.com/traincert/mcp/mcpsecure.asp.
About the Study Guide and DVD Training System
In this book, you'll find lots of interesting sidebars designed to highlight the most important concepts being presented in the main text. These include the following:
■ Exam Warnings focus on specific elements on which the reader needs to focus in order to pass the exam.
■ Test Day Tips are short tips that will help you in organizing and remembering information for the exam.
■ Configuring & Implementing sidebars contain background information that goes beyond what you need to know for the exam, providing a deep foundation for understanding advanced design, installation, and configuration concepts discussed in the text.
■ New & Noteworthy discussions and explanations of features and enhancements to Windows Server 2003.
■ Head of the Class discussions are based on the author's interactions with students in live classrooms, and the topics covered here are the ones students have the most problems with.
Each chapter also includes hands-on exercises. It is important that you work through these exercises in order to be confident you know how to apply the concepts you have just read about.
You will find a number of helpful elements at the end of each chapter. For example, each chapter contains a Summary of Exam Objectives that ties the topics discussed in that chapter to the published objectives. Each chapter also contains an Exam Objectives Fast Track, which boils all exam objectives down to manageable summaries that are perfect for last-minute review. The Exam Objectives Frequently Asked Questions answers those questions that most often arise from readers and students regarding the topics covered in the chapter. Finally, in the Self Test section, you will find a set of practice questions written in multiple-choice form that will assist you in your exam preparation. These questions are designed to assess your mastery of the exam objectives and provide thorough remediation, as opposed to simulating the variety of question formats you may encounter in the actual exam. You can use the Self Test Quick Answer Key that follows the Self Test questions to quickly determine what information you need to review again. The Self Test Appendix at the end of the book provides detailed explanations of both the correct and incorrect answers.
Additional Resources
There are two other important exam preparation tools included with this Study Guide. One is the DVD included in the back of this book. The other is the concept review test available from our Web site.
■ Instructor-led training DVD provides you with almost two hours of virtual classroom instruction. Sit back and watch as an author and trainer reviews all the key exam concepts from the perspective of someone taking the exam for the first time. Here, you'll cut through all of the noise to prepare you for exactly what to expect when you take the exam for the first time. You will want to watch this DVD just before you head out to the testing center!
■ Web-based practice exams Just visit us at www.syngress.com/certification to access a complete Windows Server 2003 concept multiple-choice review. These remediation tools are written to test you on all of the published certification objectives. The exam runs in both "live" and "practice" mode. Use "live" mode first to get an accurate gauge of your knowledge and skills, and then use practice mode to launch an extensive review of the questions that gave you trouble.
- Anthony Piltzecker, Technical Editor
Implementing DNS in a Windows Server 2003 Network
Exam Objectives in this Chapter:
2.1 Plan a host name resolution strategy
2.1.1 Plan a DNS namespace design
2.1.2 Plan zone replication requirements
2.1.3 Plan a forwarding configuration
2.1.4 Plan for DNS security
2.1.5 Examine the interoperability for DNS with third-party
Self Test Quick Answer Key