netfresco.com IT Certification Exam Study Notes
70-296 Exam Study Notes
70-296: Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000

Update (Jun '06): Added a small section on securing wireless networks.
About These Notes
While studying for the 70-296 exam, I took pages of notes. Instead of throwing them away, now that I've passed, I've decided to put them online in hopes that they'll help others legitimately pass this difficult exam. Many of the topics and minutiae ended up not being tested on (can't hurt to overstudy), so I trimmed them out. What's left are the areas that you really need to know and study further (for which I've provided dozens of links to point you in the right direction).
My hope is that this page will become one of your better study resources (after your book, of course); however, I strongly recommend reading your book first, if you haven't already. Follow that up by studying all of the notes here and studying all of the pages that I've linked to (very important). That'll go a long way in preparing you for the exam, I would imagine.
I hope that these notes prove helpful to you and good luck on the exam!
General Advice
70-296 isn't quite as difficult to pass as 70-292, but it is no pushover and still is quite challenging compared to the good ol' 2000 exams. Don't underestimate it, since many good administrators have fallen to it.
I used the Microsoft 70-292/70-296 Training Kit (excellent book, by the way!), but realize that that, alone, is not enough to pass. I suggest getting that book, reading it cover to cover, doing all of the questions on the practice CD, studying all of my notes here and studying all of the websites that I've linked to. That will probably be enough to pass, as long as you have some good 2000/2003 experience under your belt. If you don't have access to Windows Server 2003 while you study, definitely grab a free copy of Windows Server 2003 Trial Software (fully-functional use for 180 days), as well as Microsoft Virtual PC 2004 Trial Edition (fully-functional for 45 days) if you don't have a computer to install it on.
I also used the practice exam that comes on CD with the book and Redmond's 70-296 practice exam. Both are excellent, but I definitely recommend Redmond's exam. 217 questions (a lot) for only $29 is a good deal, and the topics covered matched to the exam pretty well.
As you may or may not know, 70-296's material is taken from 70-293 and 70-294. Study materials (study guides, practice questions, etc.) for these tests can help you prepare for 70-296. I just recommend, however, that you look at them only once you know the topics to expect on the exam, since not all topics from 70-293 and 70-294 apply to 70-296.
This exam is a fairly difficult one (not quite as tough as 70-292, but no pushover), so don't take this one lightly. My main pieces of advice are:
  • Consider taking your own notes while studying. Writing things down helps the memorization process. Besides, it's possible that a topic that I know well and didn't think to include is one that you may not be so strong in.
  • Print these notes out and carry them with you (along with your own notes) on the day of the exam. Go over them on breaks, in the car and, most importantly, immediately before walking into the exam room (leave them outside, of course). For the most part, I've designed them to be succinct and memorizable.
  • Bring a pen with you and, should you fail the exam, as soon as you leave the testing center, write down (on the back of the printout or paper that you brought with you) everything from the exam that you can remember, especially questions and answers that you weren't sure of. Spend a good 15-30 minutes. You won't recall much even a few hours later, unless you have a better memory than I do. It really, really helps if you made good use of the "Select for Review" checkboxes while taking the test, since it means that all of the questions and answers that you weren't sure of are the freshest things in your mind when you leave the testing center. Use everything that you wrote down as the basis for your re-take studying.
Exam Format
Format: Multiple-choice, drag-and-drop, hotspot, etc.
Questions: 50 (24 in the first section, 26 in the second)
Time Limit: 130 minutes (+20 minutes for comments and reading the pre-exam disclaimers)
Passing score: 700
Resources
Microsoft Preparation Guide for 70-296 -- List of exam objectives.
Microsoft Second Shot Offer - Microsoft periodically offers FREE exam re-takes. Important: you must sign up with Microsoft before scheduling the exam the first time! You can't wait until after you've failed. Follow the link to see if the Second Shot offer is currently available. If the URL re-directs you elsewhere, then it's not.
MCSE World Forums - Exam 70-296 Review -- Excellent notes, mainly on what to expect.
Snoopy's Notes for Exam 70-296 -- Excellent notes, mainly covering study materials.
MCPmag - Exam Review: 70-296 -- Very good review of the exam.
Free (or demo) 70-296 practice exams:
Retail 70-296 practice exams:
Forums and newsgroups that cover 70-296:

Study Notes
Functional Levels
A lot of the exam questions will require you to understand which features are available at which functional levels, so understand them well! The first paragraph of each question is even more important now, for this reason, so read all of the questions carefully.
Domain controller renaming requires the Windows Server 2003 domain functional level and is done with netdom.exe (netdom computername). Domain renaming requires the Windows Server 2003 forest functional level and is done with rendom.exe.
To raise the forest functional level to 2003, the following must be true:
1) All domain controllers in the forest must be Windows Server 2003
2) All domains in the forest must be at least 2000 Native domain functional level
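The domain controller rename described above, as an added example (not from the original notes). It uses netdom computername from the Windows Server 2003 Support Tools; the names DC01.contoso.com and DC-HQ01.contoso.com are assumed. Run it as a Domain Admin on the DC being renamed, and give replication time to carry the new name to the other DCs before the /verify and /makeprimary steps.

```powershell
# Added example: rename a domain controller with netdom computername.
# Requires the Windows Server 2003 domain functional level (netdom refuses
# to rename a DC otherwise). Names below are assumptions for illustration.
$Old = "DC01.contoso.com"
$New = "DC-HQ01.contoso.com"

# 1) Register the alternate name: creates the DNS records and SPNs for $New
#    while $Old keeps working.
netdom computername $Old "/add:$New"

# 2) Wait for AD and DNS replication, then confirm both names are registered
#    everywhere they need to be before switching.
netdom computername $Old /verify

# 3) Make the new name primary. The DC must be rebooted right after this.
netdom computername $Old "/makeprimary:$New"
Write-Host "Reboot $Old now, then run the final step after logging back on."

# 4) After the reboot, log on to the DC under its new name and drop the old one.
#    (Run this line separately, post-reboot.)
# netdom computername $New "/remove:$Old"
```

Leave the old name registered (step 4 commented out) until you have confirmed that clients, replication partners and any hard-coded references (scripts, trusts, DNS forwarders on other servers) have picked up the new name; the /remove step is what finally deletes the old SPNs and DNS records.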
Trusts
Forest trusts are transitive and use Kerberos authentication between the forests; external trusts are non-transitive and use NTLM.
When establishing a forest trust, facilitate name resolution between the two forests using conditional forwarding!
Trusts will often need to be deleted and re-created if any major changes (such as domain renaming) are made after the trust is created.
The Active Directory Migration Tool requires two-way trusts in order to migrate AD between forests.
Active Directory
DNS
To integrate a BIND DNS server into an AD infrastructure, configure it as a secondary DNS server.
A DNS server that hosts a zone named "." believes it is a root server and, thus, will not use root hints or forwarders to resolve internet names. Delete that zone (and then configure forwarders or root hints) to allow internet name resolution.
Debug logging is a new DNS feature in 2003 that allows monitoring of DNS events on servers. When monitoring notification events, enable debug logging on the server receiving the notifications.
The Notify page (accessible from the Zone Transfers tab) is for notifying secondary zones of updates. It is not used for AD-integrated zones, since AD does its own polling for them.
Know the difference between replicating to the DomainDNSZones and ForestDNSZones application partitions: DomainDNSZones replicates a zone to every DNS server that is a domain controller in that domain, while ForestDNSZones replicates it to every DNS server that is a domain controller anywhere in the forest.
Article: Windows Networking - DNS Conditional Forwarding in Windows Server 2003 -- Good overview of conditional forwarding.
Article: ExamCram2 70-296 sample chapter (on DNS) -- An actual, complete chapter from the ExamCram2 70-296 book.
Article: Microsoft Documentation - How DNS Works -- A very comprehensive guide on DNS by Microsoft that should, certainly, be able to answer any DNS questions that you may have. Particularly, it's a must-read for those who aren't strong in DNS fundamentals, but advanced users definitely take a look, as well. There's a lot of good information in there.
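The two DNS fixes from the notes above (removing a stray "." zone, and adding a conditional forwarder for a forest-trust partner) as an added example, not code from the original page. It uses dnscmd from the Windows Server 2003 Support Tools; the server name DNS01, the forwarder 192.0.2.53, the partner zone partner.example and its DNS server 10.20.0.10 are assumed.

```powershell
# Added example: dnscmd commands for the two DNS items above.
# Run on (or against) the Windows Server 2003 DNS server; all names/IPs are assumptions.
$Server = "DNS01"

# 1) A zone named "." makes this server think it is a root server, so it never
#    sends queries outward. Delete it (/f skips the confirmation prompt) and then
#    give the server somewhere to send internet queries: a forwarder, with
#    /NoSlave so it still falls back to root hints if the forwarder is down.
dnscmd $Server /ZoneDelete . /f
dnscmd $Server /ResetForwarders 192.0.2.53 /NoSlave

# 2) Conditional forwarding for the partner forest: queries for partner.example
#    and its subdomains go straight to the partner's DNS server. This is what
#    makes name resolution work across a forest trust without hosting
#    secondary or stub copies of the partner's zones.
dnscmd $Server /ZoneAdd partner.example /Forwarder 10.20.0.10

# 3) Confirm the root zone is gone and the forwarder zone is listed.
dnscmd $Server /EnumZones
```

Repeat step 2 on the partner side, pointing at your DNS servers, or the trust will only resolve in one direction; then test with nslookup against a DC name in each forest before creating the forest trust.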
Disaster Recovery
Know the basics of Emergency Management Services!: MCSE Magazine - Emergency Management Services Overview
Know how to create an additional domain controller in an existing domain from backup media! This is useful when AD replication over the WAN link isn't a good idea. Microsoft Documentation - Introduction to Administering Active Directory Backup and Restore
Backup
The System State on a domain controller must be restored from Directory Services Restore Mode (DSRM). This mode (accessed by hitting F8 at the boot menu) loads Windows with its full GUI, except that Active Directory is not started, so you log on with the local DSRM administrator password set during dcpromo. This is very different from the Recovery Console, which simply loads a DOS-like command environment.
System State components cannot be backed up or restored individually!
A non-authoritative ("normal") restore restores data and allows replication to bring all data up to date.
An authoritative restore is a normal restore followed by running Ntdsutil.exe (authoritative restore) to mark the restored objects as authoritative. This increments their version numbers so that replication does not overwrite them with the newer (for example, deleted) state held by the other domain controllers. It is used to roll back changes such as an accidentally deleted OU.
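The backup and authoritative-restore steps above as an added example, not from the original notes. The backup path D:\Backups and the OU OU=Sales,DC=contoso,DC=com are assumptions. Both commands are plain command lines and run unchanged from cmd.exe, which is what you will actually have in Directory Services Restore Mode.

```powershell
# Added example: System State backup of a DC, and the ntdsutil step that turns a
# normal restore into an authoritative one. Paths and DN are assumptions.

# 1) Back up System State while the DC is online. System State is backed up as a
#    unit (you cannot pick individual components). /v:yes verifies, /l:s writes a
#    summary log.
$BackupFile = "D:\Backups\SystemState-$(Get-Date -Format yyyyMMdd).bkf"
ntbackup backup systemstate /j "DC System State" /f $BackupFile /v:yes /l:s

# 2) Recovery, done from DSRM (F8 at boot, DSRM administrator password):
#    a) restore the .bkf with ntbackup to its original location (normal restore);
#    b) BEFORE rebooting into normal mode, mark the deleted OU authoritative.
#       ntdsutil accepts its menu commands as quoted arguments, so this is a
#       single line; the two "quit" entries back out of the menus.
ntdsutil "authoritative restore" "restore subtree OU=Sales,DC=contoso,DC=com" quit quit

# 3) Reboot into normal mode; the restored OU now replicates outward instead of
#    being overwritten by the deletion.
```

Only mark the subtree (or object) you actually need to roll back; marking the whole database authoritative ("restore database") discards every change made anywhere in the domain since the backup was taken.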
Clusters
2003 Standard and Web Editions do not support server clusters, but all 2003 editions support Network Load Balancing.
Server clusters share data storage and are for stateful apps such as SQL Server and Exchange Server.
Network Load Balancing uses replicated local data and is for stateless apps such as WWW, FTP and VPN servers.
The service for Network Load Balancing is called Windows Load Balancing Service (WLBS), a name throwback to 2000/NT. Nlb.exe, the command-line tool, is identical to the old Wlbs.exe tool.
Network Load Balancing is easier and cheaper to extend than server clusters (just buy another server and add it to the others).
Pay attention to whether a cluster question says "scale up" (meaning upgrading the current servers) or "scale out" (meaning add more servers).
Single-instance applications (like DHCP) cannot run on more than one server at a time; multiple-instance applications can (usually through partitioning).
A server cluster's quorum is the configuration data for the cluster; the quorum resource is the drive that it is stored on.
Quorum models:
Single-node cluster - a cluster with a single server. The quorum is stored on the server's local disk.
Single-quorum device cluster - a single quorum is stored on one of the shared storage devices.
Majority node set cluster - each node holds a copy of the quorum. Use this model for geographically-dispersed clusters and to avoid the need for a shared storage device.
The majority node set cluster quorum model is new in 2003! From Microsoft: "Using this new quorum mechanism, additional cluster topologies can be built; for example, server clusters with no shared disks. Majority Node Set also makes it easier to build and configure multi-site, geographically dispersed clusters."
Practice using Cluster Administrator. Create a test cluster and know the configuration settings of resources and groups.
Certificates
Certificate Authorities (CAs) can be one of two types:
Enterprise - Requires Active Directory; supports auto-enrollment; not suitable for outside the enterprise.
Stand-alone - Does not require Active Directory; cannot auto-enroll (admin must manually approve).
Enterprise CAs can issue certificates only to Active Directory clients.
Certificate auto-enrollment requires version 2 certificate templates, which means an enterprise CA running Windows Server 2003 Enterprise or Datacenter Edition, an Active Directory schema updated for Windows Server 2003 (adprep /forestprep), and Windows XP or Windows Server 2003 clients.
Certificate auto-enrollment is configured as part of the certificate template.
The Certificate Authority console is used to manually approve (enroll) pending certificates.
Certificates can be manually requested from enterprise CAs with the Certificates snap-in and from stand-alone CAs with the Web Enrollment module (requires IIS and ASP).
Subordinate CAs that are children of commercial CAs are the best option for e-commerce use (because web clients already trust the commercial root and get no certificate warning).
Smart cards require enterprise CAs.
Smart cards can be required for logon by enabling Interactive logon: Require smart card in a computer GPO or by selecting Smart card is required for interactive logon on each user account.
Smartcard User template certificates allow users to use smart cards for logon and for secure e-mail. Smartcard Logon template certificates allow users to use smart cards solely for logging on. Enrollment Agent template certificates allow a user to request certificates on behalf of other users (for example, at a smart card enrollment station).
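The two ways of requiring a smart card, as an added example that is not from the original notes. It sets the per-account flag through ADSI (userAccountControl bit 0x40000, ADS_UF_SMARTCARD_REQUIRED) and reads the registry value the GPO setting writes (ScForceOption under the Policies\System key). The user DN and OU are assumptions.

```powershell
# Added example: require smart card logon per account (ADSI) and check the
# machine-wide GPO setting. DN/OU below are assumptions.
$SMARTCARD_REQUIRED = 0x40000   # ADS_UF_SMARTCARD_REQUIRED in userAccountControl

# Per-account: equivalent to ticking "Smart card is required for interactive logon".
function Set-SmartCardRequired([string]$UserDn) {
    $user = [ADSI]"LDAP://$UserDn"
    $uac  = [int]$user.Properties["userAccountControl"].Value
    if (($uac -band $SMARTCARD_REQUIRED) -eq 0) {
        $user.Properties["userAccountControl"].Value = $uac -bor $SMARTCARD_REQUIRED
        $user.CommitChanges()
    }
}

# Do it for every user in an OU (e.g. the admins who have been issued cards).
$ou = [ADSI]"LDAP://OU=Admins,DC=contoso,DC=com"
foreach ($child in $ou.Children) {
    if ($child.SchemaClassName -eq "user") {
        Set-SmartCardRequired $child.distinguishedName.Value
        "Smart card now required for $($child.sAMAccountName.Value)"
    }
}

# Machine-wide: "Interactive logon: Require smart card" lands in the registry as
# ScForceOption=1 once the computer GPO has applied. 1 = required, 0/absent = not.
$policyKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$force = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).ScForceOption
"Interactive logon: Require smart card on this computer = $(if ($force -eq 1) {'enabled'} else {'not enabled'})"
```

The account flag applies wherever that user logs on; the GPO setting applies to every account logging on to the computers in its scope, so a terminal server or admin workstation is the typical target for it.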
When making a big change to an already-deployed certificate, users will have to be re-enrolled: Microsoft Documentation - Re-enroll All Certificate Holders
Know the purpose of the Cert Publishers group: its members (the enterprise CAs) are allowed to publish issued certificates to the userCertificate attribute of user objects in Active Directory.
Know about CA role-based administration (mainly the Certificate Manager role and its permission, Issue and Manage Certificates, which lets it approve, deny and revoke certificates without being a CA Administrator). Microsoft Documentation - Role-Based Administration
A new feature of Windows Server 2003 Certificate Services is private key archiving. Microsoft Documentation - Configure a Certificate for Key Archival and Recovery
IPsec
IPsec is natively-supported only on 2000, XP and 2003! SMB Signing support goes all the way back to NT4.0 and 98!
Authentication Header (AH) offers authenticity (who sent this packet?), integrity (was it modified in transit?) and replay protection (is this a replayed copy of an earlier packet?), but not confidentiality (is the data encrypted?), while Encapsulating Security Payload (ESP) offers all four. Note that AH's integrity check also covers the IP header, whereas ESP's covers only the payload.
Authentication Header (AH) and Encapsulating Security Payload (ESP) can be used independently of one another or together. Together is more secure.
Transport mode requires the end computers to do the encrypting and decrypting (end-to-end); tunnel mode has the gateways closest to the computers (the routers or VPN servers at each site) do it, so the hosts themselves need no IPsec.
The three default IPsec policies are:
Client (Respond Only) - Use IPsec only if asked by another computer.
Server (Request Security) - Request IPsec but fall back to unsecured if the other computer does not support IPsec.
Secure Server (Require Security) - Require IPsec for all communications.
IPsec policy rules are made of two things: IP filter lists (which traffic to look for) and filter actions (what to do with the traffic).
Of the algorithms available in Windows Server 2003, the strongest ESP combination is SHA1 for authenticity and integrity (rather than MD5) and 3DES for confidentiality (rather than DES).
Configuring an IPsec filter to be mirrored creates a second filter with opposite source and destination addresses. For example, if the first filter blocks port 25 traffic to this computer from the internet (inbound), its mirror filter will block port 25 traffic from this server to the internet (outbound).
To negotiate IPsec through a firewall, you must allow UDP port 500 in both directions for IKE, IP protocol 50 for ESP and IP protocol 51 for AH (these are IP protocol numbers, not ports). Additionally, if a NAT device sits between the peers and you will be using NAT Traversal (NAT-T), UDP port 4500 must also be allowed.
Article: Microsoft Documentation - IPsec for Microsoft Windows Server 2003 (good overview, lots of network diagrams)
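A policy built from the pieces described above (a mirrored filter, a filter action that requires ESP with SHA1 and 3DES, a rule, and assignment), as an added example rather than code from the original notes. It uses the Windows Server 2003 netsh ipsec static context; the policy, filter list and filter action names are assumptions. The netsh lines are identical from cmd.exe.

```powershell
# Added example: a "Require Security"-style policy for SMTP to this server,
# built with netsh ipsec static. Names are assumptions; run in an admin shell.

# Filter list with one mirrored filter: inbound TCP/25 from anywhere to this
# host, plus the automatic mirror (source/destination swapped) for the replies.
netsh ipsec static add filterlist name=SMTP-In 'description=SMTP to this server'
netsh ipsec static add filter filterlist=SMTP-In srcaddr=Any dstaddr=Me protocol=TCP srcport=0 dstport=25 mirrored=yes

# Filter action: negotiate ESP with 3DES confidentiality and SHA1 integrity.
# soft=no   -> do not fall back to clear text with non-IPsec peers
# inpass=no -> do not accept unsecured inbound packets even to start negotiation
netsh ipsec static add filteraction name=ESP-3DES-SHA1 action=negotiate 'qmsecmethods=ESP[3DES,SHA1]' inpass=no soft=no

# Policy and rule: this filter list + this action, Kerberos authentication.
netsh ipsec static add policy name=Require-ESP 'description=Require ESP for SMTP to this server'
netsh ipsec static add rule name=Secure-SMTP policy=Require-ESP filterlist=SMTP-In filteraction=ESP-3DES-SHA1 kerberos=yes

# Assign it (only one policy can be assigned to a computer at a time) and verify.
netsh ipsec static set policy name=Require-ESP assign=yes
netsh ipsec static show policy name=Require-ESP level=verbose
```

Switching soft=no to soft=yes turns this into the "Request Security" behaviour from the list above. Do not assign a require policy that covers client-facing traffic on a domain controller unless every client can negotiate IPsec; use a request policy there instead.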
Wireless Networks
Wireless networks can be either infrastructure mode (clients negotiate with access points) or ad-hoc mode (clients negotiate with each other).
Shared key authentication requires WEP to be enabled. When you think of one, think of the other. You don't need to know WPA (WEP's successor) for the exam.
Use 802.1X authentication with EAP-TLS if you do have a PKI (clients authenticate with certificates or smart cards). Particularly, for the exam, think of EAP-TLS when you're asked about smart cards (and vice-versa).
Use 802.1X authentication with PEAP (PEAP-MS-CHAP v2) if you don't have a PKI for clients: users authenticate with passwords inside a TLS tunnel, so only the RADIUS (IAS) server needs a certificate. PEAP requires XP SP1 or 2003 on the client.
Miscellaneous
Know the function and settings of the Microsoft Baseline Security Analyzer (MBSA) and its command-line version, mbsacli.exe! WindowsNetworking - Microsoft Baseline Security Analyzer
Know the SysKey utility (syskey.exe) and its three options: Microsoft Documentation - How to use the SysKey utility...
Shadow Copies of Shared Folders must be enabled per volume (not per folder), and clients need the Previous Versions client (included in Windows Server 2003; installed separately on XP) to see and restore the copies.
Know the key security templates
Securews.inf - sends only NTLMv2 responses; requests SMB signing.
Securedc.inf - accepts only NTLM and NTLMv2 responses; requests SMB signing.
Hisecws.inf - sends only NTLMv2 responses; requires SMB signing and encryption for secure channel data.
Hisecdc.inf - accepts only NTLMv2 responses; requires SMB signing and encryption for secure channel data.
Setup Security.inf, DC Security.inf and Basic*.inf are all used only to revert to the original (default) settings, not to increase security.
Note: *ws.inf templates are for workstations and member servers; *dc.inf templates are for domain controllers only.
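Before applying one of the templates above it is worth seeing exactly which settings it would change on a given machine. The following is an added example (not from the original notes) that runs secedit /analyze against each template and lists the differing settings. It assumes the templates are in the default %SystemRoot%\security\templates folder and that the analysis log reports differences on lines containing "Mismatch", which is how secedit on Windows Server 2003 writes them.

```powershell
# Added example: analyze this computer against the secure/hisec templates
# before configuring. Paths and the "Mismatch" log convention are assumptions.
$TemplateDir = Join-Path $env:SystemRoot "security\templates"
$WorkDir     = Join-Path $env:TEMP "secedit-analysis"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Member server / workstation templates; use securedc and hisecdc on a DC.
foreach ($name in @("securews", "hisecws")) {
    $inf = Join-Path $TemplateDir "$name.inf"
    $db  = Join-Path $WorkDir "$name.sdb"
    $log = Join-Path $WorkDir "$name.log"

    # Import the template into a fresh analysis database and compare.
    if (Test-Path $db) { Remove-Item $db }
    secedit /analyze /db $db /cfg $inf /log $log /quiet

    "=== $name : settings on this computer that differ from the template ==="
    Select-String -Path $log -Pattern "Mismatch" | ForEach-Object { $_.Line.Trim() }
    ""
}

# Apply a template only after reviewing the list above; hisecws, for example,
# requires SMB signing and NTLMv2, which cuts off clients that cannot do either.
# secedit /configure /db $db /cfg $inf /overwrite /log $log
```

Open the .sdb in the Security Configuration and Analysis snap-in if you want the same comparison with a GUI; the snap-in and secedit read the same database.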
Article: Microsoft Documentation - Windows Server 2003 Security Guide - A very comprehensive guide on server roles that some of you may find helpful.

--- Created 2005 by Jon - MCSE 2003/2000, MCSE: Security 2003, MCSE: Messaging 2003/2000, Security+ ---