Performing a Nonauthoritative Restore

April 19th, 2010  by June

To restore the system state data on a domain controller, you must first start your computer in a special safe mode called directory services restore mode. This allows you to restore the Sysvol directory and Active Directory directory services database. You can only restore system state data on a local computer. You cannot restore the system state data on a remote computer.

However, you can restore backed up system state data to an alternate location—a folder you designate. By restoring to an alternate location, you preserve the file and folder structure of the backed up data—all folders and subfolders appear in the alternate folder you specify.

Note If you restore the system state data and you do not designate an alternate location for the restored data, Backup will erase the system state data that is currently on your computer and replace it with the system state data you are restoring. Also, if you restore the system state data to an alternate location, only the registry files, Sysvol directory files, Cluster database information files (if applicable) and system boot files are restored to the alternate location. The Active Directory database, Certificate Services database (if applicable), and COM+ Class Registration database are not restored if you designate an alternate location.

To nonauthoritatively restore Active Directory, complete the following steps:

1. Restart the computer.

2. During the phase of startup where the operating system is normally selected, press F8.

3. On the Windows Advanced Options Menu, select Directory Services Restore Mode and press Enter. This ensures that the domain controller is offline and is not connected to the network.

4. At the Please Select The Operating System To Start prompt, select the appropriate Microsoft Windows Server 2003 operating system and press Enter.

5. Log on to your domain as Administrator.

Note When you restart the computer in directory services restore mode, you must log on as an Administrator by using a valid Security Accounts Manager (SAM) account name and password, not the Active Directory Administrator's name and password. This is because Active Directory is offline, and account verification cannot occur. Rather, the SAM accounts database is used to control access to Active Directory while it is offline. You specified this password when you set up Active Directory.

6. In the Desktop message box that warns you that Windows is running in safe mode, click OK.

7. Point to Start, point to All Programs, point to Accessories, point to System Tools, and then select Backup.

8. On the Welcome To The Backup Or Restore Wizard page, click Next.

9. On the Backup Or Restore page, shown previously in Figure 3-8, select Restore Files And Settings. Click Next.

10. On the What To Restore page, shown in Figure 3-26, expand the media type that contains the data that you want to restore in the Items To Restore box or click Browse. The media can be either tape or file. Expand the appropriate media set until the data that you want to restore is visible. Select the data you want to restore, such as system state, then click Next.

Figure 3-26 Backup Or Restore Wizard, What To Restore page with system state data selected for restore

11. Ensure that the media containing the backup file is in the correct location.

12. On the Completing The Backup Or Restore Wizard page, do one of the following:

a. Click Finish to start the restore process. The Backup Or Restore Wizard requests verification for the source of the restore data and then performs the restore. During the restore, the Backup Or Restore Wizard displays status information about the restore.

b. Click Advanced to specify advanced restore options. Refer to the next section, "Specifying Advanced Restore Settings for a Nonauthoritative Restore," for details.

13. In the Warning message box that warns you that restoring system state will always overwrite current system state, click OK.

14. The Restore Progress dialog box displays status information about the restore process. As with the backup process, when the restore is complete, you can choose to view the report of the restore. The report contains information about the restore, such as the number of files that have been restored and the duration of the restore process.

15. Close the report when you have finished viewing it and then click Close to close the restore operation.

16. When prompted to restart the computer, click Yes.
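The wizard tells you the restore finished, but a nonauthoritative restore is only complete once the domain controller has rebooted normally and replication partners have brought the restored database up to date. The following PowerShell script is an added example, not part of the original post, that checks for that after the reboot in step 16. It assumes PowerShell with WMI access on the restored Windows Server 2003 domain controller and that repadmin.exe from the Support Tools is on the PATH; the treatment of repadmin's exit code and the word "failed" in its output as the error signal is an assumption about that tool's output format.

```powershell
# Added example (not from the original post): post-restore sanity check for a
# Windows Server 2003 domain controller, run after the final reboot in step 16.
# Assumptions: WMI is reachable, and repadmin.exe (Support Tools) is on the PATH.

function Test-DcAfterRestore {
    $problems = @()

    # 1. The DC must have rebooted out of Directory Services Restore Mode.
    #    Win32_ComputerSystem.BootupState reads "Normal boot" for a normal start;
    #    any safe-mode variant (DSRM is one) means Active Directory is still offline.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.BootupState -ne 'Normal boot') {
        $problems += "Boot state is '$($cs.BootupState)', expected 'Normal boot'"
    }

    # 2. Services a DC needs after a system state restore: Netlogon (advertises
    #    the DC) and NtFrs (File Replication Service, which replicates the
    #    restored Sysvol on Windows Server 2003).
    foreach ($name in 'Netlogon', 'NtFrs') {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null -or $svc.State -ne 'Running') {
            $problems += "Service $name is not running"
        }
    }

    # 3. SYSVOL and NETLOGON shares: FRS publishes them once the restored Sysvol
    #    is ready, so a missing share means clients cannot pull policy yet.
    $shares = Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name }
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if ($shares -notcontains $share) {
            $problems += "Share $share is missing"
        }
    }

    # 4. Inbound replication: a nonauthoritative restore relies on partners to
    #    update the restored database. Assumption: repadmin /showrepl returns a
    #    nonzero exit code or prints "failed" for a failing inbound link.
    $output = & repadmin /showrepl 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0 -or $output -match 'failed') {
        $problems += "repadmin /showrepl reported replication errors (exit code $LASTEXITCODE)"
    }

    return $problems
}

$result = @(Test-DcAfterRestore)
if ($result.Count -eq 0) {
    Write-Host 'Domain controller looks healthy after the nonauthoritative restore.'
} else {
    $result | ForEach-Object { Write-Host "PROBLEM: $_" }
}
```

Run it once immediately after logging on normally and again after a replication cycle; a missing SYSVOL share right after the reboot is expected until FRS has finished its initial synchronization, so only a share that stays missing is a finding.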

Customizing MMCs

April 17th, 2010  by June

In the previous lesson, you learned how to use the standard administrative consoles provided when you install Active Directory. You can also create custom consoles that focus on management tasks you specify by using the MMC. This lesson explains how you can create, use, and modify custom consoles.

After this lesson, you will be able to

Create customized MMCs

Modify customized MMCs

Estimated lesson time: 25 minutes

The MMC

The MMC is a tool used to create, save, and open collections of administrative tools, which are called consoles. When you access the Active Directory administrative consoles discussed in Lesson 1, you are accessing the MMC for that tool. The Active Directory Domains And Trusts, Active Directory Sites And Services, and Active Directory Users And Computers administrative tools are each a console. The console does not provide management functions itself, but is the program that hosts management applications called snap-ins. Snap-ins are programs used by administrators to manage network services.

There are two types of MMCs: preconfigured and custom. Preconfigured MMCs contain commonly used snap-ins, and they appear on the Administrative Tools menu. You create custom MMCs to perform a unique set of administrative tasks, such as the MMC for the Active Directory schema discussed in the previous lesson. You can use both preconfigured and custom MMCs for remote administration.

Verifying Domain Configuration

April 16th, 2010  by June

After the domain controller is installed, various Active Directory administrative tools are added to the administrative tools menu. You can verify that Active Directory is functioning properly and that your domain controller is placed properly by opening the Active Directory Users And Computers console and checking for the presence of the domain and domain controller.

To verify domain configuration, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users And Computers.

2. On the Active Directory Users And Computers console, verify that your domain is correctly named by finding it in the console tree.

3. Double-click the domain. Click the Domain Controllers container. Verify that your domain controller appears and is correctly named by finding it in the details pane.

4. Double-click the server. Verify that all information is correct on the tabs in the Properties dialog box for the server.
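The same four checks can be scripted so they run after every domain controller build instead of being clicked through once. The PowerShell function below is an added example, not part of the original lesson; it reads the domain through ADSI/LDAP, which needs no Active Directory module and works against a Windows Server 2003 domain controller. It assumes it runs on a domain-joined machine that can reach a domain controller over LDAP; the domain name and domain controller name passed in are constructed sample values.

```powershell
# Added example (not part of the original lesson): verify domain configuration
# over LDAP via ADSI. Assumption: run from a domain-joined machine with LDAP
# access to a domain controller. The expected names are constructed samples.

function Test-DomainConfiguration {
    param(
        [string]$ExpectedDomainDns,   # e.g. 'contoso.com'  (constructed sample value)
        [string]$ExpectedDcName       # e.g. 'DC01'         (constructed sample value)
    )
    $findings = @()

    # RootDSE is readable by any authenticated principal; it tells us which DC
    # answered and the distinguished name of the domain naming context.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext      # e.g. DC=contoso,DC=com

    # Step 2 equivalent: is the domain correctly named? Convert the DN to DNS form.
    $domainDns = (($domainDn -split ',') | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
    if ($domainDns -ne $ExpectedDomainDns) {
        $findings += "Domain is '$domainDns', expected '$ExpectedDomainDns'"
    }

    # Step 3 equivalent: look for the computer object in the Domain Controllers OU.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://OU=Domain Controllers,$domainDn"
    $searcher.Filter = "(&(objectCategory=computer)(cn=$ExpectedDcName))"
    $null = $searcher.PropertiesToLoad.Add('dNSHostName')
    $null = $searcher.PropertiesToLoad.Add('userAccountControl')
    $dc = $searcher.FindOne()

    if ($dc -eq $null) {
        $findings += "No computer named $ExpectedDcName in OU=Domain Controllers,$domainDn"
    } else {
        # Step 4 equivalent: the properties that matter. A real domain controller
        # account carries SERVER_TRUST_ACCOUNT (0x2000) in userAccountControl,
        # and its dNSHostName should sit inside the domain it was promoted into.
        $uac = [int]$dc.Properties['useraccountcontrol'][0]
        if (($uac -band 0x2000) -eq 0) {
            $findings += "$ExpectedDcName is not flagged as a domain controller account"
        }
        $host = [string]$dc.Properties['dnshostname'][0]
        if ($host -notlike "*.$ExpectedDomainDns") {
            $findings += "dNSHostName '$host' is not in domain $ExpectedDomainDns"
        }
    }
    return $findings
}

# Usage with constructed sample values; an empty result means all checks passed.
$findings = @(Test-DomainConfiguration -ExpectedDomainDns 'contoso.com' -ExpectedDcName 'DC01')
if ($findings.Count -eq 0) { Write-Host 'Domain configuration verified.' }
else { $findings | ForEach-Object { Write-Host "CHECK FAILED: $_" } }
```

The userAccountControl test is the one the console does not make obvious: a computer object that merely sits in the Domain Controllers OU is not a domain controller, whereas the SERVER_TRUST_ACCOUNT flag is set only by promotion.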

Lesson Review

April 15th, 2010  by June

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in the "Questions and Answers" section at the end of the chapter.

1. What are the reasons to create more than one child domain under a dedicated root domain?

2. What is a forest root domain?

3. For best performance and fault tolerance, where should you store the database and log files?

4. What is the function of the shared system volume folder and where is the default storage location of the folder?

5. Which of the following is not a valid reason for creating an additional domain?

a. To meet SAM size limitations

b. To meet required security policy settings, which are linked to domains

c. To meet special administrative requirements, such as legal or privacy concerns

d. To optimize replication traffic

Analyzing Business and Technical Environments

April 14th, 2010  by June

After you've assembled a design team, the next design tools you need to assemble are analyses of your organization's business and technical environments. An analysis of an organization's business environment defines how it organizes and manages its nontechnical resources, such as its products and customers, business structure, business processes, company strategies, and the information technology (IT) management organization. An analysis of an organization's technical environment defines how it organizes and manages its technical resources, such as its network architecture, hardware, software, technical standards, DNS environment (if applicable), and Windows NT environment (if applicable). Most often, your organization will have a business infrastructure or network already in place; it's up to you as an infrastructure designer to call on members of the design team to help you assemble documentation about these environments.

After you complete your infrastructure design, you should be prepared to test it in a test environment. A test environment is a simulation of your production environment that allows you to test parts of your Windows Server 2003 deployment, such as your Active Directory infrastructure design, without risk to your organization's network. To ensure the success of your organization's Windows Server 2003 deployment, your organization should establish a test environment.

By setting up your infrastructure design in a test environment, you can see how the design actually works and determine whether any changes are necessary for improvement. Setting up your design in a test environment is an invaluable tool in the development of an effective design.

Active Directory Services Features

April 13th, 2010  by June

Active Directory in the Windows Server 2003 family is a significant enhancement over the flat domain model provided in Windows NT. Active Directory is integrated within the Windows Server 2003 family and offers the following features:

Centralized data store All data in Active Directory resides in a single, distributed data repository, allowing users easy access to the information from any location. A single distributed data store requires less administration and duplication and improves the availability and organization of data.

Scalability Active Directory enables you to scale the directory to meet business and network requirements through the configuration of domains and trees and the placement of domain controllers. Active Directory allows millions of objects per domain and uses indexing technology and advanced replication techniques to speed performance.

Extensibility The structure of the Active Directory database (the schema) can be expanded to allow customized types of information.

Manageability In contrast to the flat domain model used in Windows NT, Active Directory is based on hierarchical organizational structures. These organizational structures make it easier for you to control administrative privileges and other security settings, and make it easier for your users to locate network resources such as files and printers.

Integration with the Domain Name System (DNS) Active Directory uses DNS, an Internet standard service that translates easily readable host names to numeric Internet Protocol (IP) addresses. Although separate and implemented differently for different purposes, Active Directory and DNS have the same hierarchical structure. Active Directory clients use DNS to locate domain controllers. When using the Windows Server 2003 DNS service, primary DNS zones can be stored in Active Directory, enabling replication to other Active Directory domain controllers.

Client configuration management Active Directory provides new technologies for managing client configuration issues, such as user mobility and hard disk failures, with a minimum of administration and user downtime.

Policy-based administration In Active Directory, policies are used to define the permitted actions and settings for users and computers across a given site, domain, or organizational unit. Policy-based management simplifies tasks such as operating system updates, application installation, user profiles, and desktop-system lockdown.

What Are the Principles of Information Security Design?

April 12th, 2010  by June

You can use several well-known security design principles to help you design security for information systems. These principles have their roots in the design of security for business system processes. Although you might not be able to apply every principle to every security design situation, you will find that using these principles will allow you to quickly see where security can be added. These principles should be part of your framework. Throughout this book, these principles will be used to explain specific security designs. Use the following security design principles to help you design security for information systems:

Separation of duties. Whenever possible, separate the functions of critical operations and assign different parts of the operation to different roles within the organization. For example, programmers should not have network administration privileges; those with backup rights shouldn't have restore rights; and auditors shouldn't be able to modify systems.

Least privilege. Give people only the privileges and access to data that they absolutely need. For example, users shouldn't be administrators on their desktops. Delegate administrative authority at the organizational unit (OU) level where possible, not domainwide.

Reducing the attack surface. The fewer avenues of attack that are available, the less there is to protect and the less chance there is of the network being compromised. For example, disable unneeded services, don't install unnecessary services or applications, and protect sensitive data with encryption.

Defense in depth. Do not rely on one defense. Use many. If one fails, the other might prevent the intrusion or at least give you time to deal with it. For example:

Require authentication, use permissions on shares, use permissions on folders, and use permissions on files.

Use a firewall, use gateway filters for e-mail, harden servers and client computers, train administrators, train users, and create an incident response team.

Diversity of mechanism. If every computer is the same and if every defense mechanism is the same, then they will fail the same way. Use a variety of mechanisms. This is also addressed by providing redundancy and multiple paths. For example, design a classic perimeter network (also known as a DMZ, or demilitarized zone, and a screened subnet) or border network with two firewalls. One firewall should be between the Internet and the border network and the other should be between the border network and the internal network. Do not use the same firewall at each border. If an intruder successfully penetrates the external firewall, you do not want her to be able to use the same attack on the internal firewall.

Use of fail-safe defaults. Systems should always be configured to choose the most secure default action. For example:

Ports on firewalls should always be closed by default. You must open those for which you want to provide access.

No access, such as access to a file, should be possible unless it is explicitly given.

Economy of mechanism. Complexity is the enemy of security. The more complex security is, the more likely it is to fail. When a security strategy is hard to understand, people don't use it or configure it incorrectly. For example, if a smart card must be in the smart card reader to keep a session going, make the smart card the employee ID badge. Because an ID badge must be worn at all times, the user's smart card will always be available to the user. Only one card is therefore necessary for both approved entrance to the building and free access to building facilities and the logon for the computer. In addition, when a user leaves his desk, he must remove the smart card to retrieve the necessary badge for building access. If the computer is configured to log the user off when the card is removed, another security activity is automatically used and the user doesn't have to remember to do it.

Use of open designs. Security through obscurity generally doesn't work if it is the only security strategy. Security designs should use well-understood algorithms. Well-known algorithms have been examined by many security experts, and it is more likely that the flaws have been discovered and corrected. This does not mean that you should expose the security mechanisms in place for your organization, network, applications, and so on. It means that you should choose well-known algorithms and products that have been inspected by others and use generally accepted practices and principles. An example of this is to use IPSec for communication security or Kerberos for authentication, as opposed to using proprietary protocols.
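Two of the principles above, reducing the attack surface and fail-safe defaults, combine naturally into one recurring check: inventory what is running or set to start automatically, and treat anything that is not on an explicit allow-list as a finding. The PowerShell function below is an added example, not from the original text; it reads the service inventory through WMI (Win32_Service), and the baseline list and the sample inventory it is exercised against are constructed for illustration only, so a real baseline must come from your own server role documentation.

```powershell
# Added example (not from the original text): attack-surface audit built on the
# fail-safe default "not approved means flagged". Baseline and sample inventory
# below are constructed values; the live inventory comes from Win32_Service.

function Get-UnapprovedServices {
    param(
        [string[]]$ApprovedServices,                                   # explicit allow-list
        [object[]]$Services = $(Get-WmiObject -Class Win32_Service)    # live inventory by default
    )
    # Case-insensitive lookup so 'netlogon' in the baseline still matches 'Netlogon'.
    $approved = @{}
    foreach ($name in $ApprovedServices) { $approved[$name.ToLower()] = $true }

    $findings = @()
    foreach ($svc in $Services) {
        # Only services that run now, or will run after a reboot, add to the
        # attack surface; a stopped, disabled service is already where we want it.
        $exposed = ($svc.State -eq 'Running') -or ($svc.StartMode -eq 'Auto')
        if ($exposed -and -not $approved.ContainsKey($svc.Name.ToLower())) {
            $findings += New-Object PSObject -Property @{
                Name      = $svc.Name
                State     = $svc.State
                StartMode = $svc.StartMode
                Account   = $svc.StartName    # LocalSystem services are the costliest to leave exposed
            }
        }
    }
    return $findings
}

# Constructed sample inventory standing in for Get-WmiObject output, so the
# function can be exercised offline. Service names are real Windows Server 2003
# names; their states here are made up for the example.
$sampleInventory = @(
    (New-Object PSObject -Property @{ Name = 'Netlogon';  State = 'Running'; StartMode = 'Auto';     StartName = 'LocalSystem' }),
    (New-Object PSObject -Property @{ Name = 'TlntSvr';   State = 'Running'; StartMode = 'Auto';     StartName = 'LocalSystem' }),
    (New-Object PSObject -Property @{ Name = 'Messenger'; State = 'Stopped'; StartMode = 'Disabled'; StartName = 'LocalSystem' })
)
# Constructed baseline for a domain controller role.
$baseline = 'Netlogon', 'NtFrs', 'DNS', 'Kdc', 'W32Time', 'LanmanServer', 'EventLog'

# Expected: only TlntSvr is reported. Netlogon is approved; Messenger is stopped
# and disabled, so it adds nothing to the attack surface.
Get-UnapprovedServices -ApprovedServices $baseline -Services $sampleInventory |
    Format-Table Name, State, StartMode, Account -AutoSize

# Against the live machine, omit -Services:
#   Get-UnapprovedServices -ApprovedServices $baseline
```

The design choice worth noting is the direction of the default: the function never tries to decide which services are dangerous, it only knows which ones are approved, which is exactly the "no access unless explicitly given" rule applied to a service inventory. A service that is unknown to the baseline is a finding until someone adds it deliberately.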

Microsoft Exam 70-291 Overview

April 6th, 2010  by June

The Microsoft 2003 Server Exam, 70-291, is one of the core exams of the MCSE and MCSA certification tracks. The exam tests a candidate's knowledge of Windows 2003 networking environments and how to implement a successful Windows Server 2003 network in either existing Windows environments or on totally new networks. The exam features simulation and analysis questions that require the candidate to have a thorough working knowledge of the Windows Server 2003 operating system and the way that a Windows 2003 network operates.

Exam Costs: $125 per attempt. You can buy exam vouchers for VUE or Prometric to get a discount. Many online vendors also offer discounts for specific exams; see the "vouchers" section for more about exam discounts through vouchers.

Exam Location: You can register for the exam at any Pearson VUE or Thomson Prometric center.

Time Allocated: 90 minutes per exam

Total marks: Graded from 100-1000 marks

Minimum Pass Marks: About 700

Number of Questions: 50-60 questions per exam

Exam Code: 70-291

Prerequisites: None. Microsoft recommends that the typical candidate for this certification have around 6 to 12 months of experience in Windows networking, but this is not a requirement.

Exam format: Linear format; computer-based test (CBT)

Validation Period: Expires after around 4-5 years (when new and more relevant Microsoft products are released)

Score Report: Delivered immediately on test completion.

70-291 Exam Pattern

*Multiple Choice with Single answer: Student is required to select a single answer from a range of options (generally 4-5) by clicking on a radio button.

*Multiple Choice with Multiple answer: Student is required to select a range of options. The number of options to select is specified.

*Fill in the Blank: Student is required to type in the missing text to complete the sentence.

*Exhibit-based: Note that some questions will require the student to actively use exhibits presented in order to correctly answer the question

*Simulation: Some questions on the exam will require the user to accurately perform certain actions in a simulated Windows Server environment
