The NTLMv2 Technique

May 19th, 2010  by June

In a pure Windows network, or in sections of the network where communication is restricted to Windows machines, you should strengthen authentication by selecting stronger authentication protocols. The strongest option is to replace legacy machines with Windows computers that can use the Kerberos protocol. When replacing legacy machines is not possible, ensure that wherever Kerberos is not used, the strongest available protocol is specified: NTLM, and where the clients support it, NTLMv2. You should also eliminate the LM hash from the account database.

Exam Tip The security option called Network Security: Do Not Store LAN Manager Hash Value on Next Password Change can be used to prevent the storage of the LM hash. Windows 2000 service pack 2 and later and Windows XP computers can accomplish the same task via a registry edit. However, the process is not completed until the next time the user changes his password.

To select NTLM or NTLMv2:

• For Windows 2000 and Windows Server 2003 computers, use the Security Option Network Security: LAN Manager authentication level.

• For Windows NT service pack 4 computers, a registry modification must be made.

• Windows 95/98 computers with the Active Directory client installed can also use NTLM or NTLMv2 if a registry entry is made.

Tip Knowledge Base article 239869 (http://support.microsoft.com/default.aspx?scid=kb;en-us;239869) details how to make NTLM and NTLMv2 changes for improved network authentication and session security.
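The two Security Options named above are stored as registry values under the Lsa key: LAN Manager authentication level is LmCompatibilityLevel (0 to 5), and Do Not Store LAN Manager Hash Value is NoLMHash; the Windows NT 4.0 SP4 registry edit sets the same LmCompatibilityLevel value. The following read-only audit script is an added example, not part of the training kit or of any Microsoft tool; it assumes a Windows host with PowerShell and a user who can read HKLM\SYSTEM, and it flags a machine that still sends LM or NTLM responses or still stores the LM hash.

```powershell
# Added audit script (not from the training kit). Reads the registry values behind the
# two Security Options discussed above and reports whether NTLMv2 is enforced.
# Assumes: Windows host, PowerShell 3+, read access to HKLM\SYSTEM.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each LmCompatibilityLevel value ("Network Security: LAN Manager
# authentication level"). Levels 0-2 still send LM and/or NTLM; 3+ sends NTLMv2 only;
# 4 and 5 additionally make a domain controller refuse LM, then LM and NTLM.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; refuse LM'
    5 = 'Send NTLMv2 response only; refuse LM & NTLM'
}

function Get-NtlmPosture {
    param([string]$Path = $LsaKey)

    $lsa = Get-ItemProperty -Path $Path -ErrorAction Stop

    # An absent value means the OS default applies; treat it as the weakest setting
    # and let the finding say "REVIEW" so the administrator confirms it explicitly.
    $level = 0
    if ($null -ne $lsa.LmCompatibilityLevel) { $level = [int]$lsa.LmCompatibilityLevel }

    $noLmHash = $false
    if ($null -ne $lsa.NoLMHash) { $noLmHash = ([int]$lsa.NoLMHash -eq 1) }

    $finding = 'OK'
    if ($level -lt 3 -or -not $noLmHash) { $finding = 'REVIEW' }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        LmCompatibilityLevel  = $level
        LevelDescription      = $LmLevelNames[$level]
        ClientSendsNtlmv2Only = ($level -ge 3)
        DcRefusesLm           = ($level -ge 4)
        DcRefusesNtlm         = ($level -ge 5)
        NoLMHash              = $noLmHash
        Finding               = $finding
    }
}

Get-NtlmPosture | Format-List
```

Note that NoLMHash only stops new LM hashes from being written; as the Exam Tip says, hashes already on file disappear only when each user next changes a password, so a "REVIEW" on NoLMHash alone does not mean the database is already clean.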

Lesson Summary

May 17th, 2010  by June

• Windows Server 2003 provides three types of user accounts: local user accounts, domain user accounts, and built-in user accounts.

• Local user accounts are stored only in a computer's local security database. Domain user accounts are stored in Active Directory and replicated to all domain controllers in a domain. Built-in user accounts are created automatically by Windows Server 2003 for the purpose of performing administrative tasks or to gain access to network resources.

• The user account naming convention you adopt establishes how users are identified in the domain. A consistent user account naming convention helps you and your users remember user logon names and locate them in lists.

• To protect access to the domain or a computer, every user account should have a strong password. A strong password is a password that provides an effective defense against unauthorized access to a resource. A strong password is at least seven characters long, does not contain all or part of the user's account name, and contains at least three of the four following categories of characters: uppercase characters, lowercase characters, base 10 digits, and symbols found on the keyboard.

• A smart card is a credit card-sized device that is used with a PIN to enable certificate-based authentication and single sign-on to the enterprise. Smart cards securely store certificates, public and private keys, passwords, and other types of personal information. Deploying and maintaining a smart card program requires additional overhead, including the configuration of Certificate Services, smart card reader devices, and the smart cards themselves.
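The strong-password rule in the summary (at least seven characters, no part of the account name, three of four character categories) can be checked before a password is set. The function below is an added example, not part of the training kit or of Windows' own password filter; it assumes PowerShell 3+ and, as its own interpretation of "all or part of the account name", rejects a password that contains the whole account name or any piece of it that is three or more characters long (split on spaces, dots, hyphens and underscores), case-insensitively.

```powershell
# Added example (not from the training kit). Implements the summary's strong-password
# rule. The "part of the account name" interpretation (tokens of 3+ characters) is an
# assumption of this example, not a statement of how Windows' own filter works.

function Test-StrongPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$AccountName
    )
    $reasons = @()

    if ($Password.Length -lt 7) { $reasons += 'shorter than 7 characters' }

    # Whole account name plus every 3+ character token of it, compared case-insensitively.
    $tokens = @($AccountName) + ($AccountName -split '[ ._-]')
    $tokens = $tokens | Where-Object { $_.Length -ge 3 } | Select-Object -Unique
    $lowerPassword = $Password.ToLowerInvariant()
    foreach ($t in $tokens) {
        if ($lowerPassword.Contains($t.ToLowerInvariant())) {
            $reasons += "contains account name part '$t'"
            break
        }
    }

    # Count the four categories; -cmatch is case-sensitive so upper and lower differ.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # keyboard symbols
    if ($categories -lt 3) { $reasons += "only $categories of 4 character categories" }

    # The password itself is deliberately not included in the output.
    [pscustomobject]@{
        AccountName = $AccountName
        Strong      = ($reasons.Count -eq 0)
        Reasons     = ($reasons -join '; ')
    }
}

# Constructed sample inputs for a hypothetical account 'j.smith'.
Test-StrongPassword -Password 'password'     -AccountName 'j.smith'   # too short, 1 category
Test-StrongPassword -Password 'Smith2010!'   -AccountName 'j.smith'   # contains 'smith'
Test-StrongPassword -Password 'Tr0ub4dor&3'  -AccountName 'j.smith'   # passes all three checks
```

Run it as a pre-check in a provisioning script; the domain's own password policy still enforces the rule at the directory, so this only gives earlier and more specific feedback.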

Managing Application Directory Partitions

May 14th, 2010  by June

You can use the following tools to create, delete, or manage application directory partitions:

• Application-specific tools from the application vendor

• Ntdsutil command-line tool

• LDAP

• Active Directory Service Interfaces (ADSI)

This lesson provides information about using Ntdsutil to create and manage application directory partitions. To manage application directory partitions, you must be able to complete the following tasks:

• Create or delete an application directory partition.

• Add or remove an application directory partition replica.

• Display application directory partition information.

• Set a notification delay.

• Prepare a cross-reference object.

• Set an application directory partition reference domain.

To perform these tasks, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.

To perform these tasks, you use the domain management command within the Ntdsutil command. To open the Ntdsutil domain management command:

1. Click Start, and then click Command Prompt.

2. At the command prompt, type ntdsutil.

3. At the Ntdsutil command prompt, type domain management.

4. At the domain management command prompt, type connection.

5. At the connection command prompt, type connect to server ServerName,

where ServerName is the DNS name of the domain controller to which you want to connect.

6. At the connection command prompt, type quit.

When you create an application directory partition, you are creating the first instance of this partition. When you delete an application directory partition, you are removing all replicas of that partition from your forest. The deletion process must replicate to all domain controllers that contain a replica of the application directory partition before the deletion process is complete. When an application directory partition is deleted, any data that is contained in it is lost. To create or delete an application directory partition:

1. Type the appropriate commands to invoke the ntdsutil domain management command.

2. At the domain management command prompt, do one of the following:

• To create an application directory partition, type create nc ApplicationDirectoryPartition DomainController, where ApplicationDirectoryPartition is the distinguished name of the application directory partition you want to create, and DomainController is the DNS name of the domain controller on which you want to create the application directory partition. Type null to create the application directory partition on the domain controller to which you are currently connected.

• To delete an application directory partition, type delete nc ApplicationDirectoryPartition, where ApplicationDirectoryPartition is the distinguished name of the application directory partition you want to delete.

Adding or Removing an Application Directory Partition Replica

An application directory partition replica is an instance of a partition on another domain controller, created for redundancy or data access purposes. When you remove an application directory partition replica, any data that is contained in the replica is lost.

To add or remove an application directory partition replica:

1. Type the appropriate commands to invoke the ntdsutil domain management command.

2. At the domain management command prompt, do one of the following:

• To add an application directory partition replica, type add nc ApplicationDirectoryPartition DomainController, where ApplicationDirectoryPartition is the distinguished name of the application directory partition replica that you want to add, and DomainController is the DNS name of the domain controller on which you want to create the application directory partition replica. Type null to create the application directory partition replica on the domain controller to which you are currently connected.

• To remove an application directory partition replica, type remove nc ApplicationDirectoryPartition DomainController, where ApplicationDirectoryPartition is the distinguished name of the application directory partition replica that you want to delete, and DomainController is the DNS name of the domain controller from which you want to remove the application directory partition replica. Type null to remove the application directory partition replica from the domain controller to which you are currently connected.
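Ntdsutil also accepts its menu commands as quoted command-line arguments and executes them in order, so the interactive sequence above (enter domain management, open a connection, run one nc command, quit back out) can be scripted. The function below is an added example, not part of the training kit or of Ntdsutil itself; it assumes the Windows Server 2003 domain management menu (later releases renamed it partition management), a caller with Domain Admins or Enterprise Admins rights, and constructed names for the partition and domain controller.

```powershell
# Added example (not from the training kit). Builds the ntdsutil argument list for the
# four partition tasks above. Assumes the Server 2003 "domain management" menu.

function New-PartitionCommandLine {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('create', 'delete', 'addreplica', 'removereplica')]
        [string]$Action,
        [Parameter(Mandatory)][string]$PartitionDN,   # distinguished name of the partition
        [Parameter(Mandatory)][string]$ConnectTo,     # DNS name of the DC to connect to
        [string]$TargetDC = 'null'                     # 'null' = the DC you are connected to
    )

    # The single nc command that the procedure types at the domain management prompt.
    $op = switch ($Action) {
        'create'        { "create nc $PartitionDN $TargetDC" }
        'delete'        { "delete nc $PartitionDN" }            # removes ALL replicas, data is lost
        'addreplica'    { "add nc $PartitionDN $TargetDC" }
        'removereplica' { "remove nc $PartitionDN $TargetDC" }
    }

    # Each element is executed by ntdsutil as if typed at its prompt, in order;
    # the quits walk back out of connection, domain management, and ntdsutil.
    @(
        'domain management',
        'connection',
        "connect to server $ConnectTo",
        'quit',
        $op,
        'quit',
        'quit'
    )
}

# Constructed sample: print the exact command line without executing anything.
$cmdArgs = New-PartitionCommandLine -Action create `
    -PartitionDN 'DC=AppData,DC=contoso,DC=com' -ConnectTo 'dc1.contoso.com'
'ntdsutil ' + (($cmdArgs | ForEach-Object { '"' + $_ + '"' }) -join ' ')

# To run it after reviewing the printed line (the delete action is not reversible):
# & ntdsutil @cmdArgs
```

Keeping the argument list in a variable and printing it first is deliberate: delete nc removes every replica in the forest, so a script should show the operator exactly what it is about to hand to ntdsutil before it does so.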

MCSE Self-Paced Training Kit (Exam 70-291)

May 13th, 2010  by June

Syngress Study Guides guarantee comprehensive coverage of all exam objectives. There are no longer any short cuts or gimmicks that allow candidates to pass Microsoft's new, more rigorous exams. The days of cramming to become a "paper MCSE" are over; candidates must have a full grasp of all core concepts and plenty of hands-on experience to become certified. This book presents complete coverage of the Microsoft 70-291 Exam and features a one-of-a-kind integration of text, DVD-quality instructor-led training, and Web-based exam simulation and remediation. This study guide and DVD training system gives students 100% coverage of official Microsoft exam objectives plus realistic test prep. The System package consists of:
1) STUDY GUIDE. 800 pages of coverage explicitly organized in the identical structure of Microsoft's exam objectives. Sections are designed to "stand alone", allowing readers to focus on those areas in which they are weakest and skim topics they may have already mastered.
2) DVD: A full hour of instructor-led training, complete with on-screen configurations and networking schematics, demystifying the toughest exam topics.
3) ONLINE PRACTICE EXAMS AND E-BOOK. Most exam candidates indicate that PRACTICE EXAMS are their single most valuable exam prep tool. Buyers of our Study Guides have immediate access to our exam simulations located at WWW.SYNGRESS.COM/SOLUTIONS. Syngress practice exams are highly regarded for the rigor of the questions, the extensive explanation of the right AND wrong answers, and the direct hyperlinks from the exams to appropriate sections in the e-book for remediation.

Readers will be fully prepared to pass the exam based on our 100% Certified guarantee.
Readers may save thousands of dollars required to purchase alternative methods of exam preparation.
Because of its breadth of coverage, this book will serve as a post-certification reference for IT professionals.

How Authentication and Receipt of TGT Works

May 12th, 2010  by June

This is the process:

1. The user enters her logon credentials.

2. The Local Security Authority (LSA) hashes the entered password and then uses it to encrypt the machine time. A plain-text copy of the same timestamp is packaged with the encrypted version. This package, called the authenticator, is passed by the LSA to the Kerberos package on the client.

3. The authenticator is sent to the Key Distribution Center (KDC) or account database on a domain controller.

4. The KDC compares the plain-text timestamp with its own system time. If the time difference is not within the Kerberos policy "Maximum tolerance for computer clock synchronization," the request is dropped. Otherwise, the process continues.

The Kerberos policy is part of the Account Policies of the GPO linked to the domain.

5. The KDC encrypts the plain-text timestamp using the stored password hash of the user and compares the result to the presented encrypted timestamp.

6. If the results match, the user is authenticated and sent a TGT. The TGT includes information encrypted using the password it has of the user's computer, and thus it can be used only by that computer. It also includes authorization information in the form of a list of SIDs, including the user's SID and the SIDs of the groups she is a member of.
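Steps 2 through 5 are easier to see as two small functions, one for the client's LSA and one for the KDC. The script below is an added simulation, not part of the training kit or of Windows' Kerberos implementation, and it makes two simplifications that are its own assumptions: the "password hash" is SHA-256 of the password, and "encrypting the timestamp" is modelled as HMAC-SHA256 keyed with that hash, which lets the KDC recompute the value from its stored hash and compare it exactly as step 5 describes (real Kerberos uses the account key with an encryption type such as RC4 or AES). The clock values are constructed Unix-second timestamps.

```powershell
# Added simulation (not from the training kit) of the pre-authentication exchange in
# steps 2-5. Assumptions: SHA-256 stands in for the password hash, HMAC-SHA256 stands
# in for "encrypting the timestamp", and times are plain Unix seconds.

function Get-PasswordHash {
    param([string]$Password)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $sha.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($Password))
}

function Protect-Timestamp {
    # Keyed transform of the plain-text timestamp; both sides compute it the same way.
    param([byte[]]$Hash, [long]$UnixSeconds)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (, $Hash)
    $bytes = [System.Text.Encoding]::ASCII.GetBytes([string]$UnixSeconds)
    [Convert]::ToBase64String($hmac.ComputeHash($bytes))
}

function New-Authenticator {
    # Client side (step 2): plain timestamp packaged with its encrypted copy.
    param([string]$Password, [long]$ClientTime)
    $hash = Get-PasswordHash $Password
    [pscustomobject]@{
        PlainTime = $ClientTime
        Encrypted = Protect-Timestamp $hash $ClientTime
    }
}

function Test-Preauthentication {
    # KDC side: step 4 (clock skew check) and then step 5 (recompute and compare).
    param(
        $Authenticator,
        [byte[]]$StoredHash,
        [long]$KdcTime,
        [int]$MaxSkewSeconds = 300   # default "Maximum tolerance for computer clock synchronization" is 5 minutes
    )
    if ([math]::Abs($Authenticator.PlainTime - $KdcTime) -gt $MaxSkewSeconds) {
        return 'DROPPED_CLOCK_SKEW'          # step 4: request is dropped, password never checked
    }
    $expected = Protect-Timestamp $StoredHash $Authenticator.PlainTime
    if ($expected -eq $Authenticator.Encrypted) {   # string compare; fine for a simulation
        return 'AUTHENTICATED_ISSUE_TGT'     # step 6 would follow
    }
    'REJECTED_BAD_PASSWORD'
}

# Constructed demo: the KDC holds the hash of 'P@ssw0rd' and its clock reads 1000000.
$stored = Get-PasswordHash 'P@ssw0rd'
$kdcNow = 1000000
'correct password, clock 10 s ahead : ' + (Test-Preauthentication (New-Authenticator 'P@ssw0rd' 1000010) $stored $kdcNow)
'wrong password,   clock 10 s ahead : ' + (Test-Preauthentication (New-Authenticator 'wrong'    1000010) $stored $kdcNow)
'correct password, clock 15 min out : ' + (Test-Preauthentication (New-Authenticator 'P@ssw0rd' 1000900) $stored $kdcNow)
```

The ordering in Test-Preauthentication is the point of the example: a client whose clock is outside the tolerance is dropped before its password is examined, which is why "KRB_AP_ERR_SKEW"-style logon failures after a clock reset are a time problem, not a credential problem.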

70-291 Exam Practice Questions

May 11th, 2010  by June

The problem in obtaining quality 70-291 study guide materials is not that there are too few sources - rather there are so many sources for information, it is increasingly difficult to find an outlet that offers all of the features, products and materials that you need to take and pass your 70-291 exam.

Pass-Guaranteed's 70-291 Practice Test Questions with Explanations are designed with questions, coupled with precise, logical and verified explanations. Pass-Guaranteed's 70-291 practice exam provides you with an examination experience like no other. To take a more authentic exam, you would have to take the exam itself, in an exam center!

Our 70-291 Practice Exam Features:

* Detailed Explanations for all Test Questions
* Exhibits and graphical representations
* Verified Answers Researched by Industry Experts
* Practice Test Questions With Explanations updated on a regular basis
* Like actual certification exams, our Practice Tests With Explanations are in multiple-choice format (MCQs).
* Our Question and Answer Explanations are backed by our 100% MONEY BACK GUARANTEE.

Our 70-291 practice exams and study guides are composed by current and active Information Technology experts, who use their experience in preparing you for your future in the IT Industry.

Our exams and questions are constantly being updated. You can check the quality of our practice test updates by visiting our latest news page or signing up to our newsletter for recent updates and new releases to our practice exams. You are not about to purchase a disposable product. 70-291 practice exam updates are supplied free of charge for up to 180 days. Regardless of how soon you decide to take the actual 70-291 examination certification, you will be able to walk into the testing room with confidence using Pass-Guaranteed 70-291 training resources.

Pass-Guaranteed 70-291 practice exam is guaranteed to be 100% braindump free. We value the quality of training you receive through our 70-291 practice exam and will never support 70-291 braindumps, or any 70-291 brain dump site. 70-291 braindump sites cannot compare to the understanding, learning and comprehension you will gain from a non 70-291 braindumps site, based on facts and case studies, like Pass-Guaranteed.

By purchasing our 70-291 practice exam, you will have all that is necessary for completing the 70-291 exam with all 70-291 practice questions that are always up to date. You will receive the highest quality and support with Pass-Guaranteed customer service (live chat) that will fulfill all of your certification needs. Purchase our 70-291 training products today, simply put, Pass-Guaranteed is your key to opening up new doors for a brighter future!

Domain user account

May 10th, 2010  by June

After Windows Server 2003 replicates the new user account information, all of the domain controllers in the domain tree can authenticate the user during the logon process.

Note It can take a few minutes to replicate the domain user account information to all domain controllers. This delay might prevent a user from immediately logging on using the newly created domain user account. By default, replication of directory information within a site occurs every five minutes.

Built-in User Accounts

Windows Server 2003 automatically creates accounts called built-in accounts. Two commonly used built-in accounts are Administrator and Guest.

Use the built-in Administrator account to manage the overall computer and domain configuration for such tasks as creating and modifying user accounts and groups, managing security policies, creating printers, and assigning permissions and rights to user accounts to gain access to resources. This account is assigned the password you specified during Active Directory installation and has permissions to perform all tasks in the domain. The Administrator account cannot be deleted.

Because the Administrator account has full permissions, you must protect it from penetration by intruders. First, you should always rename the Administrator account with a new name that does not connect the account to administrative tasks. Renaming makes it difficult for unauthorized users to break into the Administrator account because they do not know which user account it is. Second, you should always use a long and complex password that cannot be easily cracked for the Administrator account. Third, do not allow too many people to know the administrator password. Finally, if you are the administrator, you should create a separate user account that you use to perform nonadministrative tasks. Log on by using the Administrator account only when you perform administrative tasks. Or, log on with your user account and use the Run As program when you need to perform a few administrative tasks. For information on setting up user accounts for performing nonadministrative tasks and the Run As program, see Chapter 8, "Administering Group Accounts."

The purpose of the built-in Guest account is to provide users who do not have an account in the domain with the ability to log on and gain access to resources. For example, an employee who needs access to resources for a short time can use the Guest account. By default, the Guest account does not require a password (the password can be blank) and is disabled. You should enable the Guest account only in low-security networks and always assign it a password. If you enable the Guest account, always rename it to provide a greater degree of security. Use a name that does not identify it as the Guest account. You can rename and disable the Guest account, but you cannot delete it.
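Because both built-in accounts are meant to be renamed, an audit should locate them by their fixed relative identifiers (RID 500 for Administrator, RID 501 for Guest) rather than by name. The script below is an added example, not part of the training kit; it assumes Windows 10 or Windows Server 2016 or later for the Get-LocalUser cmdlet and checks the local SAM, reporting an account that still carries its default name, a Guest that is enabled, or a Guest that does not require a password.

```powershell
# Added audit (not from the training kit). Finds the built-in Administrator and Guest
# accounts by RID and reports the conditions the text says to avoid.
# Assumes: Windows 10 / Server 2016+ (Microsoft.PowerShell.LocalAccounts module).

function Get-BuiltInAccountPosture {
    foreach ($u in Get-LocalUser) {
        # The RID is the last dash-separated component of the SID; it never changes on rename.
        $rid = [int](($u.SID.Value -split '-')[-1])
        if ($rid -ne 500 -and $rid -ne 501) { continue }

        $builtIn = 'Guest'
        if ($rid -eq 500) { $builtIn = 'Administrator' }

        $issues = @()
        if ($u.Name -eq $builtIn) { $issues += 'still has its default name' }
        if ($rid -eq 501 -and $u.Enabled) { $issues += 'Guest account is enabled' }
        if ($rid -eq 501 -and -not $u.PasswordRequired) { $issues += 'Guest does not require a password' }

        $issueText = 'none'
        if ($issues.Count -gt 0) { $issueText = $issues -join '; ' }

        [pscustomobject]@{
            BuiltIn     = $builtIn
            CurrentName = $u.Name
            Sid         = $u.SID.Value
            Enabled     = $u.Enabled
            Issues      = $issueText
        }
    }
}

Get-BuiltInAccountPosture | Format-Table -AutoSize

# For the domain accounts, the same RIDs hang off the domain SID; with the ActiveDirectory
# module installed the lookup is:
#   Get-ADUser -Identity "$((Get-ADDomain).DomainSID.Value)-500"
```

Renaming hides the account from someone who only knows the default name, but the RID-based lookup above shows why the text calls it one layer among several: the account is still discoverable by SID, so the long password and the restricted circle of people who know it remain essential.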

70-291 Study Guide

May 8th, 2010  by June

With many online resources for preparing for the 70-291 exam, you will notice when you read the below information that Pass-Guaranteed is your premier source for your 70-291 exam. With our 70-291 practice tests with explanations, no other vendor will be able to compare to Pass-Guaranteed for quality 70-291 study guides.

70-291 Downloadable, Printable Exams (in PDF format):

Our Exam 70-291 Preparation Material provides you everything you will need to take your 70-291 Exam. The 70-291 Exam details are researched and produced by Professional Certification Experts who are constantly using industry experience to produce precise, logical and verified explanations for the answers.

Exam 70-291 Practice Test with Full Explanations Includes:

* Comprehensive Practice Test Questions with Full Explanations
* Detailed Explanations of all the questions
* Practice Test Questions accompanied by exhibits
* Verified Answers Researched by Industry Experts
* Drag and Drop questions as experienced in the Actual Exams
* Practice Test Questions with Explanations updated on a regular basis
* Our Practice Test Questions with Explanations are backed by our 100% MONEY BACK GUARANTEE.
* Like actual certification exams, our Practice Tests with Explanations are in multiple-choice (MCQs)

Our 70-291 Exam will provide you with exam questions and explanations with verified answers that reflect the actual exam. These questions and answer explanations provide you with the experience of taking the actual test. Our 70-291 Exam is not just questions and answers. They are your access to high technical expertise and accelerated learning capacity. Our questions have detailed explanations for every answer and thus ensure that you fully understand the questions and the concept behind the questions. Certification Experts, Certified Computer Trainers, Technical Coworkers and Comprehensive Language Masters, who have a solid, verified and certified background and high technical expertise, have compiled these detailed explanations. Pass-Guaranteed's practice tests will make you feel like you are taking an actual exam at a Prometric or VUE center.

We are constantly updating our Exam 70-291. These 70-291 Exam updates are supplied free of charge to Pass-Guaranteed customers, making the product an investment rather than a disposable purchase. Our clients receive the most reliable and up-to-date information when they decide to take the 70-291 exam. Like actual certification exams, our 70-291 Exam is in multiple-choice format (MCQs). After purchasing our 70-291 practice test with explanations, you are just a step away from being certified. Still not convinced? Try our free samples or choose to buy your 70-291 Practice Exam now!

Exam Highlights

May 7th, 2010  by June

Before taking the exam, review the key points and terms that are presented in this chapter. You need to know this information.

Key Points

Global security groups are most often used to organize users who share similar network access requirements. Domain local security groups are most often used to assign permissions to resources. Universal security groups are most often used to assign permissions to related resources in multiple domains.

You should place user accounts into global groups, create a domain local group for a group of resources to be shared in common, place the global groups into the domain local group, and then assign permissions to the domain local group.

For global security groups, members come from only the local domain, but they can access resources in any domain.

For domain local security groups, members can come from any domain, but they can access resources only in the local domain.

For universal security groups, members can come from any domain in the forest and they can access resources in any domain in the forest.

Deleting a group

May 6th, 2010  by June

As your organization grows and changes, you might discover groups that you no longer need. Be sure to delete these groups. Deleting unnecessary groups ensures you maintain security so you do not accidentally assign permissions for accessing resources to groups you no longer need. Each group you create has a unique, nonreusable identifier called the security identifier (SID). Windows Server 2003 uses the SID to identify the group and the permissions assigned to it. When you delete a group, Windows Server 2003 does not use the SID for that group again, even if you create a new group with the same name as the group you deleted. Therefore, you cannot restore access to resources by recreating the group.

When you delete a group, you delete only the group and the permissions and rights associated with it. Deleting a group does not delete the user accounts that are members of the group.

To delete a group, complete the following steps:

1. Right-click the group, and then click Delete.

2. Click Yes in the Active Directory dialog box.

Off the Record You can use a script to determine a user's group memberships. This is helpful if you'd like to make a logon script dependent upon a user's group membership. The script Chkgrps.vbs on the Supplemental CD-ROM in the \70-294\Labs\Chapter08 folder illustrates how you can use Microsoft Visual Basic Scripting Edition (VBScript) to list a user's group memberships. In the Troubleshooting Lab, you'll learn how to use the Ifmember executable to list group membership.
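The Chkgrps.vbs script mentioned above is not reproduced here; the PowerShell below is an added example of the same idea, not the CD-ROM script, and not the Ifmember executable. It lists the current user's group memberships from the logon token (SIDs translated to names where possible) and exposes a single membership test that a logon script can branch on. The group name and drive mapping in the usage comment are constructed placeholders.

```powershell
# Added example (not the Chkgrps.vbs from the Supplemental CD-ROM). Reads group
# membership from the current logon token, so it reflects nested groups as the
# token was built at logon, not a later change to the directory.

function Get-CurrentUserGroups {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        # Well-known and deleted SIDs may not translate; keep the SID and a null name.
        $name = $null
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $null
        }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

function Test-CurrentUserInGroup {
    # $GroupName is DOMAIN\Group or COMPUTER\Group; the check is against the token.
    param([Parameter(Mandatory)][string]$GroupName)
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal -ArgumentList $identity
    $principal.IsInRole($GroupName)
}

# List everything the token carries, unresolved SIDs included.
Get-CurrentUserGroups | Sort-Object Name | Format-Table -AutoSize

# Logon-script style use (constructed group and share names):
# if (Test-CurrentUserInGroup 'CONTOSO\Sales') { net use S: \\fileserver\sales }
```

A SID that no longer translates to a name is exactly the situation the section above describes: a group that was deleted leaves its SID behind in old ACLs, and recreating a group with the same name does not bring those entries back to life.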
