Certification Galore
NT Server Enterprise MCP Self-Study Help


Exam Specs:

Test Title: Implementing and Supporting Microsoft® Windows NT® Server 4.0 in the Enterprise
Test Number: 70-68
Number of Questions: 51
Required Passing Score: 784/1000
Time Allotted to Take Exam: 90 minutes

What you need to know:

Planning

Know the Microsoft model! There is a difference between what you may do in the real world and how the model works. For instance, in the Microsoft model, all users go into global groups, then global groups go into local groups.

Plan the implementation of a directory services architecture. Considerations include:

- Select the appropriate domain model. Know all four domain models (listed below), and which ones work best in what circumstances. Trust relationships are BIG on this test.

Domain Models:

Workgroup Domain: For networks that have 20 or fewer workstations (users). Workgroup domains have very little security. Shares are administered by each user.
Single Domain: For networks of 20 - 500 workstations (users). The single domain has one server (PDC) and one backup server (BDC). There are no trust relationships set up, and no ability to establish trust relationships without reinstalling NT. Share and resource management is controlled centrally.
Single Master Domain: For networks of 500 - 10,000 workstations (users). The single master domain contains all user accounts, and trusting domains contain resources (programs, print servers, etc.).
Multiple Master Domain: For networks over 10,000 workstations (users). The multiple master is good for wide area networks (networks spread out geographically). Accounts and resources are determined by the location of the nearest master domain, and resource servers can be set up with trusts to the different master domains.
Complete Trust Domain: All servers are set up with complete trusts to all other servers.

To understand Trusts, think of this: I (Domain A) trust you (Domain B). That means you know my secrets (Domain B has access to Domain A accounts and resources). A two-way Trust just means that we trust each other.

- Supporting a single logon account. One user, one login.
- Allowing users to access resources in different domains.

Plan the disk drive configuration for various requirements. Requirements include choosing a fault-tolerance method. Choose a protocol for various situations.

Fault tolerances include:

- RAID 0 - Stripe Sets (No Fault Tolerance), fastest option.
- RAID 1 - Disk Mirroring (Good Fault Tolerance but slower and more expensive).
- RAID 5 - Stripe Sets With Parity (Good Fault Tolerance but must have minimum 3 hard drives and you lose the equivalent of one hard drive's space).

Protocols include:

- TCP/IP
- TCP/IP with DHCP and WINS
- NWLink IPX/SPX Compatible Transport Protocol
- Data Link Control (DLC)
- AppleTalk

Installation and Configuration

Install Windows NT Server to perform various server roles. Server roles include:

- Primary domain controller (PDC): There is only one PDC per domain. The PDC creates and keeps the Service Account Manager (SAM). It sends copies of the SAM, and updates to the SAM, to the BDCs. If a PDC goes down, a BDC will handle login validation until the PDC comes back up.
- Backup domain controller (BDC): There can be multiple BDCs in a domain. BDCs keep a copy of the SAM, and give the PDC updates. A BDC can be upgraded to a PDC by promoting it in the Server Manager. A BDC will not automatically promote itself.
- Member server: Member servers usually hold resources like programs and printer queues. Member servers cannot do domain login validation, and cannot be promoted to BDCs or PDCs without reinstalling NT.

Configure protocols and protocol bindings. Protocols include:

- NetBEUI (Very fast, easy to configure, but not routable)
- TCP/IP (Routable and very compatible with other systems)
- TCP/IP with DHCP and WINS (Great for Internet/Intranet access, and makes admin. easier)
- NWLink IPX/SPX Compatible Transport Protocol (To connect to NetWare systems)
- DLC (For (old) JetDirect printers, and SNA servers)
- AppleTalk (To connect to Apple servers and workstations)

Configure Windows NT Server core services. Services include:

- Directory Replicator (Synchronizes directory structures across multiple servers)
- Computer Browser (Maintains a list of all computers located on the physical network)

Configure hard disks to meet various requirements. Requirements include:

- Providing redundancy (Fault tolerance)
- Improving performance (Study Performance Monitor, learn best places to put boot and system partitions and the best spot (or spots, if configured across hard drives) for the cache)

Configure printers. Careful on this one! Know the Microsoft names. Tasks include:

- Adding and configuring a printer (Where do drivers go? Study about drivers for different Operating Systems, like NT 3.51 vs. NT 4.0)
- Implementing a printer pool (Multiple printers using only one queue. How does this work?)
- Setting print priorities (Setting groups or individuals for higher priority, setting certain printers for higher priority)

Configure a Windows NT Server computer for various types of client computers. Client computer types include:

- Windows NT Workstation: NT Workstations need a computer account and user account on the server.
- Windows® 95: Only needs a user account, no computer account needed.
- Macintosh®: Services for Macintosh must be installed before any Macintosh clients can be configured.

Managing Resources

Manage user and group accounts. Considerations include:

- Managing Windows NT user accounts: Two things need to be known to create a user account: the username and password. To duplicate an account, you need the username, password, and full name.
- Managing Windows NT user rights: User rights depend on the type of security implemented. Share level security is usually implemented in workgroups where there is no server. Share level security is placed on resources and has the following default security levels:
No Access: User has no access to any files or resources. No Access overrides all other security levels.
Read Access: User can execute program files, display attributes, and open files. User cannot modify, delete, or add anything.
Change Access: User can do everything that Read Access can do, plus user can add, create, modify, delete and change attributes of files.
Full Control Access: All attributes of Read Access and Change Access, plus user can take ownership of files and folders. User can change file access rights. This security level is the default for the Everyone group.

User level security is placed by user. The easiest way to implement User level security is to create users, give no specific security rights, then assign users to groups. Place appropriate security rights on the groups.

- Managing Windows NT groups

Default groups are:

Group Name | Local / Global | Description
Account Operators | Local | Manages user and group accounts. Can reset passwords, add and remove users. Only found on Domain Controllers.
Administrators | Local | Full rights to the local server.
Backup Operators | Local | Manages backing up and restoration of the server (PDC, BDC or member server). Backup Operator can only run backup and restore functions from the local computer. Found on all NT servers.
Domain Admins | Global | Administrators for the entire domain.
Domain Guests | Global | Limited access to different areas of the domain.
Domain Users | Global | Should include every person that needs rights throughout the domain.
Guests | Local | Limited access to the local server.
Print Operators | Local | Administration of domain printers.
Replicators | Local | Performs file and directory replication. Found on all NT servers.
Server Operators | Local | Administration of local domain servers.
Users | Local | All users in the local domain.

Local groups are limited to the domain in which they were created, while Global groups can go from domain to domain in a multi-domain environment. The Microsoft model says: Users go into Global groups, Global groups go into Local groups.

- Administering account policies: Use the System Policy Editor. Place the default policy as: \WinNT\System32\Repl\Import\Scripts\ntconfig.pol. By default, this path is shared as Netlogon$. This will allow the policy to be sent to all BDCs during replication.
- Auditing changes to the user account database: Only a member of the Administrators group can enable auditing for User and Group management.
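
The Microsoft model from this section (users go into global groups, global groups go into local groups, permissions go on the local groups), together with a one-way trust and the No Access override, modeled here as an added Python example that is not part of the original study guide. The domain, group and user names are constructed, and treating the remaining share levels as cumulative (most permissive wins) is an assumption of this model.

```python
from dataclasses import dataclass, field

LEVELS = ["Read", "Change", "Full Control"]  # share levels from the page, weakest first
NO_ACCESS = "No Access"                      # overrides every other level

@dataclass
class Domain:
    name: str
    trusts: set = field(default_factory=set)            # domains this domain trusts
    global_groups: dict = field(default_factory=dict)   # group -> users of this domain
    local_groups: dict = field(default_factory=dict)    # group -> {(domain, global group)}

def nest(resource, local_group, account, global_group):
    """Put a global group into a local group; across domains this needs a trust."""
    if account.name != resource.name and account.name not in resource.trusts:
        raise PermissionError(f"{resource.name} does not trust {account.name}")
    if global_group not in account.global_groups:
        raise KeyError(global_group)
    resource.local_groups.setdefault(local_group, set()).add((account.name, global_group))

def effective_access(user, home, resource, acl):
    """Resolve user -> global group -> local group -> share level on `resource`.

    `acl` maps local group names to a level. Returns None when nothing matches.
    """
    if home.name != resource.name and home.name not in resource.trusts:
        return None  # no trust, so the account is not recognised at all
    granted = set()
    for local_group, level in acl.items():
        for dom, gg in resource.local_groups.get(local_group, ()):
            if dom == home.name and user in home.global_groups.get(gg, ()):
                granted.add(level)
    if NO_ACCESS in granted:
        return NO_ACCESS
    # Assumption: remaining grants are cumulative, the most permissive one wins.
    return max(granted, key=LEVELS.index) if granted else None

def build_demo():
    """Constructed sample: RESOURCES trusts ACCOUNTS (one way only)."""
    accounts = Domain("ACCOUNTS", global_groups={
        "Sales": {"alice", "bob"}, "Managers": {"alice"}, "Temps": {"bob"}})
    resources = Domain("RESOURCES", trusts={"ACCOUNTS"},
                       global_groups={"ResAdmins": {"dave"}})
    nest(resources, "SalesReaders", accounts, "Sales")
    nest(resources, "SalesEditors", accounts, "Managers")
    nest(resources, "Blocked", accounts, "Temps")
    acl = {"SalesReaders": "Read", "SalesEditors": "Change", "Blocked": NO_ACCESS}
    return accounts, resources, acl

if __name__ == "__main__":
    accounts, resources, acl = build_demo()
    for user in ("alice", "bob", "carol"):
        print(user, "->", effective_access(user, accounts, resources, acl))
    try:  # the trust is one-way, so the reverse nesting is refused
        nest(accounts, "Auditors", resources, "ResAdmins")
    except PermissionError as exc:
        print("refused:", exc)
```
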

Create and manage policies and profiles for various situations. Policies and profiles include:

- Local user profiles: Are stored on the local machine. They do not follow the user if they move to different machines.
- Roaming user profiles: Are stored on the server. The user gets the same profile every time they log in to the domain. Roaming profiles can be put into a shared "profiles" directory, or the user's home directory. You can change the profiles to Read Only by renaming the file NTUSER.DAT to NTUSER.MAN.
- System policies: Allow you to add restrictions to users. You can lock down profiles, restrict modifications to users' desktops, restrict hardware changes, and apply these restrictions to specific users or groups.

Administer remote servers from various types of client computers. Client computer types include:

- Windows 95: Remote Administration Tools for Windows 95 include: User Manager for Domains, Server Manager, Event Viewer, and Explorer extensions which allow management of NTFS partitions. The tools are found on the NT server CD, under \CLIENTS\SRVTOOLS\WIN95.
- Windows NT Workstation: Has DHCP Manager, System Policy Editor, Remote Access Admin, Remote Boot Manager, Server Manager, User Manager for Domains, WINS Manager and extensions for managing Macintosh. The tools are found on the NT server CD, under \CLIENTS\SRVTOOLS\WINNT. These tools can be loaded on member servers also.

Manage disk resources. Tasks include:

- Creating and sharing resources: Creating a share is as easy as right-clicking a resource and choosing "Share As". Remember all subdirectories default to the same share access as the parent directory.
- Implementing permissions and security
- Establishing file auditing

Connectivity

Configure Windows NT Server for interoperability with NetWare servers by using various tools. Tools include:

- Gateway Service for NetWare: Gateway Service for NetWare lets an MS client system access a NetWare server by using the NT Server as a gateway. You need a group on the NetWare server called NTGATEWAY. Add user accounts to the NTGATEWAY group of all the NT accounts you need to access the NetWare server.
- Migration Tool for NetWare: All user accounts and groups are migrated to the NT domain by default. Passwords are not migrated. You have the option to set the new user passwords in the domain, though. You can choose: No Password, Password is Username, Password is (a single password for all accounts), and User Must Change Password.
The migration tool can be configured for several options if duplicate user names or group names are found. They are: Log Error (adds to the file ERROR.LOG), Ignore (leaves the user name or group name already on the NT domain), Overwrite, or Add Prefix (makes the user name or group name different from the one already on the domain).

Install and configure multiprotocol routing to serve various functions. Functions include:

- Internet router: Can be installed by doing nothing more than having two NIC cards in the server. Once that's done, just enable IP routing in the TCP/IP protocol configuration. It will not exchange RIP (Routing Information Protocol) routing packets unless RIP routing software is installed.
- BOOTP/DHCP Relay Agent: Configured in TCP/IP properties.
- IPX router: IPX Router is enabled through NT Services (Control Panel, Networks, Services). After it's enabled, it can route IPX packets.

Install and configure Internet Information Server.

You can install IIS during the initial installation of NT or any time after. During installation, you are asked where you want default files for web pages, FTP sites, and Gopher sites. You can also define which ODBC drivers you want. After installation, there are a host of items you can (or may have to) configure.

Install and configure Internet services. Services include:

- World Wide Web: From the Internet Service Manager, you can install and configure WWW services. Choose an anonymous login, TCP port, connection timeout, maximum connections, and logging from there.
- DNS: Is used to resolve a Domain host name to an IP address.
- Intranet: Use IIS to set up an Intranet.

Install and configure Remote Access Service (RAS). Configuration options include:

- Configuring RAS communications: RAS uses NetBEUI as the default network protocol. You can also use TCP/IP and IPX/SPX, however. TCP/IP will need to be used if you are using programs that utilize the Windows Sockets (Winsock) interface over the RAS services.
- Configuring RAS protocols: RAS is capable of using the following connection protocols:
SLIP - Has less overhead than PPP, but cannot automatically assign an IP address, and only uses TCP/IP.
PPP - Can automatically assign IP addresses, supports encryption and other protocols besides TCP/IP.
RAS - Used by Windows 3.x and Windows NT 3.x clients.
- Configuring RAS security settings:
Allow any authentication including clear text - This will allow RAS to use a number of password authentication protocols including Password Authentication Protocol (PAP), which uses plain-text password authentication. This option is useful if you support third-party RAS clients.
Require encrypted authentication - Supports any authentication used by RAS except PAP.
Require Microsoft encrypted authentication - Only makes use of Microsoft's CHAP (Challenge Handshake Authentication Protocol). All Microsoft operating systems use MS-CHAP by default.
Require data encryption - Enables the encryption of all data sent to and from the RAS server.

Monitoring and Optimization

Establish a baseline for measuring system performance. Tasks include creating a database of measurement data.

Use Performance Monitor to establish a baseline. At minimum, you should log:

Pages/sec: Tracks excessive paging. Should not be over 20. To lower: Add RAM.
Available bytes: The amount of virtual memory available. If it's less than 4MB, add RAM.
Committed bytes: The amount of memory in use by applications.
%Processor time: The amount of time the processor is in use. Short peaks of 100% are okay, but a steady reading of 80% or over could prompt you to upgrade the processor.
%Disk Time Counter*: The amount of time the hard disk is in use. A steady reading of 90% could mean time to upgrade the disk or controller, or add a disk or controller.
*Must run DISKPERF -Y to enable disk performance counters.

Monitor performance of various functions by using Performance Monitor. Functions include:

- Processor
- Memory
- Disk
- Network

Monitor network traffic by using Network Monitor. Tasks include:

- Collecting data
- Presenting data
- Filtering data

Identify performance bottlenecks.

Use Performance Monitor to establish a baseline, then log performance during peak usage over a period of time. For instance, let's say work starts at 8:30. Log performance from 8:30 to 8:40 every two or three days for several weeks. Find other peak usage times, and log them too. Careful, though, the log grows large quickly.

Optimize performance for various results. Results include:

- Controlling network traffic
- Controlling server load
The server properties menu allows you to allocate memory dependent on the optimization you want. Options are:
Minimize Memory Used: Memory will be allocated for up to 10 network connections.
Balance: Default setting, allocates memory for about 64 connections.
Maximize Throughput for File Sharing: Good option for a file server. Optimizes for file sharing. Example: You have Access installed on workstations and several users share files located on the server.
Maximize Throughput for Network Applications: Good option for an application server. Optimized for large data transfers. Example: You're using SQL server, and many users are accessing data from their workstations.

Troubleshooting

Choose the appropriate course of action to take to resolve installation failures.

Setup switches:

/B Boot files installed to hard drive instead of floppy disks. Takes 4-5MB.
/C Doesn't check for free space when creating boot disks.
/F Don't verify files on boot disks. Speeds up installation, but loses reliability. Only used with WINNT.
/I Tells setup to use a specific setup file (default is DOSNET.INF). You can create your own.
/O Only creates a set of boot floppies. Only used with WINNT.
/OX When installing from CD-ROM or network connection and you want to build a set of boot floppies.
/S Specifies source file location. Must be used when installing from any drive other than current default drive. Multiple locations can speed up installation.
/T Specifies the location of the temp directory.

Choose the appropriate course of action to take to resolve boot failures.

You can create an Emergency Repair disk (if you didn't during setup) by running RDISK.EXE. Use the /S option to back up user accounts and file security.
You must boot using the NT installation disks to use the Emergency Repair disk.
Emergency Repair can inspect the Registry files and restore them to the set on the ERD (important to keep the ERD up to date), inspect the startup environment, verify system files and inspect the boot sector.

Manually create a boot disk by formatting a diskette from the NT system (NOT DOS or Win95) and adding the files BOOT.INI, NTBOOTDD.SYS (for SCSI devices), NTDETECT.COM and NTLDR.

Using VGA startup tells NT to add the /SOS switch to the BOOT.INI file. This will display driver names while they are being loaded. You can do this yourself by adding /SOS as the last line in the [Operating Systems] section of BOOT.INI.

Choose the appropriate course of action to take to resolve configuration errors. Tasks include:

- Backing up and restoring the registry (Use the ERD)
- Editing the registry

Choose the appropriate course of action to take to resolve printer problems.

"Print Device" is the physical printer. "Printer" is the icon in Control Panel.
"Print Pool" is a setup of two or more identical printers. The print server can be set to print to the first available print device.
"Availability" sets the time frame the printer will accept print jobs.
"Priority" specifies which virtual printer should print to the print device first. The range is from 1 (lowest) to 99 (highest).

Stop and restart spooler service to activate a stalled printer.

You need the IP address and printer name to print to a TCP/IP printer.

DLC needs to be installed to print to (older) HP print servers.

AppleTalk needs to be installed to print to Apple printers.

Each operating system needs its own print drivers. Different drivers are needed by Win95, Win3.X, NT 3.5X, and NT 4. These drivers can be automatically downloaded by installing them on the print server (except Win 3.X; these have to be installed manually). Win95 will initially automatically download the drivers, but will not check for updated drivers. NT 3 and 4 workstations will automatically download any updated drivers that are on the server.

Choose the appropriate course of action to take to resolve RAS problems.

Choose the appropriate course of action to take to resolve connectivity problems.

Choose the appropriate course of action to take to resolve resource access and permission problems.

Choose the appropriate course of action to take to resolve fault-tolerance failures. Fault-tolerance methods include:

- Tape backup: (Assuming hard disk failure) Install new hard disk, install NT (if the disk had a boot or system partition on it), and restore from tape.
- Mirroring: Install new hard disk and run Disk Administrator to break the mirror set (from the Fault Tolerance menu), then re-establish the mirror.
- Stripe set with parity: Install new hard disk and run Disk Administrator. Choose the Regenerate option. This assumes ONE hard disk went bad. You may have to restore off tape if more than one went bad.

Perform advanced problem resolution. Tasks include:

- Diagnosing and interpreting a blue screen: Use VGA Mode at startup, choose Last Known Good Configuration or the ERD.
- Configuring a memory dump: Available from the Startup/Shutdown tab of the System applet. The options are: Write the error event to the System log, send an Administrative alert, write a dump file, automatically reboot.
Memory dump files are written to {winroot}/Memory.dmp. Use DUMPEXAM.EXE to view the file (for non-testing purposes, this file contains mostly hex code and error messages that even most MS technicians are confused over).
- Using the Event Log service: Event logs are created automatically. Use Event Viewer (Start, Programs, Administrative Tools) to view Event logs.

 

Contributions:

Email Address:
Real Name: Justin West
     Comments: Passed #70-068 the other day. The Exam Cram books are excellent! I used it to refresh me right before the test, big help!
I like the way you laid this out, just like the MS model. Makes it easy to find information.

Copyright © 1998-2000 Intra-Designs except where noted
http://www.windowsgalore.com/cert/