70-290: August 2006 Archives
Microsoft has a slew of certification exams lined up to accompany the release of its Windows Server 2003 operating system. Among the first of these to go to beta - and subsequently to be among the first to go live - is Managing and Maintaining a Microsoft Windows Server 2003 Environment (exam number 70-290). This exam is a nuts-and-bolts look at the operating system at a cursory level. The five main topic areas it focuses upon are:
- Managing and Maintaining Physical and Logical Devices
- Managing Users, Computers, and Groups
- Managing and Maintaining Access to Resources
- Managing and Maintaining a Server Environment
- Managing and Implementing Disaster Recovery
1. Be ready for record-length questions
In the early days of Microsoft certification, exams asked multiple-choice questions that were fairly straightforward. At no point were they ever as simplistic as those on CompTIA exams, but they were comparable. As the exam numbers incremented, Microsoft started adding headers to the questions: "You are the network administrator for Acme...," etc.
Somewhere down the road, someone at Microsoft misread Bloom's taxonomy and became convinced that question length somehow parallels question difficulty. Since then, there has been no stopping them. In fact, it's easy to come to the mistaken conclusion that question writers contracted by Microsoft get paid by the word.
If you took any of the Windows 2000 exams (particularly 70-216 and 70-219), you know how verbose a simple question can be. You'll be surprised, however, at how much longer the same question has now become. The questions include a lot of superfluous information to determine whether you can figure out how much of it you really need. Although a couple of questions like this are useful, having an entire exam of them wears you out quickly, so you need to plan ahead.
2. Be ready for drag-and-drop (and other new question types)
Multiple-choice remains the primary question type, but the number of drag-and-drop questions is increasing on the exams. On the betas recently given, questions of this type made up 25 percent or more of the exam.
Microsoft refers to this type of question as "select-and-place", and to quote: "A select-and-place exam item tests a candidate's ability to synthesize information and assemble a solution to a problem or scenario graphically. This type of exam item can reflect architectural, design, troubleshooting, and component recognition problems more accurately than traditional exam items can because the solution is presented in a form that is more familiar to the computer professional."
Although it's certainly arguable whether a select-and-place question is "more familiar to the computer professional" than a multiple-choice one, there is no arguing the fact that you need to be comfortable with this format. If you can't immediately jump in and start answering the question, time spent contemplating how to answer the question will devour precious minutes that could be spent finding the right answer on another question.
In addition, you'll see more interactive question types, such as Hot Area and Active Screen questions.
3. Be ready for questions on new technologies
No one likes to add nifty features to an operating system that go unnoticed, and one of the best ways to draw attention to them is to quiz you on them. The list below covers some of the new and improved technologies to know. You can learn about them by using the operating system, from the help pages that accompany Windows Server 2003, and from Web sites such as those on the support side of Microsoft.
- Automated System Recovery (ASR)
- Remote Assistance
- Remote Desktop
- Software Update Services (SUS)
- Emergency Management Services (EMS)
- File Replication Service (FRS)
- Group Policy Management Console (GPMC)
- Open File Backup
- Password Backup and Restore Wizard
- Shadow copying of shared folders
- Virtual disk services
4. Know the changes from Windows 2000
There are several changes in how Windows 2000 and Windows Server 2003 operate, some subtler than others, and Microsoft expects you to know about them. Among those to be aware of:
- You must activate the operating system to use it.
- The default share permission for the Everyone group is now Read instead of Full Control. Share permissions still combine with NTFS permissions and the more restrictive of the two applies, so a newly shared folder is read-only over the network until you change the share permission, even if the NTFS ACL grants more.
- There are (or will be) four versions of the product available: Web edition, Standard edition, Enterprise edition, and Datacenter edition. Check Microsoft's site for a comparison of the versions.
5. Know the benefits of using Windows 2003
If this list is beginning to sound like a marketing tool, you're starting to understand an important concept: Vendors, and not just Microsoft, want their most trained users - certified administrators - to also serve as evangelists for their products. The best way to guarantee this is to make sure certification holders know all the features and can expound upon them at length.
For that reason, be sure to know Microsoft's top ten benefits of using Windows Server 2003 over any other operating system that might be deployed within the organization.
6. Have a rough idea of licensing pricing
The 70-290 exam doesn't include any questions asking you to specifically figure pricing. Actual numbers never come into play because they date the exam, they do not translate well across markets, and they are a topic for accountants rather than administrators. Nevertheless, Microsoft does want you to know that you need licenses to use the products; if you don't know that, Microsoft loses money.
A number of links related to pricing and licensing are posted on Microsoft's site, and I recommend reading through that information to get a good feel for the concept without getting mired down in the numbers.
7. Know that IIS is improved
Internet Information Services (IIS) gets better with each release. The version that ships with Windows Server 2003 is 6.0, and it includes numerous improvements over 5.0, several of them security related: IIS is no longer installed by default, and a fresh installation serves only static content until you explicitly enable dynamic extensions such as ASP or ASP.NET. Although this exam is not IIS specific, it does expect you to have knowledge of the service. You'll find everything you need to know in "What's New in Internet Information Services 6.0."
Last Few Words
A number of certification exams will soon become available for Microsoft Windows Server 2003. Exam 70-290 will be among the first. It will also be among the least difficult because it emphasizes the technology and the changes in the operating system, while others are likely to focus more on planning and deployment.
The main purpose of a group is to simplify administration by allowing permissions to be assigned to a collection of users instead of to individual users. A group can contain user accounts, computer accounts, or contacts as its members. A group can also contain other groups, which is referred to as group nesting. Which items a group can contain, and where it can be used, depends on the group type, the group scope and the domain functional level.
Group Types
Windows 2003 Active Directory supports the following two group types:
- Security Groups - Used for assigning permissions to directory objects and to resources such as shared folders and printers. Security groups are also used for assigning rights to users, for example through Group Policy.
- Distribution Groups - Used for creating e-mail distribution lists (e.g., for Microsoft Exchange Server), so that a user can send e-mail to all the members by using a single address. A distribution group is not security-enabled: it does not appear in a user's access token, so it cannot be used to assign permissions or rights.
Group Scopes
A group scope defines from which domains members can be added and in which domain, tree, or forest rights and permissions can be assigned to the group. When you create a new group, it is a security group with global scope by default. You can change the group scope if the domain functional level is Windows 2000 native or Windows Server 2003; changing a group scope in a Windows 2000 mixed mode domain is not possible.
Windows 2003 Active Directory supports the following three group scopes:
- Domain Local - Used for assigning permissions within the local domain only. A domain local group can contain user and computer accounts, global groups and universal groups from any domain in the forest, and other domain local groups from the same domain. A domain local group can be changed to a universal group only if it does not have other domain local groups as its members.
- Global - Used for assigning permissions in any domain in the forest. A global group can contain only user and computer accounts and other global groups from the same domain as the global group. If the domain is running in Windows 2000 mixed mode, you can add only accounts to a global group. A global group can be changed to a universal group only if it is not a member of another global group.
- Universal - Also used for assigning permissions in any domain in the forest. A universal group can contain user accounts, computer accounts, and global and universal groups from any domain in the forest. Security universal groups can be created only when the domain functional level is Windows 2000 native or Windows Server 2003. Unlike domain local and global groups, universal groups and their membership are replicated to every global catalog in the forest, so keep their membership stable (nest global groups rather than individual accounts) to limit replication traffic. A universal group can be changed to a domain local group at any time, and to a global group only if it does not have other universal groups as its members.
When you want to give all the users in the Sales department access to a shared resource, e.g. Printer1, create a domain local group for that resource, e.g. SalesPrinters, and assign it permissions on Printer1. Then group the users into a global group, e.g. Sales, and add the global group to the domain local group. A universal group is particularly useful when the group needs members from multiple domains; universal groups should be members of domain local groups and have global groups as their members. In short: accounts go in global groups, global groups in universal groups where needed, those in domain local groups, and permissions are assigned to the domain local groups.
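The scope rules above are easy to get wrong in a large forest. The following Python script, added here as an example rather than taken from the original page, models them offline: it decides whether a given nesting or scope change is allowed under the Windows 2000 native / Windows Server 2003 rules, and walks the Sales/SalesPrinters case from the paragraph above. The domains home.local and branch.local, the accounts, and the Principal/Group classes are constructed for the example.

```python
# Added example, not from the original page: an offline model of the group
# scope rules described above, so a planned nesting or scope change can be
# checked before it is made in Active Directory Users and Computers.
# The domains (home.local, branch.local), accounts and group names below are
# constructed for the example; the rules are the Windows 2000 native /
# Windows Server 2003 functional-level rules from the text.
from dataclasses import dataclass, field

DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "domain local", "global", "universal"


@dataclass(eq=False)
class Principal:
    """A user or computer account."""
    name: str
    domain: str


@dataclass(eq=False)
class Group:
    name: str
    domain: str
    scope: str
    members: list = field(default_factory=list)  # Principal and Group objects


def can_contain(group, member):
    """Return (allowed, reason) for adding `member` to `group`."""
    same_domain = member.domain == group.domain
    if isinstance(member, Principal):
        # Global groups take accounts from their own domain only; the other
        # two scopes accept accounts from any domain in the forest.
        if group.scope == GLOBAL and not same_domain:
            return False, "global groups only contain accounts from their own domain"
        return True, "ok"
    if group.scope == GLOBAL:
        if member.scope == GLOBAL and same_domain:
            return True, "ok"
        return False, "global groups only nest global groups from the same domain"
    if group.scope == UNIVERSAL:
        if member.scope in (GLOBAL, UNIVERSAL):
            return True, "ok"
        return False, "universal groups cannot contain domain local groups"
    # group.scope == DOMAIN_LOCAL: any global/universal, or same-domain domain local
    if member.scope in (GLOBAL, UNIVERSAL) or same_domain:
        return True, "ok"
    return False, "domain local groups only nest domain local groups from the same domain"


def can_convert(group, new_scope, all_groups):
    """Return (allowed, reason) for changing `group` to `new_scope`.
    Only conversions to or from universal are possible; domain local <-> global
    has to go through universal in two steps."""
    if group.scope == new_scope:
        return True, "no change"
    nested = [m for m in group.members if isinstance(m, Group)]
    if group.scope == DOMAIN_LOCAL and new_scope == UNIVERSAL:
        if any(m.scope == DOMAIN_LOCAL for m in nested):
            return False, "remove the domain local member groups first"
        return True, "ok"
    if group.scope == GLOBAL and new_scope == UNIVERSAL:
        if any(g.scope == GLOBAL and group in g.members for g in all_groups):
            return False, "the group is a member of another global group"
        return True, "ok"
    if group.scope == UNIVERSAL and new_scope == DOMAIN_LOCAL:
        return True, "ok"
    if group.scope == UNIVERSAL and new_scope == GLOBAL:
        if any(m.scope == UNIVERSAL for m in nested):
            return False, "remove the universal member groups first"
        return True, "ok"
    return False, f"{group.scope} -> {new_scope} is not a direct conversion"


def agdlp_example():
    """The Sales / SalesPrinters pattern from the text, plus one illegal
    attempt (an account from another domain in a global group).
    Returns {'member -> group': allowed}."""
    alice = Principal("alice", "home.local")
    bob = Principal("bob", "branch.local")
    sales = Group("Sales", "home.local", GLOBAL)
    sales_printers = Group("SalesPrinters", "home.local", DOMAIN_LOCAL)
    verdicts = {}
    for grp, member in [(sales, alice), (sales, bob), (sales_printers, sales)]:
        ok, _reason = can_contain(grp, member)
        verdicts[f"{member.name} -> {grp.name}"] = ok
        if ok:
            grp.members.append(member)
    return verdicts


if __name__ == "__main__":
    for edge, ok in agdlp_example().items():
        print(f"{edge}: {'allowed' if ok else 'refused'}")
```

Running it refuses only "bob -> Sales", because bob's account lives in branch.local and Sales is a global group of home.local; the same checker refuses converting a domain local group to universal while it still nests another domain local group, which is the case the snap-in reports with a generic error.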
Local vs. Active Directory Groups
The group types and scopes outlined above apply to Windows 2003 servers that are members or domain controllers of an Active Directory domain; those groups are stored in Active Directory on the domain controllers. Groups also exist at the local machine level, even when Active Directory is not in use. You create local groups in the computer's own SAM database with the Local Users and Groups MMC snap-in, and they can be used to assign permissions on that computer only.
Default Groups
Windows 2003 creates default groups in the Builtin container and the Users container. The following lists show the groups created in a Windows 2003 domain by default (this may vary per configuration and on the installed Windows components). The first list shows the groups in the Builtin container. These groups are all domain local groups and cannot be moved to another container or OU.
- Account Operators - Members of this group can administer domain user and group accounts, log on locally, and shut down domain controllers. Account Operators cannot modify the Administrators or Domain Admins groups or the accounts in them, but because they can create and modify every other account, treat the group as privileged and keep its membership empty unless it is needed.
- Administrators - Members of this group have full access to the domain or computer. By default, this group contains the Domain Admins and Enterprise Admins groups and the Administrator user account.
- Backup Operators - Members of this group can back up or restore files without being limited by file permissions, which means they can read any file on the system and replace files on restore. Backup Operators can also log on locally and shut down domain controllers.
- Guests - Members of this group have the same permissions and rights as the Users group by default. The Guest user account is disabled by default. The Guests group contains the Domain Guests group as a member.
- Incoming Forest Trust Builders - Members of this group can create incoming, one-way trust relationships to this forest. This group appears only in the root domain of the forest.
- Network Configuration Operators - Members of this group can change the TCP/IP settings on domain controllers in the domain.
- Performance Monitor Users - Members of this group can monitor performance counters on domain controllers in the domain.
- Performance Log Users - Members of this group can manage performance counters, logs and alerts on domain controllers in the domain.
- Pre-Windows 2000 Compatible Access - Members of this group have read access to all users and groups in the domain. It exists for backward compatibility with computers running versions of Windows earlier than Windows 2000, such as Windows NT 4. The Everyone group (and, on Windows Server 2003, Anonymous Logon) is added to this group if you choose pre-Windows 2000 compatible permissions when promoting the domain controller, which lets unauthenticated clients enumerate the domain's users and groups; remove those members once no pre-Windows 2000 systems need the access.
- Print Operators - Members of this group have the rights to administer printers connected to domain controllers and shared printer objects in Active Directory. Print Operators can also log on locally and shut down domain controllers.
- Remote Desktop Users - Members of this group are granted the right to log on remotely through a Terminal Services (Remote Desktop) session.
- Replicator - A system group used for file replication in a domain. This group has no members, and you should not add any.
- Server Operators - Members of this group can administer shared resources on domain servers, start and stop certain services, and format hard disks. Additionally, members of this group have the same rights Backup Operators have.
- Users - Members of this group have sufficient permissions and rights to run certified Windows applications, but cannot run most legacy applications. This prevents regular users from making system-wide changes.
The following default groups reside in the Users container in the Active Directory. The Users container contains domain local, global, and universal scope default groups. These groups can be moved to another OU if desired.
- Cert Publishers - Members of this group can publish digital certificates for users and computers.
- DnsAdmins - Members of this group have permissions to administer DNS.
- DnsUpdateProxy - Members of this group can register DNS records on behalf of clients. A DHCP server that performs dynamic updates for DHCP clients should be a member of this group. Records registered by a member of this group have no owner, so any authenticated client can later overwrite them; keep the membership to the DHCP servers only.
- Domain Admins - Members of this group have full control of the domain. This group is a member of the Administrators group on all domain members, including domain controllers. The Administrator user account is a member of this group by default.
- Domain Computers - This group contains the computer accounts of all clients and servers joined to the domain.
- Domain Controllers - This group contains all domain controllers in the domain.
- Domain Guests - This group contains all domain guests.
- Domain Users - This group contains all domain users. When you create a new user account in the domain, it will automatically become a member of the Domain Users group.
- Enterprise Admins - Members of this group have full control of all domains in the forest. This group is a member of the Administrators group on all domain controllers in the forest. The Administrator user account is a member of this group by default.
- Group Policy Creator Owners - Members of this group can create new Group Policy objects in the domain and modify the GPOs they create. The Administrator user account is a member of this group by default.
- IIS_WPG - The IIS worker process group used by Internet Information Services (IIS) 6.0; the identities that application pools run as must be members of it.
- RAS and IAS Servers - Servers in this group have access to the remote access properties of users. This group is used for IAS servers that perform authentication for a collection of RRAS servers.
- Schema Admins - Members of this group can modify the Active Directory schema. The Administrator user account is a member of this group by default.
The remaining entries are special identities (well-known security principals) rather than group objects: you cannot view or change their membership, because it is determined by how a user logs on.
- Everyone - All authenticated users plus the Guest account. On Windows Server 2003, unlike Windows 2000, it no longer includes Anonymous Logon.
- Anonymous Logon - Users who connected without supplying credentials.
- Network - Users currently logged on to the computer over the network. This is the complement of the Interactive identity.
- Interactive - Users currently logged on at the local computer (including Terminal Services sessions). This is the complement of the Network identity.
Groups are created by using the Active Directory Users and Computers MMC snap-in. To create a new group, right-click the domain or OU in which you want to create the group, select New, and then click Group. The New Object - Group dialog box, displayed below, will open. You will need to provide a name, and you can choose the group scope and group type.
When you open the properties sheet of an existing group, you can associate a description and an e-mail address with the group and change the scope and type on the General tab. The Members tab of the group's properties allows you to add members to this group, and the Member Of tab allows you to join this group to other groups. On the Managed By tab, you can specify a person that is responsible for this group, and specify whether this person should be able to add and remove members to and from this group.
You can move a group to another container, from the Users container to a departmental OU for example, by right-clicking the group and selecting Move from the context menu. With the exception of universal groups, groups can be moved within a domain only. When you move a universal group from one domain to another, you will have to reassign permissions and rights as they will be lost in the process. The member settings of the universal group will be retained.
Find the group membership for a user
In a large Active Directory with many groups it can be hard to keep track of which groups a user belongs to. The Member Of tab of a user's properties displays the groups the user is a direct member of, but it does not show groups in trusted domains that the user belongs to. For a more complete list, you can use the Dsget.exe command-line utility. The syntax for displaying group membership is:
dsget user UserDN -memberof -expand
The UserDN parameter is the user's distinguished name, for example:
dsget user "CN=John Dow,CN=users,dc=home,dc=local" -memberof -expand
Without the -expand option, only the groups the user is joined to directly are displayed. With this option, each group is expanded to determine membership through nested groups. For example, when a user is a member of the Domain Users default group, it is also a member of the Users built-in group, because the Domain Users group is a member of the Users group.
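Dsget does the expansion against the live directory. The Python below, added here as an example and not part of the original page, does the same expansion over a small directory built in memory so you can see what -expand adds over a direct listing, and then turns the view around to list which accounts effectively land in the privileged default groups, which is the question a security review usually asks. The directory contents, including the Helpdesk nesting loop, are constructed; only the default group names and the nesting of Domain Users in Users and Domain Admins in Administrators come from the text.

```python
# Added example, not from the original page: expands nested group membership
# the way "dsget user ... -memberof -expand" does, over a small constructed
# directory, and reports which accounts effectively land in privileged groups.
# The directory below is constructed for the example; only the default group
# names and the nesting of Domain Users in Users and Domain Admins in
# Administrators follow the text.

# group name -> set of direct members; a member that is itself a key is a group.
DIRECTORY = {
    "Administrators": {"Administrator", "Domain Admins", "Enterprise Admins"},
    "Domain Admins": {"Administrator"},
    "Enterprise Admins": {"Administrator"},
    "Users": {"Domain Users"},
    "Domain Users": {"Administrator", "jdow", "asmith"},
    # A nesting loop (Helpdesk <-> Server Ops Delegates): AD allows this
    # between global groups, so the expansion must tolerate it.
    "Helpdesk": {"asmith", "Server Ops Delegates"},
    "Server Ops Delegates": {"Helpdesk"},
    "Server Operators": {"Server Ops Delegates"},
}

PRIVILEGED = ("Administrators", "Domain Admins", "Enterprise Admins",
              "Account Operators", "Server Operators", "Backup Operators")


def direct_groups(principal, directory=DIRECTORY):
    """Groups the principal is a direct member of (what the Member Of tab shows)."""
    return {g for g, members in directory.items() if principal in members}


def expanded_groups(principal, directory=DIRECTORY):
    """Transitive membership (what -expand shows). A visited set stops nesting loops."""
    seen, stack = set(), list(direct_groups(principal, directory))
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(direct_groups(g, directory))
    return seen


def effective_members(group, directory=DIRECTORY):
    """Inverse view: every account that ends up in `group` through any nesting path."""
    accounts, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        for m in directory.get(g, ()):
            if m in directory:       # nested group: keep walking
                stack.append(m)
            else:                    # leaf: an account
                accounts.add(m)
    return accounts


def privileged_reach(directory=DIRECTORY, privileged=PRIVILEGED):
    """account -> sorted privileged groups it effectively belongs to.
    Accounts that reach none of them are omitted."""
    accounts = {m for members in directory.values() for m in members if m not in directory}
    report = {}
    for account in sorted(accounts):
        hit = sorted(expanded_groups(account, directory) & set(privileged))
        if hit:
            report[account] = hit
    return report


if __name__ == "__main__":
    print("direct  :", sorted(direct_groups("jdow")))
    print("expanded:", sorted(expanded_groups("jdow")))
    for account, groups in privileged_reach().items():
        print(f"{account}: {', '.join(groups)}")
```

For jdow the direct listing is only Domain Users, while the expanded listing adds Users, exactly as the paragraph above describes. The second report is the one worth keeping in a review: asmith never appears in Server Operators directly, but reaches it through Helpdesk and Server Ops Delegates, and the loop between those two groups does not hang the expansion.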
Automated Group Management
Instead of creating and modifying groups manually, you can automate group management with command-line utilities. Csvde.exe is one tool for performing batch changes to Active Directory: it exports to and imports from a file in comma-separated value (CSV) format, but on import it can only add new objects. Ldifde.exe is a more advanced tool that can create, modify, and delete Active Directory objects using the LDIF format. You can use Ldifde to extend the schema and to export and import Active Directory user and group data to and from other directories.
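As an added example (not code from the original page), the Python below generates an LDIF file that ldifde -i -f can import to create the Sales and SalesPrinters groups from the group scope section and nest one in the other, and decodes the groupType attribute you will find in ldifde and csvde exports. The container OU=Groups,DC=home,DC=local is assumed for the example; the groupType bit values are the ones Active Directory uses.

```python
# Added example, not from the original page: writes an LDIF file that
# "ldifde -i -f groups.ldf" can import to create the Sales and SalesPrinters
# groups from the scope section and nest one in the other, and decodes the
# groupType values that ldifde and csvde exports contain. The container
# OU=Groups,DC=home,DC=local is constructed for the example.

# groupType is a bit field: one scope bit, plus 0x80000000 for a security
# group (absent for a distribution group). AD stores it as a signed 32-bit int.
SCOPE_GLOBAL, SCOPE_DOMAIN_LOCAL, SCOPE_UNIVERSAL = 0x2, 0x4, 0x8
SECURITY_ENABLED = 0x80000000
SCOPE_NAMES = {SCOPE_GLOBAL: "global", SCOPE_DOMAIN_LOCAL: "domain local",
               SCOPE_UNIVERSAL: "universal"}


def group_type(scope, security=True):
    """Signed groupType as AD stores it, e.g. -2147483646 for a global security group."""
    value = scope | (SECURITY_ENABLED if security else 0)
    return value - 0x100000000 if value & 0x80000000 else value


def decode_group_type(value):
    """Inverse: (scope name, 'security' | 'distribution') from an exported groupType."""
    unsigned = value & 0xFFFFFFFF
    scope = SCOPE_NAMES[unsigned & 0xE]
    kind = "security" if unsigned & SECURITY_ENABLED else "distribution"
    return scope, kind


def ldif_add_group(dn, sam, scope, security=True):
    """One 'changetype: add' record for a group object."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: add",
        "objectClass: group",
        f"sAMAccountName: {sam}",
        f"groupType: {group_type(scope, security)}",
        "",
    ])


def ldif_add_member(group_dn, member_dn):
    """One 'changetype: modify' record that appends a value to the member attribute."""
    return "\n".join([
        f"dn: {group_dn}",
        "changetype: modify",
        "add: member",
        f"member: {member_dn}",
        "-",
        "",
    ])


def agdlp_ldif(base="OU=Groups,DC=home,DC=local"):
    """Global group Sales nested in domain local group SalesPrinters (the AGDLP pattern)."""
    sales = f"CN=Sales,{base}"
    printers = f"CN=SalesPrinters,{base}"
    return "\n".join([
        ldif_add_group(sales, "Sales", SCOPE_GLOBAL),
        ldif_add_group(printers, "SalesPrinters", SCOPE_DOMAIN_LOCAL),
        ldif_add_member(printers, sales),
    ])


def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line-separated record,
    every attribute as a list of values (member is multi-valued)."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line == "-":          # separator between changes in a modify record
            continue
        key, _, val = line.partition(":")
        current.setdefault(key.strip(), []).append(val.strip())
    if current:
        records.append(current)
    return records


if __name__ == "__main__":
    print(agdlp_ldif())
```

Save the output as groups.ldf and import it with ldifde -i -f groups.ldf. The third record is the reason to reach for Ldifde rather than Csvde here: it modifies an existing object (adding a member), and Csvde only adds. When reading an export, the decoder turns the opaque -2147483646 in a groupType column back into "global security group", which is what you need when auditing whether a group can carry permissions at all.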
