Authoritative Restore

An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup. If you do not want to replicate the changes that have been made subsequent to the last backup operation, you must perform an authoritative restore. For example, you must perform an authoritative restore if you inadvertently delete users, groups, or OUs from Active Directory and you want to restore the system so that the deleted objects are recovered and replicated. Authoritative restore is typically used to restore a system to a previously known state, for example before Active Directory objects were erroneously deleted.

To authoritatively restore Active Directory data, you must run the Ntdsutil utility after you have performed a nonauthoritative restore of the system state data but before you restart the server. The Ntdsutil utility allows you to mark objects as authoritative. Marking objects as authoritative changes the update sequence number of an object so it is higher than any other update sequence number in the Active Directory replication system. This ensures that any replicated or distributed data that you have restored is properly replicated or distributed throughout your organization. The Ntdsutil utility can be found in the %Systemroot%\System32 directory and accompanying documentation within the Windows Server 2003 Help files (available from the Start menu).

For example, suppose you back up the system on Monday, and then create a new user called Ben Smith on Tuesday, which replicates to other domain controllers in the domain, but on Wednesday, another user, Nancy Anderson, is accidentally deleted. To authoritatively restore Nancy Anderson without reentering her information, you can nonauthoritatively restore the domain controller with the backup created on Monday. Then, using Ntdsutil, you can mark the Nancy Anderson object as authoritative. The result is that Nancy Anderson is restored without any effect on Ben Smith.
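The Monday/Tuesday/Wednesday scenario above, worked through in a small Python model. This is an added example, not part of the original lesson and not Microsoft's or Ntdsutil's code. It assumes a deliberately simplified replication rule: every object carries a single version stamp, a deletion leaves a tombstone with a raised stamp, and a domain controller accepts a peer's copy of an object only when that copy's stamp is higher than its own. Real Active Directory compares per-attribute stamps, and the increment size used here (100000) is a constructed value standing in for the large bump Ntdsutil applies when it marks an object authoritative.

```python
import copy

# Constructed value: any increment large enough that the restored copy outranks
# every change made since the backup will do for this model.
AUTHORITATIVE_INCREMENT = 100_000


def new_object(**attrs):
    """A freshly created directory object, stamped at version 1."""
    return {"version": 1, "deleted": False, "attrs": attrs}


def delete_object(dc, dn):
    """Deletion leaves a tombstone; it is a change, so the stamp rises."""
    obj = dc[dn]
    obj["deleted"] = True
    obj["version"] += 1


def replicate(src, dst):
    """One-way replication: dst takes any object whose src copy has a higher stamp."""
    for dn, obj in src.items():
        if dn not in dst or obj["version"] > dst[dn]["version"]:
            dst[dn] = copy.deepcopy(obj)


def mark_authoritative(dc, dn):
    """The Ntdsutil step: raise the stamp above anything else in the domain."""
    dc[dn]["version"] += AUTHORITATIVE_INCREMENT


def live_objects(dc):
    """Distinguished names of objects that are present and not tombstoned."""
    return {dn for dn, obj in dc.items() if not obj["deleted"]}


def run_scenario(authoritative):
    """Replay the lesson's example on two DCs; return their final state."""
    dc1, dc2 = {}, {}
    # Monday: both DCs hold Nancy Anderson; dc1 is backed up.
    dc1["cn=Nancy Anderson"] = new_object(givenName="Nancy", sn="Anderson")
    replicate(dc1, dc2)
    backup_of_dc1 = copy.deepcopy(dc1)
    # Tuesday: Ben Smith is created on dc1 and replicates to dc2.
    dc1["cn=Ben Smith"] = new_object(givenName="Ben", sn="Smith")
    replicate(dc1, dc2)
    # Wednesday: Nancy is deleted on dc2 and the tombstone replicates to dc1.
    delete_object(dc2, "cn=Nancy Anderson")
    replicate(dc2, dc1)
    # Recovery: nonauthoritative restore of dc1 from Monday's backup.
    dc1 = copy.deepcopy(backup_of_dc1)
    if authoritative:
        # Done before the restored DC restarts and rejoins replication.
        mark_authoritative(dc1, "cn=Nancy Anderson")
    # The DC restarts and replication resumes in both directions.
    replicate(dc2, dc1)
    replicate(dc1, dc2)
    return {"dc1": dc1, "dc2": dc2}


if __name__ == "__main__":
    for flag in (False, True):
        state = run_scenario(authoritative=flag)
        print("authoritative=%s dc1=%s dc2=%s" % (
            flag, sorted(live_objects(state["dc1"])), sorted(live_objects(state["dc2"]))))
```

Running `run_scenario(False)` shows the problem the lesson describes: after the nonauthoritative restore alone, the tombstone for Nancy Anderson still outranks the restored copy, so inbound replication deletes her again. With the authoritative bump the restored copy wins on every domain controller, while Ben Smith, who does not exist in Monday's backup, is simply replicated back in from the peer.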


Lesson Summary

• Three Active Directory administrative consoles are available on the Administrative Tools menu of all Windows Server 2003 domain controllers. The Active Directory Schema snap-in is also available on a domain controller, but must be installed manually to ensure the schema is not modified by accident.

• Domain functional level (formerly known as the domain mode) provides a way to enable domain-wide Active Directory features within your network environment. Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. The change in domain functional level is one-way only.

• Forest functional level provides a way to enable forest-wide Active Directory features within your network environment. Three forest functional levels are available: Windows 2000 (default), Windows Server 2003 interim, and Windows Server 2003. You can raise the functional level of a forest to Windows Server 2003 only if all domain controllers in the forest are running Windows Server 2003.

• You can add alternative UPN suffixes to simplify administration and user logon processes by providing a single UPN suffix for all users. Using alternative domain names as the UPN suffix can provide additional logon security and simplify the names used to log on to another domain in the forest.

• Several additional tools that can be used to configure, manage, and debug Active Directory are available in the Windows Support Tools. To use these tools you must first install the Windows Support Tools on your computer.

Verifying Active Directory Installation

Verifying Active Directory installation involves verifying the domain configuration, DNS configuration, DNS integration with Active Directory, installation of the shared system volume, and operation of the Directory Services Restore Mode boot option. This lesson shows you how to verify your Active Directory installation.

After this lesson, you will be able to

• Verify Active Directory installation

Estimated lesson time: 15 minutes

Verifying an Active Directory Installation

After you have completed the installation of Active Directory, you must verify that Active Directory has been correctly installed. You can do this by verifying the following:

• Domain configuration

• DNS configuration

• DNS integration with Active Directory

• Installation of the shared system volume

• Operation of the Directory Services Restore Mode boot option

Exercise: Configuring a Static IP Address and Preferred DNS Server

In this exercise, you configure a static IP address and a preferred DNS server to prepare your servers for Active Directory service installation in Lesson 2.

To configure a static IP address and preferred DNS server

1. Log on to both servers as Administrator using "password" as your password.

Security Alert In a real-world environment, always be sure to use a complex password. Microsoft recommends mixing uppercase and lowercase letters, numbers, and symbols (for example, Lp6*g9F2).

2. Use the procedure provided earlier in this lesson to configure a static IP address for Server1. Configure Server1 as its own preferred DNS server. See your network administrator for valid IP addresses or use 192.168.1.1.

3. Use the procedure provided earlier in this lesson to configure a static IP address for Server2. Configure Server1 as the preferred DNS server. See your network administrator for valid IP addresses or use 192.168.1.2.

What Is an Active Directory Infrastructure Design?

Before you implement Active Directory in your organization, you need to devise some type of plan. An Active Directory infrastructure design is a plan you create that represents your organization's network infrastructure. You use this plan to determine how you will configure Active Directory to store information about objects on your network and make the information available to users and network administrators.

Because your Active Directory infrastructure design is key to the success of your Windows Server 2003 deployment, you must thoroughly gather information for, develop, and test your design before deployment. A significant amount of rethinking, redevelopment, and retesting might also be necessary at various points during the design process to ensure that your design meets the needs of your organization. An effective infrastructure design helps you provide a cost-effective deployment, eliminating the need to spend time and money reworking your infrastructure.

Design Tools

To develop an effective Active Directory infrastructure design, you must assemble the following tools:

Design team

Business and technical analyses

Test environment

Assembling a Design Team

Before you begin designing your Active Directory infrastructure, you must identify the people in your organization who should be involved in the design process and assemble them into a design team. To ensure that all aspects of your organization are addressed in your Active Directory implementation, you might want to employ a multilevel team design consisting of the following three panels:

Infrastructure designers: The key personnel involved in designing your Active Directory infrastructure

Staff representatives: The personnel throughout the organization who are responsible for carrying out daily operations

Management representatives: The management-level personnel who are responsible for approving business decisions within the organization

The design team members selected for each panel must be willing and be permitted to commit their time and talents throughout the design process to ensure that the infrastructure design effectively meets the requirements of their organization.

Why Have a Directory Service?

A directory service provides the means to organize and simplify access to resources of a networked computer system. Users and administrators might not know the exact name of the objects they need. However, they might know one or more characteristics of the objects in question. As illustrated in Figure 1-1, they can use a directory service to query the directory for a list of objects that match known characteristics. For example, "Find all color printers on the third floor" queries the directory for all color printer objects that are associated with the third floor characteristic (or maybe a location characteristic that has been set to "third floor"). A directory service makes it possible to find an object based on one or more of its characteristics.

Figure 1-1 Using a directory service

A directory service is both an administration tool and an end user tool. As a network becomes larger, more objects must be managed and the directory service becomes a necessity.
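The "find all color printers on the third floor" query above, made concrete. Active Directory answers such queries through LDAP, whose search filters express exactly the "objects matching these characteristics" idea the text describes. The following is an added example, not code from the original lesson or from Microsoft: a small Python evaluator for LDAP-style filters run over a constructed in-memory directory. The attribute names follow the Active Directory printQueue schema (printColor, location); the entries themselves, and the absence of RFC 4515 escape handling, are assumptions of this example.

```python
# Constructed directory standing in for a slice of Active Directory.
# Values are lists because directory attributes are multi-valued.
DIRECTORY = [
    {"cn": ["HQ-Color-3F"], "objectClass": ["printQueue"], "printColor": ["TRUE"], "location": ["third floor"]},
    {"cn": ["HQ-Mono-3F"], "objectClass": ["printQueue"], "printColor": ["FALSE"], "location": ["third floor"]},
    {"cn": ["HQ-Color-1F"], "objectClass": ["printQueue"], "printColor": ["TRUE"], "location": ["first floor"]},
    {"cn": ["Nancy Anderson"], "objectClass": ["user"], "location": ["third floor"]},
]


def parse_filter(text):
    """Parse an LDAP search filter (RFC 4515 syntax, no escape handling) into a tree.

    Nodes: ("&", [children]), ("|", [children]), ("!", [child]),
    ("=", attribute, value); the value "*" is a presence test.
    """
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("unexpected text after filter: %r" % s[pos:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i = s[i], i + 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), _close(s, i)
    if i < len(s) and s[i] == "!":
        child, i = _parse(s, i + 1)
        return ("!", [child]), _close(s, i)
    end = s.find(")", i)
    if end == -1:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("expected attribute=value in %r" % s[i:end])
    return ("=", attr, value), end + 1


def _close(s, i):
    """Consume the ')' that ends a compound item, or fail on malformed input."""
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def matches(entry, node):
    """Evaluate a parsed filter against one directory entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(entry, c) for c in node[1])
    if kind == "|":
        return any(matches(entry, c) for c in node[1])
    if kind == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    # Attribute names and the string values used here compare case-insensitively,
    # as they do for the usual Active Directory string syntaxes.
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":
        return bool(values)
    return value.lower() in values


def search(directory, filter_text):
    """Return the cn of every entry that matches the filter, in directory order."""
    node = parse_filter(filter_text)
    return [entry["cn"][0] for entry in directory if matches(entry, node)]


if __name__ == "__main__":
    print(search(DIRECTORY, "(&(objectClass=printQueue)(printColor=TRUE)(location=third floor))"))
```

The first query in the block is the lesson's example written as a filter: an AND of three characteristics, none of which is the object's name. The same evaluator handles OR, NOT and presence tests, so "every printer that is not color" or "every object with any location set" are one-line changes to the filter string rather than new code.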

The Windows Server 2003 Directory Service

Active Directory is the directory service included in the Windows Server 2003 family. Active Directory includes the directory, which stores information about network resources, as well as all the services that make the information available and useful. Active Directory is also the directory service included in Windows 2000.

The Impact of the Framework on the Design

All sound security designs seek to prevent security failure, but designers of well-formulated security plans also realize that good security allows for the detection of attempted or successful intrusions and provides a method for coping with such events. Sound security designs include instructions on how to isolate compromised systems and how to recover should the worst nightmare become a reality.

Many, but not all, experienced designers know that detection and incident response are necessary parts of a design. Less experienced designers might not consider these things. Having and using a framework that states the importance of these things allows all designers to approach each design as if they were wise beyond their own experience and knowledge.

Microsoft 70-290 Exam Overview

The Microsoft Windows Server 2003 exam, 70-290, is one of the core exams of the MCSE, MCSA, and even the MCDBA (Database Administration) certification tracks. The exam is designed to test a candidate's knowledge of managing a Windows Server 2003 environment. It also tests the candidate's ability to configure Windows Server 2003 to work with key Windows features and operate efficiently over a Windows network.

Exam Costs: $125 per attempt. You can buy exam vouchers from VUE or Prometric to get a discount. Many online vendors also offer discounts for specific exams; see the "vouchers" section to learn more about exam discounts through vouchers.

Exam Location: You can register for the exam at any Pearson VUE or Thomson Prometric center.

Time Allocated: 3 hours per exam

Total marks: Graded from 100-1000 marks

Minimum Pass Marks: About 700

Number of Questions: 40-60 questions per exam

Exam Code: 70-290

Pre-requisites: None. Experience managing a Windows Server 2003 network with many users is recommended.

Exam format: Linear format; computer-based test (CBT)

Validation Period: Expires after around 4-5 years (when new and more relevant Microsoft products are released)

Score Report: Delivered immediately on test completion.

70-290 Exam Question Types

Multiple Choice with Single answer: Student is required to select a single answer from a range of options (generally 4-5) by clicking on a radio button.

Multiple Choice with Multiple answer: Student is required to select a range of options. The number of options to select is specified.

Fill in the Blank: Student is required to type in the missing text to complete the sentence.

Exhibit-based: Some questions require the student to actively use the exhibits presented in order to answer the question correctly.

Simulation: Some questions on the exam require the student to accurately perform certain actions in a simulated Windows Server environment.