MCSE 70-290, Windows Server 2003 Network Infrastructure

The Public Key Infrastructure (PKI) necessary to support the use of certificates in a Windows Server 2003 forest was described in Chapter 2. Certificates can also be used by other operating systems and devices on the network. You will need to check for compatibility. The other operating systems can use browser access to request and install certificates. If certificates are chosen as an authentication process for your organization, remember to require the setup of a Web-enrollment server.

Authentication Protocols That Can Be Used by Different Operating Systems

For communication between systems in a heterogeneous network to occur, a mutual authentication algorithm must exist. Many possible options exist for Windows systems. Non-Windows systems use many systems and protocols that are not compatible with Windows systems. In addition, they might be able to use compatible remote access authentication protocols such as Password Authentication Protocol (PAP) and perhaps Challenge Handshake Authentication Protocol (CHAP), and many use basic authentication to Web-based applications. Table 6-4 lists the Windows authentication protocols and indicates the operating systems for which each authentication protocol can be used.

Caution Although the Kerberos authentication protocol is selected as being available for each operating system, this does not mean it is implemented and available on the version of the operating systems that are present in any environment.

Table 6-4 Authentication Protocols and the Operating Systems That Can Use Them

Note The question marks in the table are there because some Samba servers require a plain-text password to be used instead of the LM or NTLM network authentication protocol. Other Samba servers can participate and use one or more of the LM-based network authentication protocols.

Techniques for Strengthening Authentication Processes

It's not enough to simply find an authentication process that will work across disparate systems. If it were, passing passwords in clear text across the network might turn out to be the one protocol that every operating system might be configured to accept. Instead, you should seek to strengthen authentication protocols and, if this is a more secure solution, allow the use of multiple authentication protocols on the network.

Examples of choices that can be made and operations that can be implemented to strengthen authentication processes are:

• Use NTLMv2 where Kerberos cannot be used on a Windows Network

• Use Kerberos for authentication between UNIX and Windows systems

• Use certificates for authentication

The following sections describe these techniques and provide guidelines for when they are appropriate.

Pass MCSE-2003 70-290 exam in first attempt. 439 questions with detailed explanation and 131 study notes. 70-290 - Microsoft Windows Server 2003 Environment study notes, articles and mock test. 99% pass rate, 100% money back guarantee. Based on lates PrepKit MCSE-2003 70-290, Microsoft Windows Server 2003 Environment is an interactive software application that helps you learn, tracks your progress, identifies areas for improvements and simulates the actual exam. This PrepKit contains 5 interactive practice tests with over 439 challenging questions guaranteed to comprehensively cover all the objectives for the 70-290: MCSE Windows Server 2003 Environment exam. With detailed analysis for each question, over 131 study notes, interactive quizzes, tips and technical articles, this PrepKit ensures that you get a solid grasp of core technical concepts to ace your certification exam. Our PrepKits help you get certified. You save both, time and money. As a matter of fact, we do better than that. Each PrepKit is backed by money back guarantee. So, if you don't get certified in the first attempt, we will return your money.

Any domain controller that holds a replica of a particular directory partition (including application directory partitions) is said to be a member of the replica set for that directory partition. You can use Ntdsutil to list the domain controllers that are members of a particular replica set for an application directory partition. An addition of a domain controller to the replica set attribute on the cross-reference object does not create the replica, but it will display when the list nc replica command is used in Ntdsutil. The creation of the instance must replicate before the creation of the replica is complete.

To display application directory partition information:

1. Type the appropriate commands to invoke the Ntdsutil domain management

command.

2. At the domain management command prompt, do one or more of the following:

a To show the distinguished names of known directory partitions, type: list.

Q To show the reference domain and replication delays for an application directory partition, type: list nc information DistinguishedName, where DistinguishedName is the distinguished name of the application directory partition you want information about.

Q To show the list of domain controllers in the replica set for an application directory partition, type: list nc replicas DistinguishedName, where Dis-tinguishedName is the distinguished name of the application directory parti¬tion you want information about.

Changes made to a particular directory partition on a particular domain controller are replicated to the other domain controllers that contain that directory partition. The domain controller on which the change was made notifies its replication partners that it has a change. You can configure how long the domain controller will wait to send the change notification to its first replication partner. You can also configure how long it waits to send the subsequent change notification to its remaining replication partners. These delays can be set for any directory partition (including domain directory partitions) on a particular domain controller.

To set a replication notification delay:

1. Type the appropriate commands to invoke the ntdsutil domain management

command.

2. At the domain management command prompt, type:

set nc replicate notification delay ApplicatianDirectoryPartitian DelayIn-Seconds AdditianalDelaylnSeconds, where ApplicationDirectoryPartition is the distinguished name of the application directory partition for which you want to set a notification delay, DelaylnSeconds is the number of seconds to delay before sending the change notification to the first replication partner, and Addi-tionalDelaylnSeconds is the number of seconds to delay before sending subsequent change notifications to the remaining replication partners.

Announcing an all-new MCSA/MCSE Training Kit designed to help maximize your performance on 70-290 Exam, a core exam for the new Windows Server 2003 certification. This kit packs the tools and features that exam candidates want most—including in-depth, self-paced training based on final exam content; rigorous, objective-by-objective review; exam tips from expert, exam-certified authors; and a robust testing suite. It also provides real-world scenarios, case study examples, and troubleshooting labs for skills and expertise that you can apply to the job. Focusing on account and resource management in a Windows Server 2003 environment, this official study guide covers topics such as managing physical and logical devices; users, computers, and groups; access and permissions; the server environment; and disaster recovery services. Ace your exam preparation and ramp up quickly on Windows Server 2003 by working at your own pace through the lessons, hands-on exercises, and practice tests. The flexible, best-of-class test engine on CD features 300 practice questions and pre-assessment and post-assessment capabilities. Choose timed or untimed testing mode, generate random tests, or focus on discrete objectives or chapters, and get detailed explanations for right and wrong answers—including pointers back to the book for further study. You also get a 120-day evaluation version of Windows Server 2003 and a 15 percent exam discount voucher—making this kit an exceptional value and a great career investment.

To design authentication for a heterogeneous network, follow this process:

1. Review available authentication protocols.

2. Document which systems can be configured to use •which authentication protocols.

3. Review techniques for strengthening authentication processes.

4. Review best practices and guidelines for designing authentication for a heterogeneous network.

5. Design a solution.

The following sections provide the information and guidelines you need to complete this process.

Windows Server 2003 does not introduce any new network authentication protocols. Instead, it maintains the ability to be backward compatible with previous versions of Windows. The following authentication protocols must be considered:

• Kerberos

• LAN Manager

• NTLM and NTLMv2

• Certificates

• Remote access protocols

• Web-based protocols

This section describes these authentication protocols in detail, except for the remote access protocols and Web-based protocols, which are examined in Chapters 7 and 13, respectively.

Kerberos version 5 is an Internet Engineering Task Force (IETF) RFC 1510 standard network authentication protocol that is recognized as a very secure protocol. Kerberos is the default protocol used between domain members of a Windows Server 2003 or Windows 2000 domain. The following brief steps describe the Kerberos protocol as implemented on Windows Server 2003 and some of its security benefits. The Kerberos authentication process is split into two parts: authentication and receipt of the ticket granting ticket (TGT), and using the TGT to obtain session tickets.

The problem in obtaining quality 70-290 study guide materials is not that there are too few sources - rather there are so many sources for information, it is increasingly difficult to find an outlet that offers all of the features, products and materials that you need to take and pass your 70-290 exam.

Pass-Guaranteed's 70-290 Practice Test Questions with Explanations are designed with questions, coupled with precise, logical and verified explanations. Pass-Guaranteed's 70-290 practice exam provides you with an examination experience like no other. To take a more authentic exam, you would have to take the exam itself, in an exam center!

Our 70-290 Practice Exam Features:

* Detailed Explanations for all Test Questions
* Exhibits and graphical representations
* Verified Answers Researched by Industry Experts
* Practice Test Questions With Explanations updated on regular basis
* Like actual certification exams, our Practice Tests With Explanations are in multiple-choice format (MCQs).
* Our Question and Answer Explanations are backed by our 100% MONEY BACK GUARANTEE.

Our 70-290 practice exams and study guides are composed by current and active Information Technology experts, who use their experience in preparing you for your future in the IT Industry.

Our exams and questions are constantly being updated. You can check the quality of our practice test updates by visiting our latest news page or signing up to our newsletter for recent updates and new releases to our practice exams. You are not about to purchase a disposable product. 70-290 practice exam updates are supplied free of charge for up to 180 days. Regardless of how soon you decide to take the actual 70-290 examination certification, you will be able to walk into the testing room with confidence using Pass-Guaranteed 70-290 training resources.

Pass-Guaranteed 70-290 practice exam is guaranteed to be 100% braindump free. We value the quality of training you receive through our 70-290 practice exam and will never support 70-290 braindumps, or any 70-290 brain dump site. 70-290 braindump sites cannot compare to the understanding, learning and comprehension you will gain from a non 70-290 braindumps site, based on facts and case studies, like Pass-Guaranteed.

By purchasing our 70-290 practice exam, you will have all that is necessary for completing the 70-290 exam with all 70-290 practice questions that are always up to date. You will receive the highest quality and support with Pass-Guaranteed customer service (live chat) that will fulfill all of your certification needs. Purchase our 70-290 training products today, simply put, Pass-Guaranteed is your key to opening up new doors for a brighter future!

The information in this chapter shows you how to locate, control access to, and delegate administrative control of Active Directory objects. It's important to be able to find Active Directory objects if you need to perform maintenance on an object or if you need to find more information about an object by viewing its attributes. After you've located an object, one of your primary administrative tasks is likely to be setting access permissions, which determine -which users can access the object and the specific actions that they can perform on the object. Finally, being able to delegate administrative control allows you to provide other administrators, groups, or users with the ability to manage the functions in domains or containers according to their needs.

Lessons in this Chapter:

• Lesson 1: Locating Active Directory Objects

• Lesson 2: Controlling Access to Active Directory Objects

• Lesson 3: Delegating Administrative Control of Active Directory Objects . . .

Before You Begin

To complete the lessons in this chapter, you must

• Prepare your test environment according to the descriptions given in the "Getting

Started" section of "About This Book"

• Complete the practices for installing and configuring Active Directory as discussed

in Chapter 2, "Installing and Configuring Active Directory"

• Learn to use Active Directory administration tools as discussed in Chapter 3,

"Administering Active Directory"

• Complete the practices for configuring sites and replication as discussed in Chapter 5,

"Configuring Sites and Managing Replication"

• Complete the practices for implementing an OU structure as discussed in Chapter 6,

"Implementing an OU Structure"

• Complete the practices for creating and maintaining user accounts as discussed in

Chapter 7, "Administering User Accounts"

• Complete the practices for creating and administering group accounts as discussed

in Chapter 8, "Administering Groups"

With many online resources for preparing for the 70-290 exam, you will notice when you read the below information that Pass-Guaranteed is your premier source for your 70-290 exam. With our 70-290 practice tests with explanations, no other vendor will be able to compare to Pass-Guaranteed for quality 70-290 study guides.

70-290 Downloadable, Printable Exams (in PDF format):

Our Exam 70-290 Preparation Material provides you everything you will need to take your 70-290 Exam. The 70-290 Exam details are researched and produced by Professional Certification Experts who are constantly using industry experience to produce precise, logical and verified explanations for the answers.

Exam 70-290 Practice Test with Full Explanations Includes:

* Comprehensive Practice Test Questions with Full Explanations
* Detailed Explanations of all the questions
* Practice Test Questions accompanied by exhibits
* Verified Answers Researched by Industry Experts
* Drag and Drop questions as experienced in the Actual Exams
* Practice Test Questions with Explanations updated on regular basis
* Our Practice Test Questions with Explanations are backed by our 100% MONEY BACK GUARANTEE.
* Like actual certification exams, our Practice Tests with Explanations are in multiple-choice (MCQs)

Our 70-290 Exam will provide you with exam questions and explanations with verified answers that reflect the actual exam. These questions and answer explanations provide you with the experience of taking the actual test. Our 70-290 Exam is not just questions and answers. They are your access to high technical expertise and accelerated learning capacity. Our questions have detailed explanations for every answer and thus ensures that you fully understand the questions and the concept behind the questions. Certification Experts, Certified Computer Trainers, Technical Coworker and Comprehensive Language Masters, who have a solid, verified and certified background and high technical expertise, have compiled these detailed explanations. Pass-Guaranteed’s practice tests will make you feel like you are taking an actual exam at a Prometric or VUE center.

We are constantly updating our Exam 70-290. These 70-290 Exam updates are supplied free of charge to Pass-Guaranteed customers- hereby becoming an investment rather than a disposable product. Our clients receive the most reliable and up-to-date information when they decide to take the 70-290 exam. Like actual certification exams our 70-290 Exam is in multiple-choice format (MCQs). After purchasing our 70-290 practice test with explanations, you are just a step away from being certified. Still not convinced? Try our free samples or choose to buy your 70-290 Practice Exam now!

A group is a collection of users, computers, contacts, and other groups. Distribution groups are used only for e-mail. Security groups are used to grant access to resources.

Group scopes allow you to use groups in different ways to assign permissions. The three group scopes are global, domain local, and universal. Global security groups are most often used to organize users who share similar network access requirements. Domain local security groups are most often used to assign permissions to resources. Universal security groups are most often used to assign permissions to related resources in multiple domains.

Use the following strategy for planning groups: place user accounts into global groups, create a domain local groups for a group of resources to be shared in common, place the global groups into the domain local group, and then assign permissions to the domain local group.

You use the Active Directory Users And Computers console to create groups, delete groups, add members to groups, and change the group scope.

You cannot change the group scope for domains with a domain functional level set to Windows 2000 mixed.

The following scope changes are allowed in domains with the domain functional level set to Windows 2000 native or Windows Server 2003: global to universal, as long as the group is not a member of another group having global scope; domain local to universal, as long as the group being converted does not have another group with a domain local scope as its member; universal to global, as long as the group being converted does not have another universal group as its member; and universal to domain local.

You should avoid running your computer while logged on as an administrator because running Windows Server 2003 as an administrator makes the system vulnerable to Trojan horse attacks and other security risks. If you frequently need to log on as an administrator, use the Run As program, which allows you to run specific tools and programs with permissions other than those provided by the account with which you are currently logged on.

After you assess user needs and have a group plan in place, you are ready to create your groups. Once you have created groups, you might find it necessary to carry out various administrative tasks to maintain them. This lesson shows you how to create groups, delete groups, add members to groups, and change the group scope.

After this lesson, you will be able to

• Create groups

• Delete groups

• Add members to groups

• Change the group scope

Creating a Group

You use the Active Directory Users And Computers console to create groups. With the necessary permissions, you can create groups in any domain in the forest, in an OU, or in a container you have created specifically for groups. The name you select for a group must he unique in the domain where you create the group.

To create a group, complete the following steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users

And Computers.

2. Right-click the appropriate domain, OU, or container, point to New, and click

Group.

3. In the New Object-Group dialog box, shown in Figure 8-4, type the name of the

group in the Group Name box. Note that an entry automatically appears in the

Group Name (Pre-Windows 2000) box, based on the group name you typed.

Select the group scope in the Group Scope box. Select the group type in the

Group Type box. Click OK.