Windows 2000 is a major upgrade to Windows NT, with many new features. While previous versions of Windows have rolled out new features long before questions about them appeared on the MCSE exams, this time Microsoft has changed the MCSE exams as much as the operating system itself.
There are many new topics on the Windows 2000 Exams. With Windows NT networks running smoothly and getting the job done, businesses have been slow to fully embrace and convert to Windows 2000. But for the MCSE, it's out with the old and in with the new. The Win2K exams are proceeding full-steam ahead, and a slew of NT4 exam retirements loom on the horizon.
Here's a guide to the top 12 new technologies covered on the Windows 2000 exams, including examples of how they are being used in the real world. By becoming familiar with these technologies now, you'll have a head start on the MCSE 2000 certification.
Few will argue that the most significant new feature of Windows 2000 is the Active Directory. This is a directory service that manages a database of users, groups, computers, and other network resources in a single hierarchical directory.
Active Directory supports versions 2 and 3 of the LDAP (Lightweight Directory Access Protocol) standard. This allows a Windows 2000 network to share directory information with other LDAP-based services, such as Internet directories and networks using Novell Directory Services (NDS).
Active Directory uses a hierarchical (tree) structure to organize network resources. At the lowest level, objects represent individual resources. These are organized into domains, which are in turn organized into trees. All of the domains within a tree share the same namespace (the standards for computer and other resource naming) and a common schema (a definition of available object types and properties).
A Windows 2000 directory tree can be combined with other trees to form a forest. What distinguishes the trees is that their namespaces are not contiguous with one another; all trees in a forest still share a common schema, a common configuration, and a global catalog.
Microsoft Management Console (MMC) is a generic utility for managing various aspects of Windows 2000. This extensible console can be used for tasks ranging from monitoring system performance to formatting disks. While MMC was available for Windows NT 4 (it shipped with the Option Pack), it has been fully adopted in Windows 2000 and is the standard interface for most administration tasks.
You can access MMC by running MMC.EXE, or by running a shortcut to an MMC console. Most of the administrative tools included with Windows 2000 are actually MMC consoles. MMC uses the following components:
A console is a configuration file that specifies the features that will be accessible to MMC. Different consoles can be loaded for different administrative tasks or configured for use by different administrators.
A snap-in provides a management interface in MMC. For example, Services, Shared Folders, and Local Users and Groups are available snap-ins.
Extensions are snap-ins that add functionality to an existing snap-in. For example, the Shared Folders snap-in has an optional extension called Send Console Message.
A key use of MMC is in the delegation of administrative control. You can assign administrators to manage portions of the Active Directory, give them the appropriate permissions, and create a custom console that provides the functions they need. You can also create taskpads, or simplified MMC interfaces, which perform specific tasks for nontechnical administrators.
Remote Installation Services (RIS) allows you to create a bootable image that can be used to start installations from any networked computer, using a central distribution of installation files. This works with a RIS boot floppy (for supported network adapters) or with computers whose network adapters support remote boot through a PXE boot ROM.
Windows 2000 Server is required to use Remote Installation Services. RIS requires the following services and configuration:
A DNS (domain name service) server
A DHCP (Dynamic Host Configuration Protocol) server
An Active Directory domain controller
A shared NTFS (NT File System) volume for the RIS files (This volume must not be the same volume on which Windows 2000 Server is installed.)
You can then install Windows 2000 Professional on clients by the hundreds in an automated fashion. You can even customize the installation and provide for a logical client-naming scheme.
RIS is most useful in large environments, especially where many computers share identical or similar hardware, and where clients can be started from scratch because all user data resides on servers. Unfortunately, most companies have data scattered across clients and servers, and a RIS installation wipes the client's disk, so an unplanned large-scale rollout could erase local data and cause chaos.
The Encrypting File System (EFS) is part of the new version of NTFS included with Windows 2000. EFS uses a set of keys: a random file encryption key (FEK) generated for each file, the user's public and private key pair, and the recovery agent's public and private key pair (the recovery key). File data is encrypted with the DESX (Data Encryption Standard X) algorithm. Encryption and keys are covered in greater detail in the "Designing Security" chapter of MCSE in a Nutshell: The Windows 2000 Exams.
The FEK encrypts the file contents. The FEK itself is then encrypted with the user's public key and stored with the file, and encrypted again with the recovery agent's public key (taken from the recovery policy at the time of encryption) and stored alongside it. A file can therefore be decrypted by applying either the user's private key or the recovery agent's private key to recover the FEK. In North America, a 128-bit FEK is used; in export versions, a 40-bit FEK is used unless the Windows 2000 High Encryption Pack is installed.
To encrypt a folder's contents, select the General tab from the folder's Properties dialog, and click on Advanced. Select the Encrypt contents to secure data option to encrypt the folder.
Encryption is transparent to the user: files are decrypted automatically when opened, provided the user holds the private key matching the copy of the FEK stored with the file. NTFS permissions alone are not enough; another account with Full Control but without the key is denied access. To decrypt a folder permanently, deselect the Encrypt contents option in the Advanced properties dialog.
A system administrator can create a domain-wide policy, the Encrypted Data Recovery Policy (EDRP), to determine which accounts hold recovery keys and can therefore decrypt any file covered by the policy. This policy applies to all computers that are members of the domain; by default the domain Administrator account is the recovery agent. On a stand-alone machine that is not a member of a Windows 2000 domain, the local Administrator account holds the recovery key. Because a recovery agent's private key decrypts every file under the policy, export it to removable media and remove it from the computer when it is not in use.
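To make the key hierarchy concrete, here is an added example (not Microsoft's EFS code, and not from the original article) that models a file's Data Decryption Field and Data Recovery Field with the Python standard library. Textbook RSA on fixed Mersenne primes stands in for the user's and recovery agent's certificates, and a SHAKE-256 keystream stands in for DESX; both are toy substitutes labelled in the code. The key pairs, the file contents and the third "stranger" account are constructed for the example.

```python
"""Toy model of the EFS key hierarchy. Added example, not Microsoft code.

A fresh random file encryption key (FEK) encrypts the file contents. The FEK
is then stored with the file twice: encrypted to the user's public key (the
Data Decryption Field, DDF) and encrypted to the recovery agent's public key
(the Data Recovery Field, DRF). Either private key recovers the FEK; an
account with NTFS read access but no matching private key gets nothing.

Stand-ins so the script needs only the standard library (both are toys and
neither is how Windows stores keys or encrypts data):
  - textbook RSA on fixed Mersenne primes for the users' certificates;
  - a SHAKE-256 keystream for DESX.
"""
import hashlib
import os
from typing import NamedTuple


class KeyPair(NamedTuple):
    n: int
    e: int
    d: int


def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """Textbook RSA from two caller-supplied primes (toy; no padding)."""
    return KeyPair(p * q, e, pow(e, -1, (p - 1) * (q - 1)))


def wrap_fek(fek: bytes, pub: KeyPair) -> int:
    """Encrypt the FEK to a public key: this is what a DDF or DRF entry holds."""
    m = int.from_bytes(fek, "big")
    assert m < pub.n, "FEK must be smaller than the modulus"
    return pow(m, pub.e, pub.n)


def unwrap_fek(blob: int, priv: KeyPair) -> bytes:
    """Recover the FEK with a private key. The wrong key yields garbage, not an error."""
    m = pow(blob, priv.d, priv.n)
    return m.to_bytes(max(16, (m.bit_length() + 7) // 8), "big")


def stream_cipher(fek: bytes, data: bytes) -> bytes:
    """Stands in for DESX: XOR with a SHAKE-256 keystream derived from the FEK.
    The same call encrypts and decrypts."""
    ks = hashlib.shake_256(fek).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


class EncryptedFile(NamedTuple):
    ciphertext: bytes
    ddf: int   # FEK encrypted to the owning user's public key
    drf: int   # FEK encrypted to the recovery agent's public key


def efs_encrypt(plaintext: bytes, user_pub: KeyPair, recovery_pub: KeyPair) -> EncryptedFile:
    fek = os.urandom(16)   # 128-bit FEK, new for every file
    return EncryptedFile(stream_cipher(fek, plaintext),
                         wrap_fek(fek, user_pub), wrap_fek(fek, recovery_pub))


def efs_decrypt(f: EncryptedFile, priv: KeyPair, field: str) -> bytes:
    """field is "ddf" (the owner's path) or "drf" (the recovery agent's path)."""
    fek = unwrap_fek(f.ddf if field == "ddf" else f.drf, priv)
    return stream_cipher(fek, f.ciphertext)


# Constructed key pairs on Mersenne primes, chosen so every modulus exceeds 2**128.
USER = make_keypair(2**89 - 1, 2**107 - 1)
RECOVERY_AGENT = make_keypair(2**127 - 1, 2**61 - 1)
STRANGER = make_keypair(2**61 - 1, 2**89 - 1)   # has NTFS read access, no EFS key


def demo() -> dict:
    secret = b"payroll.xls contents (constructed sample)"
    f = efs_encrypt(secret, USER, RECOVERY_AGENT)
    return {"owner": efs_decrypt(f, USER, "ddf") == secret,
            "recovery_agent": efs_decrypt(f, RECOVERY_AGENT, "drf") == secret,
            "stranger": efs_decrypt(f, STRANGER, "ddf") == secret}
```

In this model the stranger has exactly the same read access to the file's bytes as the owner and still gets garbage, which is why the recovery policy (who holds a recovery agent's private key) matters more than the NTFS ACL for encrypted data, and why that key should not sit on the same disk as the files it can open.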
Windows 2000 allows users to view files and folders that are physically distributed on multiple computers throughout the domain inside a single folder. A Distributed File System (Dfs) folder on the server will automatically link the user to the correct location of the resource. A Dfs root is the main folder that contains the Dfs links, which are subfolders that are mapped to resources throughout the Windows 2000 domain.
If a file server crashes, a system administrator can point the Dfs link to an alternate location and users will automatically connect to the new location without noticing a change. Dfs does not affect the permissions of the resources it links to. A user must have permissions for the remote resource to gain access to it through the Dfs link.
You can create both stand-alone and domain Dfs roots using the Distributed File System snap-in. A stand-alone Dfs root is a folder that is physically located on only one server. If you are using Active Directory, you can create a domain Dfs root instead, which will be replicated across multiple servers, providing greater fault tolerance.
Windows 2000 uses the Kerberos version 5 authentication protocol for most authentication, as long as both sides of the connection support it. In a mixed-mode environment, where there are both Windows 2000 and Windows NT computers, Microsoft's older NTLM protocol is used instead where necessary. When a client logs on to a Windows 2000 domain with Kerberos, the following process occurs:
The client derives an encryption key from the password entered, encrypts the current time with that key, and sends the result together with the user ID to the authenticating server (the Key Distribution Center, or KDC, a service that runs on every domain controller). The password itself is never sent.
The KDC looks up the user in Active Directory, decrypts the timestamp with the key stored for that user, and checks that it is within the permitted clock skew (five minutes by default) and has not been presented before. If the checks succeed, the KDC issues a ticket-granting ticket (TGT) and a session key. If the client's clock and the domain controller's clock differ by more than the skew, logon fails even with the correct password.
When the user later attempts to access a file share or a printer, the client presents the TGT to the KDC to obtain a service ticket for that server. The service ticket and its session key let the client authenticate to the resource without re-entering the password until the ticket expires (10 hours by default) or the user logs out.
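The logon exchange described above, as an added example that is not part of the original article and is not Windows or MIT Kerberos code: a Python model of both sides of the AS exchange with timestamp pre-authentication, including the three failure modes a practitioner meets in practice (wrong password, clock skew, replayed request). PBKDF2-SHA256 stands in for the Kerberos string-to-key function and a SHAKE-256 keystream with an HMAC tag stands in for the Kerberos encryption type; the realm, account and password are constructed.

```python
"""Windows 2000 Kerberos logon (AS exchange with timestamp pre-authentication),
modelled end to end. Added example, not Windows or MIT Kerberos code.

Stand-ins so it runs on the standard library: PBKDF2-SHA256 for the Kerberos
string-to-key function (Windows 2000's RC4-HMAC key is the NT hash), and a
SHAKE-256 keystream with an HMAC-SHA256 tag for the Kerberos encryption
type. The error names, the 5-minute skew window and the 10-hour ticket
lifetime are the real defaults; realm, account and password are constructed.
"""
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300         # seconds; Kerberos and Windows default
TGT_LIFETIME = 36000     # 10 hours; Windows 2000 default


def string_to_key(password: str, realm: str, user: str) -> bytes:
    # salted with realm + principal name, as the real string-to-key functions are
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + user).encode(), 4096, 32)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ks = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag first: a wrong key fails here and never yields plaintext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad integrity")
    ks = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class KDC:
    """The KDC service on an Active Directory domain controller."""

    def __init__(self, realm: str, clock: int):
        self.realm, self.clock = realm, clock          # clock fixed for reproducibility
        self.keys = {}                                  # user -> long-term key, never the password
        self.krbtgt_key = os.urandom(32)                # key of the krbtgt account
        self.replay_cache = set()                       # (user, timestamp) already accepted

    def add_user(self, user: str, password: str) -> None:
        self.keys[user] = string_to_key(password, self.realm, user)

    def as_exchange(self, user: str, pa_enc_timestamp: bytes) -> dict:
        key = self.keys.get(user)
        if key is None:
            raise PermissionError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        try:
            ts = int.from_bytes(unseal(key, pa_enc_timestamp), "big")
        except ValueError:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")     # wrong password
        if abs(ts - self.clock) > CLOCK_SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")            # clocks too far apart
        if (user, ts) in self.replay_cache:
            raise PermissionError("KRB_AP_ERR_REPEAT")          # captured request resent
        self.replay_cache.add((user, ts))
        session_key, endtime = os.urandom(32).hex(), self.clock + TGT_LIFETIME
        ticket = {"cname": user, "key": session_key, "endtime": endtime}
        return {"tgt": seal(self.krbtgt_key, json.dumps(ticket).encode()),     # opaque to the client
                "enc_part": seal(key, json.dumps({"key": session_key, "endtime": endtime}).encode())}

    def read_ticket(self, tgt: bytes) -> dict:
        return json.loads(unseal(self.krbtgt_key, tgt))


def client_logon(kdc: KDC, user: str, password: str, client_clock: int) -> dict:
    """Client side: prove knowledge of the password-derived key by encrypting
    the current time, then unwrap the session key from the reply. The
    password itself never crosses the wire."""
    key = string_to_key(password, kdc.realm, user)
    reply = kdc.as_exchange(user, seal(key, client_clock.to_bytes(8, "big")))
    creds = json.loads(unseal(key, reply["enc_part"]))
    return {"tgt": reply["tgt"], "session_key": bytes.fromhex(creds["key"]), "endtime": creds["endtime"]}


def demo() -> dict:
    now = int(time.time())
    kdc = KDC("NUTSHELL.EXAMPLE", now)
    kdc.add_user("alice", "correct horse battery staple")
    good = client_logon(kdc, "alice", "correct horse battery staple", now)
    results = {"good": kdc.read_ticket(good["tgt"])["cname"]}
    attempts = [("wrong_password", "alice", "guess", now + 1),
                ("clock_skew", "alice", "correct horse battery staple", now + 600),
                ("unknown_user", "mallory", "anything", now)]
    for label, user, pw, t in attempts:
        try:
            client_logon(kdc, user, pw, t)
            results[label] = "accepted"
        except PermissionError as err:
            results[label] = str(err)
    # Replay: a pre-auth blob captured from a legitimate logon is resent verbatim.
    key = string_to_key("correct horse battery staple", kdc.realm, "alice")
    captured = seal(key, (now + 5).to_bytes(8, "big"))
    kdc.as_exchange("alice", captured)                          # first use succeeds
    try:
        kdc.as_exchange("alice", captured)
        results["replay"] = "accepted"
    except PermissionError as err:
        results["replay"] = str(err)
    return results
```

Two things the model makes visible that the prose only implies: the domain controller stores the key, not the password, and verifies knowledge of it without ever receiving it; and KRB_AP_ERR_SKEW is a time problem, not a credential problem, which is why a domain whose clients drift more than five minutes from the PDC emulator (the domain's time source) sees "wrong password" style failures until the clocks are fixed.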
Microsoft's decision to include industry-standard protocols such as Telnet, FTP, DNS, and Kerberos in its network strategy is an indication that it is serious about Windows as a network platform. Kerberos is more secure than NTLM authentication, but not quite as secure as certificate-based authentication methods.
Earlier versions of Windows NT used primary domain controllers (PDCs) and backup domain controllers (BDCs), each with clear roles. Windows 2000 makes one major change to this system: all Windows 2000 domain controllers act as peers. Any domain controller can be used for authentication, and any controller can be used to make changes to the Active Directory database.
While Windows 2000 domain controllers act as peers in most respects, certain operations require one server to act as an operations master. There are five separate roles held by operations masters (operations masters may be one server or several different servers):
The schema master acts as the authority for changes to the Active Directory schema (the specification of the object types and properties stored in the Directory). One server per forest acts as the schema master.
The domain naming master manages additions, deletions, and changes to the domains contained within the Active Directory forest. One server per forest acts as domain naming master.
The relative ID master allocates pools of relative identifiers (RIDs) to the other domain controllers in its domain; every new user, group, or computer receives a security identifier (SID) made of the domain SID plus a RID from the local pool. Moving an object to another domain must also be initiated on the RID master. One server per domain acts as relative ID master.
The PDC emulator emulates a Windows NT 4.0 PDC for compatibility with older systems, including NT 4 backup domain controllers in a mixed-mode domain. It also receives preferential replication of password changes and is the time source for the domain. One server per domain acts as PDC emulator.
The infrastructure master updates references to objects in other domains, for example the membership list of a group that contains users from another domain, when those objects are renamed or moved. One server per domain acts as infrastructure master. Unless every domain controller in the domain is also a global catalog server, the infrastructure master should not be a global catalog server, or it will never notice stale references.
The first server configured as a domain controller when the Active Directory forest is created is assigned the schema master and domain naming master roles. The first domain controller configured in each domain is assigned the relative ID master, PDC emulator, and infrastructure master roles.
One of the most important jobs for a network is to make it easy to keep data consistent, safe, and available to all the client computers whenever they need it. Data often changes in one location on the network, and it needs to be copied, or replicated, to the other areas of the network. If this didn't occur, users who change their network password on one computer might not be able to log into the network from another computer.
Most important data, such as passwords, is stored throughout the domain on servers called domain controllers. For replication purposes, however, the domain model is supplemented by a logical structure called a site. The main requirement for a site is that its subnets be well connected (Microsoft's rule of thumb is at least a 512Kbps link). Other than that one stipulation, a site may contain multiple domains, and a single domain may span multiple sites. Data can be replicated within a site or between sites. There are two main types of replication: intrasite and intersite.
Intrasite replication passes data between domain controllers within the same site. It is configured automatically and is notification-based: a domain controller that has changes waits five minutes (by default) and then notifies its replication partners, which pull the changes. The data that passes between replication partners is not compressed, on the assumption that LAN bandwidth is plentiful.
Intersite replication passes data between domain controllers in separate sites. It runs on a schedule, every three hours by default, which you can configure per site link, and the data is compressed by roughly 85 to 90 percent to conserve WAN bandwidth. Be sure to monitor bandwidth usage and adjust sites and site links accordingly.
The best way to break down a Windows 2000 domain into manageable sections is through the Organizational Unit (OU) structure. Each unit can reflect the actual departmental breakdowns inside your organization. You can place user accounts, computers, shared folders, printers, and any other object in a specific OU, and then delegate permissions and link Group Policy to the OU. If a user switches departments, you move the account to the new OU and it picks up the Group Policy settings and delegated permissions applied there.
Organizational Units are arranged in a hierarchy. This can start as a simple geographic breakdown and layer down into departments within each location. You can have as many layers as you'd like, but fewer layers keep the structure easier to manage and make Group Policy inheritance easier to predict.
You can modify your OU structure at any time. However, it would be more efficient to take the time to map out which user accounts, folders, and equipment are needed for every department and create the OU structure all at once. If the framework is in place, the assignment of permissions becomes a lot easier.
Active Directory allows for two different types of trust relationships: the two-way transitive trusts that are created automatically between the domains of a forest, and explicit one-way nontransitive trusts that you create manually, for example to a Windows NT 4 domain or to a domain in another forest. A trust relationship is set up between a trusting domain and a trusted domain. The trusting domain allows users from the trusted domain to log on to its resources. Group Policy security in the trusting domain still applies to the users logging in from the trusted domain.
The default trust relationship between Windows 2000 domains in a tree, and between the root domains of the trees in a forest, is a two-way transitive trust. This means that if domain A trusts domain B and domain B trusts domain C, domain A automatically trusts domain C and vice versa, without any separate trust relationship between A and C.
Because each subdomain in a tree trusts the root domain and the root domain trusts its subdomains, every subdomain in a tree automatically trusts every other subdomain in the tree. Because every root domain in a forest trusts every other root domain in the forest, every subdomain of every tree in the forest trusts every other subdomain in the forest. This greatly simplifies trusts in a Windows 2000 network compared to the Windows NT trust scheme.
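As an added example (not Microsoft code and not from the original article), the following Python models the trust graph of a small two-tree forest and answers "can this domain authenticate users from that domain?" by walking only transitive edges. The domain names are constructed, and the NT4LEGACY external trust is included to show the contrast the text draws: an explicit nontransitive trust stops at its two partners, while the automatic forest trusts chain all the way across both trees.

```python
"""Transitive trust in a Windows 2000 forest. Added example, not Microsoft code.

Domains are nodes; each trust is a directed edge from the trusting domain to
the trusted domain, flagged transitive or not. The forest creates the
automatic two-way transitive trusts (parent to child within a tree, tree
root to forest root); explicit one-way nontransitive trusts, such as to a
Windows NT 4 domain, are added by hand. Domain names are constructed.
"""
from collections import deque


class Forest:
    def __init__(self, forest_root: str):
        self.forest_root = forest_root
        self.edges = {forest_root: {}}      # trusting -> {trusted: is_transitive}

    def _edge(self, trusting: str, trusted: str, transitive: bool) -> None:
        self.edges.setdefault(trusting, {})[trusted] = transitive
        self.edges.setdefault(trusted, {})

    def add_child(self, parent: str, child: str) -> None:
        """Child domain in the same tree: automatic two-way transitive trust."""
        self._edge(parent, child, True)
        self._edge(child, parent, True)

    def add_tree(self, tree_root: str) -> None:
        """New tree: two-way transitive trust between its root and the forest root."""
        self._edge(self.forest_root, tree_root, True)
        self._edge(tree_root, self.forest_root, True)

    def add_external(self, trusting: str, trusted: str) -> None:
        """Explicit one-way nontransitive trust (for example, to a Windows NT 4 domain)."""
        self._edge(trusting, trusted, False)

    def trusts(self, trusting: str, trusted: str) -> bool:
        """Can `trusting` authenticate accounts from `trusted`? Yes if there is a
        direct trust of either kind, or a chain made entirely of transitive
        trusts. A nontransitive trust never carries beyond its two partners."""
        if trusted in self.edges.get(trusting, {}):
            return True
        seen, queue = {trusting}, deque([trusting])
        while queue:
            for nxt, transitive in self.edges.get(queue.popleft(), {}).items():
                if transitive and nxt == trusted:
                    return True
                if transitive and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return False

    def trusted_by(self, trusting: str) -> list:
        """Every domain whose users can log on to resources in `trusting`."""
        return sorted(d for d in self.edges if d != trusting and self.trusts(trusting, d))


def build_example() -> Forest:
    """One forest, two trees, plus a legacy NT 4 domain trusted by one subdomain only."""
    f = Forest("nutshell.example")
    f.add_child("nutshell.example", "sales.nutshell.example")
    f.add_child("sales.nutshell.example", "eu.sales.nutshell.example")
    f.add_tree("oreilly.example")
    f.add_child("oreilly.example", "press.oreilly.example")
    f.add_external("sales.nutshell.example", "NT4LEGACY")
    return f
```

Running `build_example().trusted_by("eu.sales.nutshell.example")` lists every other forest domain but not NT4LEGACY, even though NT4LEGACY is trusted by eu.sales's parent; and `trusted_by("NT4LEGACY")` is empty because the external trust is one-way. That second result is the practical point: when you add an external trust, decide deliberately which direction accounts should flow, since the transitive forest trusts will never widen it for you.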
The RADIUS client-server authentication protocol is commonly used by Internet service providers to authenticate incoming connections. RADIUS is an acronym for Remote Authentication Dial-In User Service. It is typically used with Point-to-Point Protocol (PPP) connections, where it carries the result of the PPP authentication protocols (PAP, CHAP, MS-CHAP, or EAP) from the access server to a central authentication server.
As with Kerberos, Microsoft's implementation of RADIUS, called Internet Authentication Service (IAS), adds vendor-specific attributes (for MS-CHAP, for example) on top of the standard protocol. Its most significant characteristic is that it authenticates users against Active Directory rather than a separate user database.
To get an idea of what RADIUS does, here's a list of the steps involved with IAS authentication on a Windows 2000 Remote Access Server (RAS):
When the remote user either dials in (via PPP) or attempts to connect via a virtual private network (VPN), the RAS server sends a RADIUS Access-Request packet to the IAS server. The packet carries the user name and the credentials, with the password hidden using a shared secret configured on both servers.
The IAS server tries to find the user account in Active Directory. If the account is found, the credentials are valid, and the account's dial-in permission and the remote access policy allow that type of connection, the IAS server sends an Access-Accept packet to the RAS server. Otherwise, it sends an Access-Reject and the RAS server terminates the connection.
To determine the level of access granted to the user (for example, the IP address assigned or a session time limit), the RAS server uses the attributes included in the Access-Accept packet. It should also verify the packet's response authenticator, computed with the shared secret, before honoring it.
The RAS server sends an Accounting-Start packet to the IAS server, asking it to record the session. This continues until the session is disconnected and the RAS server sends an Accounting-Stop packet.
A few options will cause this list of steps to vary. If at any time the RAS server doesn't receive a response from the IAS server, the RAS server will automatically try a backup IAS server. Also, the RAS server will attempt to negotiate the most secure authentication protocol the client supports. Its first choice is Extensible Authentication Protocol (EAP), which supports smart cards and certificates; after that it tries MS-CHAP, then CHAP, and finally PAP, which sends the password in clear text and should be disabled unless a legacy client requires it.
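The exchange above, as an added example that is not part of the original article and is not Microsoft's IAS code: a Python model of the Access-Request and Access-Accept/Reject packets on the RFC 2865 wire format, including the User-Password hiding driven by the shared secret and the Response Authenticator that the RAS server must verify. The account table standing in for the Active Directory lookup, the shared secret and all addresses are constructed; the "wrong shared secret" case shows what a misconfigured RAS/IAS pair looks like on the wire (a reject whose authenticator the RAS cannot verify).

```python
"""RADIUS exchange between a Windows 2000 RAS server (the NAS) and IAS, on the
RFC 2865 wire format. Added example, not Microsoft's IAS code. The account
table standing in for the Active Directory lookup, the shared secret and
all addresses are constructed.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_IP_ADDRESS, SESSION_TIMEOUT = 1, 2, 4, 8, 27


def encode_attrs(attrs):
    """attrs: list of (type, value bytes); each is Type, Length (incl. header), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def hide_password(secret, req_auth, password):
    """RFC 2865 section 5.2: pad to 16, XOR each block with MD5(secret || previous
    block), seeded with the Request Authenticator. This obscures but does not
    authenticate; the password is only as strong as the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(secret, req_auth, hidden):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(secret, code, ident, req_auth, body):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


def access_request(secret, ident, user, password, nas_ip):
    """RAS -> IAS. The Request Authenticator is random per request."""
    req_auth = os.urandom(16)
    return packet(ACCESS_REQUEST, ident, req_auth, [
        (USER_NAME, user.encode()),
        (USER_PASSWORD, hide_password(secret, req_auth, password.encode())),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))])


class IAS:
    """IAS -> RAS. `directory` stands in for the Active Directory account lookup."""

    def __init__(self, secret, directory):
        self.secret, self.directory = secret, directory

    def handle(self, req):
        code, ident, length = struct.unpack("!BBH", req[:4])
        req_auth, attrs = req[4:20], dict(decode_attrs(req[20:length]))
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        password = reveal_password(self.secret, req_auth, attrs.get(USER_PASSWORD, b""))
        acct = self.directory.get(user)
        if code == ACCESS_REQUEST and acct and hmac.compare_digest(acct["password"], password) and acct["dial_in"]:
            out_code = ACCESS_ACCEPT      # attributes tell RAS what access to grant
            out = [(FRAMED_IP_ADDRESS, socket.inet_aton(acct["ip"])), (SESSION_TIMEOUT, struct.pack("!I", 3600))]
        else:
            out_code, out = ACCESS_REJECT, []
        auth = response_authenticator(self.secret, out_code, ident, req_auth, encode_attrs(out))
        return packet(out_code, ident, auth, out)


def ras_verify(secret, req, resp):
    """RAS must check the Response Authenticator before acting on an Accept;
    otherwise a reply spoofed from the IAS address grants access."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    expect = response_authenticator(secret, code, ident, req[4:20], resp[20:length])
    return ident == req[1] and hmac.compare_digest(resp[4:20], expect)


def demo():
    secret = b"constructed-shared-secret"
    directory = {"alice": {"password": b"Secret!", "dial_in": True, "ip": "10.0.0.50"},
                 "bob": {"password": b"hunter2", "dial_in": False, "ip": "10.0.0.51"}}
    ias = IAS(secret, directory)
    results = {}
    for label, user, pw, ras_secret in [("alice", "alice", "Secret!", secret),
                                        ("alice_wrong_pw", "alice", "nope", secret),
                                        ("bob_no_dialin", "bob", "hunter2", secret),
                                        ("wrong_shared_secret", "alice", "Secret!", b"other")]:
        req = access_request(ras_secret, 7, user, pw, "192.0.2.10")
        resp = ias.handle(req)
        results[label] = (resp[0], ras_verify(ras_secret, req, resp))   # (code, authenticator ok?)
    return results
```

Accounting uses the same packet layout with codes 4 (Accounting-Request) and 5 (Accounting-Response); there the Request Authenticator is not random but an MD5 over the packet with sixteen zero bytes in the authenticator field followed by the secret (RFC 2866), which the server checks the same way `ras_verify` checks replies here. MD5-based hiding and the per-packet authenticators are the only protection RADIUS offers, so the shared secret should be long and random, and the RAS-to-IAS path should run over a protected segment or inside IPsec.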
A RAS server can authenticate dial-up connections on its own (using Windows authentication) or hand the job to RADIUS. RADIUS has the advantage of handling a large volume (thousands of connections a day) and of centralized record-keeping across multiple RAS servers. RAS alone is for lower volumes and has less-sophisticated reporting options.
Telnet allows you to log in to a computer and remotely execute programs. Telnet has been a part of Unix systems and the Internet in general for quite a long time. Windows 2000's telnet server allows Telnet clients to connect to a Windows 2000 server and use a shell similar to the standard command prompt. The server supports NTLM authentication so that the password need not cross the network in clear text, but the session data itself is still unencrypted, so treat it as a LAN tool rather than an Internet-facing one.
Unfortunately, Windows 2000 Server's telnet server is licensed for only two simultaneous telnet clients, which severely limits its usefulness. You can, however, buy more licenses to allow a reasonable number of simultaneous connections.
Including a telnet server is just one of the many signs that Microsoft has a more mature and cooperative approach to including standard Internet technology in Windows 2000. Another significant change is the shift from NetBIOS to DNS.
In this article, you've learned about 12 new technologies that were introduced in Windows 2000 and are covered in the Windows 2000 MCSE exams. While this is by no means a complete list of the changes in the new exams, learning these technologies will put you well on your way to earning the MCSE.
Michael Moncur is a freelance author and consultant in Salt Lake City, Utah. He is the owner of Starling Technologies, a company specializing in network consulting and Web content development, and is certified both as a CNE and a MCSE. He is the author of several books on NetWare, NT, and the CNE and MCSE programs, including NT 4 Network Security and NetWare 5 CNA/CNE: Administration and Design Study Guide (Sybex/Network Press), and the best-selling MCSE: The Core Exams in a Nutshell from O'Reilly, in addition to coauthoring the soon-to-be released (February 2001) MCSE in a Nutshell: The Windows 2000 Exams.
Paul Murphy is a freelance author and training manager for Dreamscape OnLine, a Syracuse, New York, Internet service provider. He has been teaching classes on the Internet, HTML, operating systems, and Microsoft Office since 1996. Certified as an MCSE, he has worked as a technical reviewer for O'Reilly's MCSE series and coauthored the upcoming MCSE in a Nutshell: The Windows 2000 Exams.
Copyright © 2009 O'Reilly Media, Inc.