
101 Tips for Exam 70-218:


Managing a Microsoft Windows 2000 Network Environment


Creating, Configuring, Managing, Securing, and Troubleshooting File, Print, and Web Resources

1. The two types of resources this objective refers to are shared folders and printers.
Folders must first be shared, and then they can be published in Active Directory.
2. Printers are published automatically unless the List in the Directory check box is
unchecked on the Sharing tab of their properties.
3. The file system that is appropriate for Windows 2000 depends on the needs of the
specific environment in which it will be used.
4. In an environment that requires dual-booting to another operating system that cannot
read NTFS, Microsoft recommends using a FAT-formatted file system. They recommend NTFS for
situations in which security is a concern, because FAT and FAT32 have no file-level
permissions, encryption, or auditing.
5. File-based compression is far more flexible than partition-based compression because you
can compress files you don't frequently use and leave those files you do frequently use
uncompressed.
6. Not all files can be compressed. In particular, some of the Windows 2000 boot files (such
as NTLDR) and the paging file cannot be compressed; they must always remain uncompressed.
7. Using compression on files that are served by a file server can dramatically increase the
processor utilization of a server.
8. Anytime after the installation, the CONVERT.EXE utility (for example, CONVERT D:
/FS:NTFS) allows you to convert a FAT or FAT32 file system to NTFS without data loss. The
conversion is one-way: going back to FAT or FAT32 means reformatting the volume.
9. NTFS offers five standard permissions on a file, each of which can be explicitly allowed
or denied: Full Control (everything the others provide, plus the ability to change
permissions and take ownership), Modify (Read and Execute plus Write, plus the ability to
delete), Read and Execute, (just) Read, and Write. Folders add a sixth, List Folder
Contents. A Deny entry always overrides an Allow entry, whichever group it comes from.
10. The Quota tab, which appears only if the drive is NTFS, allows you to configure the
storage limits for users. By default, quota management is disabled; you must enable it
before you can set any other options.
11. If quotas are enabled after user accounts have already been in place and some users
already exceed the limit, those users receive a warning the next time they save and, if the
Deny Disk Space to Users Exceeding Quota Limit option is checked, are prevented from using
any additional space until they drop below the limit.

12. Sharing is done at the folder level; it cannot be done individually at the file level.
Because share permissions apply only when the folder is accessed over the network, they are
known as Access Through Share (ATS) permissions. When a folder on an NTFS volume is reached
through a share, both sets of permissions are evaluated and the user gets the more
restrictive result; a user logged on at the console is bound by NTFS permissions only.
13. A folder can be shared more than once, each time having a different share name
associated with it.
14. You can "hide" a share (prevent it from appearing in My Network Places and other browse
lists) by adding a dollar sign ($) to the end of the share name. Hiding is not security:
anyone who knows the name can still connect to \\server\name$, so the share and NTFS
permissions must still be set correctly.
15. If, and only if, Web services are installed on the same machine you have created the
share on, an additional tab--Web Sharing--appears under Properties. By default, Web
sharing is not enabled. When you choose to share it, you can create an alias (which
appears as the share name by default). Then, you can specify Read, Execute, and/or
Scripts permissions.
16. Internet Information Services (IIS) version 5.0 is installed automatically on Windows
2000 Server during the operating system installation (on Windows 2000 Professional it is an
optional component). If you do not need it on a server, remove it via Add/Remove Programs;
an unused Web server is attack surface you would otherwise have to patch.
17. You can configure auditing for nine predefined categories of event (logon events,
account logon events, account management, object access, privilege use, policy change,
process tracking, directory service access, and system events) through the Local Security
Policy shortcut within the Administrative Tools folder of the Control Panel. When
configured, entries are written to the Security log, which you can view and configure with
the Event Viewer tool. Auditing object access additionally requires an audit entry (SACL)
on the file, folder, or printer concerned; without one, nothing is recorded for it.
18. The Event Viewer in Windows 2000 is used to examine events and errors that were
written to the log files. All critical system messages, not just those related to TCP/IP,
are stored in the System log. The other default logs are Application and Security; by
default only administrators can read or clear the Security log.
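The effective-access rule from tips 9 and 12-14, worked through as an added example (this is illustrative code written for this page, not a Microsoft tool): a remote user gets the intersection of the share (ATS) permissions and the NTFS permissions, a Deny entry beats an Allow entry, and a trailing "$" hides a share without protecting it. The group names, user names and ACLs are constructed sample data.

```python
"""Effective access to a file inside a Windows 2000 shared folder (added example)."""

# Rights conveyed by each NTFS standard permission at the file level
# (folders also have List Folder Contents, omitted here).
NTFS_STANDARD = {
    "Full Control": {"read", "execute", "write", "delete",
                     "change permissions", "take ownership"},
    "Modify": {"read", "execute", "write", "delete"},
    "Read and Execute": {"read", "execute"},
    "Read": {"read"},
    "Write": {"write"},
}

# Share (ATS) permissions only apply when the folder is reached over the network.
SHARE_STANDARD = {
    "Full Control": {"read", "execute", "write", "delete",
                     "change permissions", "take ownership"},
    "Change": {"read", "execute", "write", "delete"},
    "Read": {"read", "execute"},
}


def resolve_acl(acl, principals, table):
    """acl: list of (principal, "Allow" | "Deny", permission name).
    Only entries whose principal is the user or one of the user's groups count.
    Deny rights are subtracted last, so a Deny wins wherever it sits in the list."""
    allowed, denied = set(), set()
    for principal, kind, perm in acl:
        if principal not in principals:
            continue
        (denied if kind == "Deny" else allowed).update(table[perm])
    return allowed - denied


def effective_rights(principals, ntfs_acl, share_acl=None, remote=True):
    """Rights the user actually has. Locally (remote=False) only NTFS applies;
    over the network the result is the intersection of NTFS and share results."""
    ntfs = resolve_acl(ntfs_acl, principals, NTFS_STANDARD)
    if not remote:
        return frozenset(ntfs)
    share = resolve_acl(share_acl or [], principals, SHARE_STANDARD)
    return frozenset(ntfs & share)


def is_hidden_share(share_name):
    """A trailing '$' hides the share from browse lists only; anyone who knows
    the name (and passes the ACL checks above) can still connect."""
    return share_name.endswith("$")


# Constructed sample ACLs. Everyone/Full Control is the Windows 2000 default
# on a newly created share, which is why NTFS permissions must do the real work.
SHARE_DEFAULT = [("Everyone", "Allow", "Full Control")]
SHARE_READONLY = [("Everyone", "Allow", "Read")]
NTFS_ACL = [
    ("Users", "Allow", "Modify"),
    ("Contractors", "Deny", "Write"),
]
ALICE = {"alice", "Users", "Everyone"}                   # ordinary staff member
BOB = {"bob", "Users", "Contractors", "Everyone"}        # contractor: Write denied

if __name__ == "__main__":
    print("alice, default share:", sorted(effective_rights(ALICE, NTFS_ACL, SHARE_DEFAULT)))
    print("bob, default share:  ", sorted(effective_rights(BOB, NTFS_ACL, SHARE_DEFAULT)))
    print("alice, read-only share:", sorted(effective_rights(ALICE, NTFS_ACL, SHARE_READONLY)))
    print("alice at the console:", sorted(effective_rights(ALICE, NTFS_ACL, SHARE_READONLY, remote=False)))
```

Note the read-only share case: the NTFS Modify permission still grants Alice write access at the console, but over the network the share's Read permission strips it, which is the "more restrictive wins" rule in action.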
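What the Security log from tips 17-18 is for, as an added example (not code from the original page): two detections run over a handful of constructed Security log records. Windows 2000 records a failed logon (unknown user name or bad password) as event 529, a successful logon as 528, and clearing of the audit log as 517; the record layout used here is a simplified tuple, not the Event Viewer export format, and the timestamps, accounts and workstation names are invented.

```python
"""Two simple detections over Windows 2000 Security log records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 529        # Logon failure: unknown user name or bad password
SUCCESSFUL_LOGON = 528    # Successful logon
AUDIT_LOG_CLEARED = 517   # The audit log was cleared

# Constructed sample records: (timestamp, event ID, account, source workstation).
SAMPLE_RECORDS = [
    ("2001-03-05 09:00:01", 529, "Administrator", "WS01"),
    ("2001-03-05 09:00:04", 529, "Administrator", "WS01"),
    ("2001-03-05 09:00:09", 529, "Administrator", "WS01"),
    ("2001-03-05 09:00:15", 529, "Administrator", "WS01"),
    ("2001-03-05 09:00:20", 529, "Administrator", "WS01"),
    ("2001-03-05 09:00:31", 528, "Administrator", "WS01"),
    ("2001-03-05 09:12:00", 529, "bob", "WS02"),   # a user mistyping a password
    ("2001-03-05 09:40:00", 529, "bob", "WS02"),
    ("2001-03-05 10:05:00", 517, "Administrator", "WS01"),
]


def parse_records(rows):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, src)
            for ts, eid, acct, src in rows]


def failed_logon_bursts(events, threshold=4, window=timedelta(minutes=2)):
    """Sliding window of event 529 per source workstation.
    Returns {workstation: (largest count seen inside one window, time of last failure)}
    for every workstation that reached `threshold` failures within `window`."""
    stamps_by_src = defaultdict(list)
    for ts, eid, _acct, src in sorted(events, key=lambda e: e[0]):
        if eid == FAILED_LOGON:
            stamps_by_src[src].append(ts)
    bursts = {}
    for src, stamps in stamps_by_src.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold and count >= bursts.get(src, (0, None))[0]:
                bursts[src] = (count, ts)
    return bursts


def success_after_burst(events, bursts, grace=timedelta(minutes=10)):
    """Accounts that logged on successfully from a bursting workstation shortly
    after its last failure: the guess-until-it-works pattern."""
    hits = set()
    for ts, eid, acct, src in events:
        if eid != SUCCESSFUL_LOGON or src not in bursts:
            continue
        last_failure = bursts[src][1]
        if timedelta(0) <= ts - last_failure <= grace:
            hits.add((acct, src))
    return hits


def audit_log_cleared(events):
    """Event 517 always deserves attention: someone covering tracks, or an
    administrator defeating log retention."""
    return [(ts, acct, src) for ts, eid, acct, src in events if eid == AUDIT_LOG_CLEARED]


if __name__ == "__main__":
    events = parse_records(SAMPLE_RECORDS)
    bursts = failed_logon_bursts(events)
    print("bursts:", bursts)
    print("success after burst:", success_after_burst(events, bursts))
    print("audit log cleared:", audit_log_cleared(events))
```

Bob's two failures half an hour apart never fall inside one window, so only WS01 is flagged; the successful Administrator logon eleven seconds after its fifth failure is the event worth paging someone about.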
Configuring, Administering, and Troubleshooting the Network Infrastructure
19. After the host name has been resolved to an IP address, your computer must resolve the
IP address to a MAC address. This is handled by the Address Resolution Protocol (ARP).
ARP, as a utility, can be used to see the entries in the address resolution cache (ARP -A),
which maps IP addresses to network card (MAC) addresses, or to add a static entry (ARP -S).
20. The File Transfer Protocol (FTP) is used to download or upload files from one host to
another; note that it sends the user name and password in clear text. A simplified relative,
the Trivial File Transfer Protocol (TFTP), runs over UDP, has no authentication at all, and
is used for unattended transfers such as loading boot images or configurations onto network
devices.
21. One of the simplest of all utilities, HOSTNAME returns the name that the current host is
known as. This utility does not support any parameters.
22. At its simplest, IPCONFIG displays the IP configuration. The /ALL parameter shows all
data (including the MAC address, DHCP and DNS server addresses, and lease times); /RELEASE
gives up the DHCP lease; /RENEW attempts to extend the life of the lease; and /FLUSHDNS
clears the local DNS resolver cache.
23. NBTSTAT is a command-line utility that enables you to check the resolution of NetBIOS
names to TCP/IP addresses. Using NBTSTAT, you can check the status of current
NetBIOS sessions. You can also add entries to the NetBIOS name cache from the
LMHOSTS file, or check your registered NetBIOS name and the NetBIOS scope
assigned to your computer, if any.
24. NETSTAT is a command-line utility that enables you to check the status of current
TCP/IP connections. Executed without switches it lists active connections; -a adds
listening ports, -n shows addresses and ports numerically, -r shows the routing table, and
-s shows per-protocol statistics. (The -o switch that names the owning process appeared in
Windows XP, so on Windows 2000 NETSTAT alone cannot tie a listening port to a process.)

25. NSLOOKUP is a command-line utility that enables you to verify entries on a DNS server.
You can use NSLOOKUP in two modes: interactive and non-interactive. To look up only a
single piece of data, use non-interactive mode. To make another query, you must type
another non-interactive command. If you want to look up more than one piece of data,
use interactive mode.
26. The PING command--one of the most useful commands in the TCP/IP protocol suite--
sends a series of ICMP Echo Request packets to another system, which in turn sends back
Echo Reply packets. This utility can be extremely useful for troubleshooting problems with
remote hosts, with one caveat: many firewalls drop ICMP, so a failed ping does not prove
that the host is down.
27. The ROUTE command-line utility enables you to see the local routing table (ROUTE PRINT)
and add entries to it (ROUTE ADD, with -p to make the entry persistent across reboots).
Occasionally, it is necessary to see how a system will route packets on the network.
Normally, your system will simply send all packets to the default gateway. However,
sometimes (such as when you are having problems communicating with a group of computers)
ROUTE can provide an answer.
28. The TELNET utility turns your workstation into a terminal for a session with a remote
host. Like FTP, it sends everything, including the logon password, in clear text.
29. TRACERT is a command-line utility that enables you to verify the route to a remote host.
Execute the command TRACERT hostname, where hostname is the computer name or
IP address of the computer whose route you want to trace. TRACERT returns the
different IP addresses the packet was routed through to reach the final destination. The
results also include the number of hops needed to reach the destination. If you execute
the TRACERT command without any options, you will see a help file that describes all
the TRACERT switches.
30. Microsoft recommends that you approach a possible connectivity problem by taking the
following steps:
1) Run IPCONFIG to verify that there is a valid IP address (whether it's manually
configured or supplied by DHCP).
2) Ping the loopback address (127.0.0.1). This will verify that the TCP/IP stack is
functioning properly but will not go out across the wire.
3) Ping your own IP address. A success should show that duplicate addresses are
not a problem.
4) Ping the default gateway.
5) Ping a remote host.
If all these steps succeed, the problem lies above basic TCP/IP connectivity (name
resolution, the application, or permissions) rather than in the protocol stack or the wire.
31. The alternative to manual configuration is to use a DHCP server, which issues
configuration information to clients when they need it.
32. When you manually configure a computer as a TCP/IP host, you must enter the
appropriate settings, which are required for connectivity with your network. To reach the
configuration tabs, choose the Network and Dial-Up Connections applet from the Control
Panel, right-click on the network in question (typically named Local Area Connection),
and then choose Properties from the pop-up menu. On the General tab, select Internet
Protocol (TCP/IP) and click the Properties button.
33. An IP address is a logical 32-bit address used to identify a TCP/IP host. Each network
adapter configured for TCP/IP must have a unique IP address, such as 192.14.200.4. For a
host address the first octet may be 1-223 and the remaining three octets 0-255, with the
exception that 127 cannot be used in the first octet because that network is reserved for
loopback. Familiarity with this topic is required for the 70-215 (Server) exam, which must
also be taken for MCSA certification.
34. A subnet is a division of a larger network environment, typically connected by routers.
Whenever a TCP/IP host tries to communicate with another TCP/IP host, the subnet
mask is used to determine whether the other TCP/IP host is on the same network or a
different network. If the other TCP/IP host is on a different network, the message must be
sent via a router that connects to the other network. A typical subnet mask is
255.255.255.0. All computers on a given subnet must have the same subnet mask value.
35. The Default Gateway (Router) setting is the address of the router. The router controls
communication with all other subnets. If the router's address is not specified, this TCP/IP
host can communicate only with other TCP/IP hosts on its subnet.
36. DNS is an industry standard distributed database that provides name resolution and a
hierarchical naming system for identifying TCP/IP hosts on the Internet and on private
networks.
37. DHCP automatically centralizes and manages the allocation of the TCP/IP settings
required for proper network functionality for computers that have been configured as
DHCP clients. TCP/IP settings that the DHCP client receives from the DHCP server are
only leased to it and must periodically be renewed. This lease-and-renewal sequence
enables a network administrator to change client TCP/IP settings, if necessary.
38. On Windows 95/98 machines, you can get the IPCONFIG functionality graphically via the
WINIPCFG utility.
39. For DHCP configuration, you must provide the server with a scope (a range of IP
addresses that it can issue). To authorize the server, right-click it within the DHCP
console and choose Authorize. This adds the server to the list of authorized DHCP servers
maintained within Active Directory; membership in Enterprise Admins is needed to do so.
40. Unauthorized DHCP servers are detected within Windows 2000 by the DHCP service itself:
when it starts, a Windows 2000 DHCP server broadcasts a DHCPINFORM message to discover the
enterprise root and then checks Active Directory for its own entry in the authorized list.
If it is not listed, it does not issue leases. This stops only unauthorized Windows 2000
DHCP servers; a rogue DHCP server on another platform is not affected by the check.
41. In small Windows 2000 networks that lack a server, the Internet Connection Sharing
service can be used. This service acts as a DHCP server as well as a Proxy/NAT server.
42. A DNS server address must be specified for name resolution of Internet hosts and Unix
TCP/IP hosts (and, in Windows 2000, for locating Active Directory domain controllers). You
can specify more than one DNS server address and the order in which they are tried.
43. On a very small network, you can use a static file named HOSTS to translate host names
to IP addresses in place of DNS.
44. On a very small network that only uses Windows-based hosts, you can use a static file
named LMHOSTS to translate NetBIOS names to IP addresses in place of WINS.
45. HOSTS files work with any type of host (UNIX, Linux, Windows, etc.) because the format
is the same everywhere: a text file that maps host names to IP addresses. On Windows 2000
the file lives in %systemroot%\system32\drivers\etc and is consulted before DNS, so an
entry planted there silently redirects a name; check it when a host resolves a name to an
unexpected address.
46. WINS provides name resolution for Microsoft networks. If your network uses WINS for
name resolution, your computer needs to be configured with the IP address of a WINS
server. (The IP address of a secondary WINS server can also be specified.)
47. Name resolution is merely the process of translating user-friendly computer names to IP
addresses.
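The subnet decision in tips 34-35, the address rules of tip 33, and the five-step ping procedure of tip 30, worked through as an added example (illustrative code written for this page, not a Microsoft tool). The `ping` callback stands in for the real PING command so the sequence runs offline against a constructed fake network; all addresses are sample data.

```python
"""Subnet decisions and the ping troubleshooting sequence (added example)."""
import ipaddress


def check_host_address(addr):
    """Tip 33: first octet 1-223, and 127 is reserved for loopback.
    Returns (ok, reason)."""
    ip = ipaddress.IPv4Address(addr)
    first = int(ip) >> 24
    if first == 127:
        return False, "127.x.x.x is the loopback network"
    if first < 1 or first > 223:
        return False, "first octet must be 1-223 (class A-C unicast)"
    return True, "ok"


def next_hop(local_ip, mask, gateway, destination):
    """Tips 34-35: same subnet -> deliver directly (ARP for the MAC address);
    otherwise -> hand the packet to the default gateway. With no gateway
    configured, a remote destination is simply unreachable (returns None)."""
    local = ipaddress.IPv4Interface(f"{local_ip}/{mask}")
    if ipaddress.IPv4Address(destination) in local.network:
        return "direct"
    return gateway


def peer_views(a_ip, a_mask, b_ip, b_mask):
    """Why tip 34 insists on one mask per subnet: returns
    (A believes B is local, B believes A is local). A mismatch gives
    one-way reachability that is confusing to troubleshoot."""
    a = ipaddress.IPv4Interface(f"{a_ip}/{a_mask}")
    b = ipaddress.IPv4Interface(f"{b_ip}/{b_mask}")
    return (b.ip in a.network, a.ip in b.network)


def connectivity_check(local_ip, mask, gateway, remote_host, ping):
    """Tip 30's sequence. `ping(address) -> bool` is injected so the logic can
    run without a network. Returns the first step that failed, or "ok"."""
    if local_ip is None:
        return "no IP address (check DHCP or the static configuration)"
    if not ping("127.0.0.1"):
        return "loopback failed: TCP/IP stack is not working"
    if not ping(local_ip):
        return "own address failed: duplicate address or bad binding"
    if gateway is not None and not ping(gateway):
        return "default gateway unreachable"
    if not ping(remote_host):
        return "remote host unreachable: problem lies beyond the local subnet"
    return "ok"


# Constructed fake network: the addresses that would answer an ICMP echo.
FAKE_REACHABLE = {"127.0.0.1", "192.168.1.10", "192.168.1.1", "10.0.0.5"}


def fake_ping(addr):
    return addr in FAKE_REACHABLE


if __name__ == "__main__":
    print(check_host_address("127.0.0.1"))
    print(next_hop("192.168.1.10", "255.255.255.0", "192.168.1.1", "10.0.0.5"))
    print(peer_views("192.168.1.10", "255.255.255.0", "192.168.1.200", "255.255.255.128"))
    print(connectivity_check("192.168.1.10", "255.255.255.0", "192.168.1.1", "10.0.0.5", fake_ping))
```

The `peer_views` case is the one to remember: host A with a /24 mask believes 192.168.1.200 is local and ARPs for it, while B with a /25 mask believes A is remote and sends its replies to the router, so the conversation only works if the router happens to proxy-ARP or route it back.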

Managing, Securing, and Troubleshooting Servers and Client Computers
48. Hardware should be verified as being on the Hardware Compatibility List (HCL) before
being installed.
49. When you accept an unsigned driver, the System log records a warning entry showing all
files that are being added.
50. By default, the system guards its own files; this feature is known as Windows File
Protection (WFP). WFP allows a protected file to be replaced only by one of the following
programs: HOTFIX.EXE, UPDATE.EXE, Windows Update, and WINNT32.EXE. These are needed to
install or repair all or portions of the operating system, so replacements made through
them are accepted; any other replacement is silently reverted. Separately, the Driver
Signing option (Ignore, Warn, or Block; Warn by default) controls what happens when an
unsigned driver is installed.
51. Two command-line utilities can be used with driver signatures: SIGVERIF.EXE (File
Signature Verification), and SFC.EXE (System File Checker).
52. SIGVERIF.EXE looks for files that are not digitally signed. You can also customize the
verification options. By default, signature verification search results go to the log file
SIGVERIF.TXT, and you are notified when unsigned files are found during searches.
53. The purpose of the SFC.EXE utility is to keep the operating system itself alive and well.
SFC.EXE is used to automatically verify system files after a reboot to see if they were
changed to unprotected copies. If an unprotected file is found, it is overwritten by a stored
copy of the system file from %systemroot%\system32\dllcache. (%systemroot% is the
folder into which the operating system was installed.)
54. Hardware devices use drivers to communicate. With the release of new sets of files, you
can change drivers, fix related problems, or add functionality. Windows 2000 offers the
ability to update device drivers in a very simple manner.
55. Windows Update requires a connection to the Internet and provides a single point of
reference for all operating system-related updates and additional features. The choice to
initialize the update appears on the Start menu.
56. If, when you boot, Windows 2000 will not come all the way up (it hangs or is otherwise
corrupt), you can often solve the problem by booting into Safe Mode. Safe Mode is a
concept borrowed from Windows 95 wherein you can bring up a part of the operating
system by bypassing the settings, drivers, or parameters that may be causing trouble
during a normal boot. The goal of Safe Mode is to provide an interface with which you are
able to fix the problems that occur during a normal boot and then reboot in normal mode.
57. To access Safe Mode, press F8 when the operating system menu is displayed during the
boot process.
58. The Recovery Console is a command-line environment used for troubleshooting. From it,
you can format drives, stop and start services, and interact with files. The latter is
extremely important because many boot/command-line utilities bring you to a position in
which you can interact with files stored on FAT or FAT32, but not NTFS. The Recovery
Console can work with files stored on all three file systems. It is not installed on a
system by default; install it with WINNT32 /CMDCONS or run it from the Windows 2000 CD.
By default it asks for the local Administrator password before granting access, which is
the only thing standing between someone with physical access and every file on the disk.
59. A "parallel installation" is any machine that has two versions of the operating system
loaded on it.
60. The primary tool for gathering usage information in Windows 2000 is the Performance
tool located in the Administrative Tools folder of Control Panel. The Performance tool is
divided into the following two sections: System Monitor and Performance Logs and
Alerts.
61. Upgrades to the core of Windows 2000 come in the form of service packs. Each service
pack contains patches and fixes to operating system components needing such, as well
as additional features. A service pack is a self-running program that modifies your
operating system.
Configuring, Managing, Securing, and Troubleshooting Active Directory Organizational Units and Group Policy

62. The creation of user and group objects in Active Directory is accomplished--assuming the
appropriate permissions have been granted--via the Active Directory Users and Computers
MMC snap-in. "Appropriate permissions" generally means that you are a member of the
Administrators group, although members of the Enterprise Admins, Domain Admins, or
Account Operators groups can also create user and group objects.
63. When adding a group, you must choose the type of group that it will be. The group can
be either a security group or a distribution group, and can have a scope of domain local,
global, or universal. Security groups exist to control access to resources, whereas
distribution groups exist for e-mail distribution. Local groups and global groups have
existed since Windows NT and define how wide ranging the group will be. Universal groups
(available for security groups only in native mode) have their membership stored in the
global catalog and, therefore, are available anywhere within the forest.
64. For every object, the "Allow inheritable permissions from parent to propagate to this
object" check box controls whether permissions set on the parent container flow down to it.
It is checked by default; clearing it blocks inheritance, and you then choose whether to
copy the previously inherited entries onto the object or remove them.
65. Windows 2000 employs a multi-master model (versus the single-master model of Windows
NT 4.0, in which only the primary domain controller accepted changes), and changes can be
made at any domain controller.
66. Replication between domain controllers uses RPC over IP or SMTP, depending on the type
of replication. RPC over IP is used for replication traffic within a site, and the data it
sends is uncompressed. When data is sent between sites, however, it is compressed.
67. RPC is synchronous, whereas SMTP (usable for replication over slow or unreliable WAN
links) is asynchronous. Site links can use IP (for higher-speed connections) or SMTP (for
slower-speed connections). SMTP replication requires a certification authority so the
messages can be signed, and it can carry only the schema, configuration, and global catalog
partitions, not a domain partition; two domain controllers of the same domain in different
sites must therefore still be linked over IP. The Knowledge Consistency Checker (KCC)
generates the replication topology within a forest; it runs on each domain controller
automatically.
68. Software can be assigned to either users or computers, but can be published only to
users.
69. Group Policies can be applied at any level of the network structure via the Group Policy
tab. Group Policies replace, and are a superset of, the System Policies, which existed in
previous incarnations of the operating system. Group Policies work with Windows 2000,
but not with lower-level operating systems, which still expect System Policies.
70. In addition to the site, domain, and OU, every Windows 2000 computer can optionally
have one local policy assigned to it.
71. The two primary divisions of a policy are Computer Configuration and User
Configuration. Settings configured under Computer Configuration apply to the computer,
regardless of who is using it. Conversely, the settings configured under User
Configuration apply only when the specified user is logged on.

72. Group Policies are processed in the order Local, Site, Domain, OU (remember LSDOU),
with nested OUs processed from parent to child. Where two policies set the same item, the
one applied last wins, unless a higher-level GPO is marked No Override (it then cannot be
overridden by anything below it) or a container is marked Block Policy Inheritance (it
then ignores ordinary policies from above; No Override policies still get through).
73. The Local Policies folder contains three subfolders: Audit Policy, User Rights
Assignment, and Security Options.
74. The default setting for each is Not Defined, but typical options are Enabled and Disabled.
If the option requires a value (such as Rename Administrator Account), the dialog box
asks for the new value.
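The precedence rules of tips 69-72 and 74, applied to a small constructed policy tree as an added example (illustrative code, not part of the original page and not a Microsoft tool). Local, Site, Domain and OU policies are processed in that order and the last writer wins for an ordinary setting; a No Override GPO locks the value against everything applied later and ignores Block Policy Inheritance, and a container with Block Policy Inheritance drops ordinary settings coming from above it. The GPO names and values are sample data; link order within a container, security filtering, and loopback processing are not modelled.

```python
"""Group Policy precedence with No Override and Block Policy Inheritance (added example)."""


def resolve_setting(chain, setting):
    """chain: containers in LSDOU order (outermost first), each a dict:
        {"name": str, "block_inheritance": bool,
         "gpos": [{"name": str, "no_override": bool, "settings": {...}}, ...]}
    GPOs inside one container are applied in list order (later overrides earlier).
    Returns (value, name of the winning GPO) or (None, None) if nothing sets it."""
    enforced = None   # first No Override GPO that sets it wins for good
    ordinary = None   # last ordinary GPO that sets it, unless blocked later
    for container in chain:
        if container.get("block_inheritance"):
            ordinary = None   # drop every ordinary setting from above
        for gpo in container.get("gpos", []):
            if setting not in gpo.get("settings", {}):
                continue
            hit = (gpo["settings"][setting], gpo["name"])
            if gpo.get("no_override"):
                if enforced is None:          # higher-level No Override beats a lower one
                    enforced = hit
            else:
                ordinary = hit
    if enforced is not None:
        return enforced
    if ordinary is not None:
        return ordinary
    return (None, None)


def effective_policy(chain, settings):
    """Resultant set of policy for the listed settings."""
    return {name: resolve_setting(chain, name) for name in settings}


def build_chain(enforce_domain=True, block_servers_ou=True):
    """Constructed sample tree: Local -> Site -> Domain -> OU, with the two
    flags from tip 72 switchable so their effect can be compared."""
    return [
        {"name": "Local", "gpos": [
            {"name": "Local Policy",
             "settings": {"MinimumPasswordLength": 0, "DisableCommandPrompt": False}}]},
        {"name": "Site: HQ", "gpos": []},
        {"name": "Domain: corp", "gpos": [
            {"name": "Domain Security", "no_override": enforce_domain,
             "settings": {"MinimumPasswordLength": 8,
                          "RenameAdministratorAccount": "corp-root"}},
            {"name": "Domain Desktop",
             "settings": {"DisableCommandPrompt": False}}]},
        {"name": "OU: Servers", "block_inheritance": block_servers_ou, "gpos": [
            {"name": "Server Lockdown",
             "settings": {"MinimumPasswordLength": 4, "DisableCommandPrompt": True}}]},
    ]


SETTINGS = ["MinimumPasswordLength", "DisableCommandPrompt", "RenameAdministratorAccount"]

if __name__ == "__main__":
    print("flags on: ", effective_policy(build_chain(), SETTINGS))
    print("flags off:", effective_policy(build_chain(False, False), SETTINGS))
```

With both flags on, the domain's eight-character minimum and renamed Administrator account survive the OU's Block Policy Inheritance because the domain GPO is No Override; with both flags off, the OU's weaker four-character minimum wins simply because it is applied last, which is the case an auditor should be looking for.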
Configuring, Securing, and Troubleshooting Remote Access
75. A virtual private network (VPN) is an extension of the physical network. Rather than
restricting the network to local cabling, it uses a public network (i.e. the Internet) as a
segment backbone.
76. Security is added to the VPN via the use of PPTP (Point-to-Point Tunneling Protocol) or
L2TP (Layer 2 Tunneling Protocol). PPTP uses Microsoft Point-to-Point Encryption (MPPE)
for data encryption, whereas L2TP uses IPSec for data encryption, authentication, and
integrity. Because MPPE derives its keys from the MS-CHAP user authentication, a PPTP
tunnel is only as strong as the user's password; L2TP/IPSec authenticates the two machines
with certificates before the user even logs on.
77. By default, users are denied access to dial-up, but you can grant access based on user
account or group membership.
78. The RRAS (Routing and Remote Access Server) Setup Wizard allows you to define input
and output filters for the VPN server. By default, PPTP uses TCP port 1723 together with
GRE (IP protocol 47), and L2TP uses UDP port 1701 carried inside IPSec ESP (IP protocol 50)
with IKE on UDP port 500; all of these must be allowed through any firewall in front of the
VPN server, not just the two port numbers.
79. By default, the authentication provider is Windows authentication, but it can be changed
to RADIUS authentication by using Internet Authentication Service (IAS). Kerberos v5 is
Windows 2000's default authentication scheme.
80. Authentication can be accomplished through the use of the following (which can be used
in conjunction with one another):
· CHAP (Challenge Handshake Authentication Protocol)
· EAP (Extensible Authentication Protocol)
· MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)--versions 1 and
2
· PAP (Password Authentication Protocol)
· SPAP (Shiva Password Authentication Protocol)
81. CHAP authentication is one step above PAP in that it does not send clear-text passwords
over the link. It does, however, require the server to store passwords with reversible
encryption, which is disabled by default in Windows 2000 and weakens the account database.
82. EAP (Extensible Authentication Protocol) has the client and the server negotiate the
protocol that will be used, in much the same way that networking protocols are
determined. Possible choices include one-time passwords, username/password
combinations, or access tokens.
83. MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) comes in two versions.
Version 2 adds mutual authentication and separate send and receive encryption keys and is
supported by Windows 2000 and updated older Microsoft clients; version 1 remains for older
Microsoft clients and a small handful of other compatible operating systems. Prefer version
2 wherever the clients allow it.
84. PAP (Password Authentication Protocol) uses a plain-text password authentication
method and should only be used if the clients you support cannot handle encryption.

85. SPAP (Shiva Password Authentication Protocol), which is a shade above PAP, provides
backward-compatibility but is not favored for new installations.
86. By default, the Authenticated Users group has only Enroll and Read Configuration
permissions.
87. IAS (Internet Authentication Service) can be used to enforce (through policies) issues
such as: RADIUS clients allowed, incoming phone numbers to accept, the type of media
used to establish the connection, user membership in security groups, and the time of
allowed access (day, hour, etc.).
88. IAS is used for centralized administration and to enforce access policies. It works with
PAP, CHAP, MS-CHAP, and EAP.
89. IAS is useful for centralized auditing, scaling systems for growing demand, monitoring
usage remotely, and working with a graphical interface through an MMC snap-in.
90. Utilizing NAT, only one machine (the NAT server) needs to have a valid Internet IP
address; all the internal clients can use private addresses from the RFC 1918 ranges
(10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).
91. Whereas ICS (Internet Connection Sharing) is intended for small networks, NAT is for
large networks concerned with conserving IP addresses and/or security.
92. NAT editors included with Windows 2000 are: FTP, ICMP, PPTP, and NetBIOS over
TCP/IP.
93. Configuration of NAT is done through the Routing and Remote Access MMC snap-in,
meaning that RRAS must be activated before NAT can be employed.
94. NAT interfaces define connection properties for network address translation. They define
what constitutes the internal network and what constitutes the external network.
95. NAT translates between two different networks, allowing you to have a private scope
internally and still communicate with the Internet.
96. NAT will not run on Windows 2000 Professional (requiring Windows 2000 Server or
Windows 2000 Advanced Server). ICS will run on all three platforms.
97. NAT works by having at least two different IP addresses: a valid Internet address (it can
even support more than one) and an internal network address.
98. The DHCP Allocator in NAT supports only one scope. If you need more than one scope,
you must use true DHCP, not NAT's Allocator feature.
99. The properties of the NAT interface allow you to map special ports and add reserved
addresses and address pools.
100. A number of features within ICS are not available in the full-blown NAT: DirectPlay
Proxy (for playing games across a router), H.323 Proxy (for Microsoft NetMeeting calls),
and LDAP Proxy (to register with an Internet Locator Service server for NetMeeting).
101. When installed, ICS sets the IP address of the LAN interface to 192.168.0.1. It also
installs the DHCP allocator (AutoDHCP), a DNS proxy, and a WAN interface (modem) for
demand-dial routing to your ISP.
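What the NAT service of tips 90-99 does, reduced to a translation table as an added example (illustrative code written for this page; it is not the Windows 2000 NAT implementation). Outbound packets from private addresses are rewritten to the single public address and a translated port, the mapping is remembered so matching replies can be translated back, unsolicited inbound traffic is dropped, and a "special port" mapping (tip 99) exposes one internal server. The `Nat` class and all addresses are constructed (203.0.113.0/24 is a documentation range); the per-protocol editors of tip 92 are not modelled.

```python
"""A minimal NAT translation table (added example)."""
import ipaddress

# Tip 90: the RFC 1918 private ranges.
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in RFC1918)


class Nat:
    def __init__(self, public_ip, special_ports=None, first_port=1025):
        self.public_ip = public_ip
        # Static inbound mappings (tip 99): (proto, public port) -> (internal ip, port).
        self.special_ports = dict(special_ports or {})
        # Dynamic table: (proto, public port) -> (internal ip, internal port, remote ip, remote port).
        self.table = {}
        self.next_port = first_port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the private network. Returns the rewritten
        (source ip, source port), or None if the source is not a private address."""
        if not is_rfc1918(src_ip):
            return None
        flow = (src_ip, src_port, dst_ip, dst_port)
        for key, entry in self.table.items():       # reuse an existing mapping
            if key[0] == proto and entry == flow:
                return self.public_ip, key[1]
        while (proto, self.next_port) in self.table or (proto, self.next_port) in self.special_ports:
            self.next_port += 1                      # never collide with a special port
        key = (proto, self.next_port)
        self.table[key] = flow
        self.next_port += 1
        return self.public_ip, key[1]

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Packet arriving on the public interface. Returns the internal
        (ip, port) it is forwarded to, or None if it is dropped."""
        entry = self.table.get((proto, dst_port))
        if entry is not None and entry[2] == src_ip and entry[3] == src_port:
            return entry[0], entry[1]                # reply to a flow we started
        return self.special_ports.get((proto, dst_port))   # published server, or None


if __name__ == "__main__":
    # Constructed sample: one public address, an internal web server published on port 80.
    nat = Nat("203.0.113.1", special_ports={("tcp", 80): ("192.168.0.20", 80)})
    print(nat.outbound("tcp", "192.168.0.10", 3000, "203.0.113.5", 80))   # -> ('203.0.113.1', 1025)
    print(nat.inbound("tcp", "203.0.113.5", 80, 1025))                    # reply -> ('192.168.0.10', 3000)
    print(nat.inbound("tcp", "203.0.113.9", 80, 1025))                    # unsolicited -> None
    print(nat.inbound("tcp", "203.0.113.9", 4444, 80))                    # special port -> web server
```

The dropped unsolicited packet is the security tip 91 alludes to: hosts behind the NAT are reachable only through mappings they opened themselves or through special ports the administrator chose to publish, so every special port should be reviewed as carefully as a firewall rule.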


