Hi Guys....
I took NTSE exam (70-068) on 25 Nov 1998 and wrote a 921 score. I thought this was the toughest exam ever, as many people say so, but I found out that it's the easiest one I have taken (out of the core exams). So far I still consider NE is the hardest one for me.
I used MCSE TestPrep: Core Exams from QUE and various braindump sites.
Many postings will give you hints about the questions which by any chance they will appear again in your exam. Do not fully trust the answers they've given you. Try to find your own or compare the answer from various sites. If many people say the same thing, that's probably the best answer.
In summary, groups and domains are the key to this exam; if you really understand these concepts in depth you can enter the exam feeling confident. I had 17 Qs re. Trusts and permissions.
Hint: if you're desperate, just take the answer as it is. If you find the same questions in your exam, at least you can eliminate the wrong answers.
The note you're going to read is still a mess. I tried to edit it, still, you'll find some overlapping topics and italic words which mean I had the questions relating to these words/sentences.
Hint: pay more attention to the questions here and check your own notes.
NTSE Note
Planning
Understand the four domain models (single, single master, multiple master and complete trust).
Know the benefits and deficiencies of each and when they should be implemented.
Know which way a trust relationship operates (if A trusts B then B's accounts may be used to access resources in domain A).
Understand that trust relationships are not transitive (i.e. if A trusts B and B trusts C, then A does not trust C automatically).
Remember which sorts of servers can be moved between domains and which cannot.
Understand that member servers do not participate in a domain in the same way as a domain controller.
Know that local groups are not visible across a trust relationship, but global groups are visible.
Know that global groups can be placed into local groups in a different domain to grant the users contained in the group access to a resource or privilege.
Each domain database can store three types of accounts: user accounts, computer accounts and group accounts.
Each user account occupies 1 KB (1024 Bytes),
Each computer account uses 0.5 KB (512 Bytes),
Each global group account uses 0.5 KB (512 Bytes) + 12 Bytes/user
Each local group account uses 0.5 KB (512 Bytes) + 36 Bytes/user
The maximum recommended size of a domain database is 40 MB. Therefore a 40 MB domain database can support 26,000 user accounts (26 MB), 26,000 computer accounts (13 MB), and 250 group accounts (1 MB).
Trust Relationship
Although small organizations can store accounts and resources in a single domain, large organizations typically establish multiple domains. With multiple domains, accounts are usually stored in one domain and resources in another domain or domains.
Windows NT Server Directory Services provide security across multiple domains through trust relationships. A trust relationship is a link that combines two domains into one administrative unit that can authorize access to resources on both domains.
There are two types of trust relationships:
In a one-way trust relationship, one domain trusts the users in the other domain to use its resources. More specifically, one domain trusts the domain controllers in the other domain to validate user accounts to use its resources. The resources that become available are in the trusting domain, and the accounts that can use them are in the trusted domain. However, if user accounts located in the trusting domain need to use resources located in the trusted domain, that situation requires a two-way trust relationship.
A two-way trust relationship is two one-way trusts: each domain trusts user accounts in the other domain. Users can log on from computers in either domain to the domain that contains their account. Each domain can have both accounts and resources. Global user accounts and global groups can be used from either domain to grant rights and permissions to resources in either domain. In other words, both domains are trusted domains.
Note: Using resources located on any domain, trusting or otherwise, is always subject to permissions associated with the resources.
By grouping computers into domains, network administrators and users benefit in two major ways:
Servers in a domain form a single administrative unit, sharing security and user account information, thereby saving administrators and users time and effort.
Users browsing the network for available resources see the network grouped into domains rather than as individual servers and printers on the whole network. (This benefit of domains is identical to the Microsoft Windows for Workgroups and Windows 95 concept of a workgroup.)
Trust relationships move the convenience of centralized administration from the domain level to the network level. By establishing trust relationships between the domains on your network, you enable user accounts and global groups to be used in domains other than the domain where these accounts are located. You need to create each user account only once, and because directory services enable synchronization of all security data in the directory database, the account can be given access to any computer on your network, not just the computers in one domain.
Trust relationships are created only between Windows NT Server domains. When administering member servers, computers running Windows NT Workstation, or a LAN Manager 2.x domain, the Trust Relationships command is unavailable.
Note: The arrows in diagrams showing trust relationships always point from the resources that can be used to the accounts that are trusted to use them.
One-way trust relationship
In the preceding diagram, user accounts from the Sales domain can use resources in the Production domain. The effect of this trust is that users from Sales can log on to their domain and receive access to servers in the Production domain, and they can do so from any workstation in either domain. Users from Sales can be added to local groups in the Production domain. Users in Production, however, cannot belong to local groups in the Sales domain, log on to the Production domain from Sales workstations, nor connect to servers in the Sales domain.
One common scenario for a one-way trust is for a domain containing only accounts to be trusted by one or more resource domains. That trust configuration results in all accounts being trusted to use all resources.
Effects of Computer Accounts on Domain Administration
Computer accounts and the secure channels they provide enable administrators to manage workstations and member servers remotely. They also affect the relationship between a workstation and domain servers and between primary and backup domain controllers:
User Authentication
On a computer running Windows NT Workstation or a member server running Windows NT Server, the Net Logon service processes logon requests for the local computer. On a domain controller, the Net Logon service processes logon requests for the domain.
The Net Logon service initiates the following processes: discovery, secure channel setup, and pass-through authentication.
Pass-through Authentication
Pass-through authentication occurs in the following cases:
At interactive logon when a user logs on to a computer running Windows NT Workstation or a computer running Windows NT Server and the name in the Domain box in the Logon Information dialog box is not the computer name.
The logon computer sends the logon request to a domain controller in the domain to which the computer account belongs. The controller first checks the domain name. If the domain name is the domain to which the controller belongs, the controller authenticates the logon credentials against its directory database and passes the account identification information back to the logon computer, allowing the user to connect to resources on both the logon computer and the domain.
Note: If the logon computer is not running Windows NT Workstation or Windows NT Server, domain controller authentication has no effect on the user's ability to use resources on the logon computer.
If the domain name is not the domain the domain controller belongs to, the domain controller checks to see if the domain is a trusted domain. If so, the domain controller passes the logon request through to a domain controller in the trusted domain. That domain controller authenticates the account user name and password against the domain directory database and passes the account identification information back to the initial domain controller, which sends it back to the logon computer.
If the name in the logon credentials is not the computer name, the name of the domain the computer belongs to, or the name of a domain trusted by the computer's domain, the credentials are considered to belong to an untrusted domain and the interactive logon fails.
At interactive logon when the computer being logged on to is a domain controller but the name in the Domain box is not the domain to which the controller belongs.
The controller checks the domain name to see if it is a trusted domain. (The domain controller does not check for computer name because its directory database contains only domain accounts). If the domain is a trusted domain, the controller passes the logon information to a domain controller in the trusted domain for authentication. If the trusted domain controller authenticates the account, the logon information is passed back to the initial domain controller, and the user is logged on. If the account is not authenticated (is not defined in the trusted domain directory database), the logon fails.
At remote logon (connecting to a computer over the network).
If the user is logged on to a computer or domain account and then tries to make a network connection to another computer, pass-through authentication proceeds as in interactive logon. The credentials used at interactive logon are used for pass-through authentication unless the user overrides those credentials by typing a different domain or computer name and user name in the Connect As box in the Map Network Drive dialog box.
If the user tries to make a network connection to a computer in an untrusted domain, the logon proceeds as if the user were connecting to an account on the remote computer. The computer being connected to authenticates the logon credentials against its directory database. If the account is not defined in the directory database but the Guest account is enabled on the computer being connected to, and if the Guest account has no password set, the user is logged on with guest privileges. If the Guest account is not enabled, the logon fails.
If the computer being connected to is a BDC in the domain where the user account is defined, but the BDC fails to authenticate the user's password (for example, the password has changed but the BDC is not synchronized at the time the user logs on), the BDC passes the logon request through to the PDC in the same domain.
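The pass-through cases above, together with the one-way and non-transitive trust rules from the Planning section, can be modeled as a routing decision. This is an added example, not part of the original notes: the domain names reuse the Sales/Production scenario, while RESEARCH, the computer names, the accounts and all function names are constructed for illustration.

```python
"""Toy model of the Net Logon routing decision: which database answers a logon?"""
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    accounts: dict                               # user name -> password
    trusts: set = field(default_factory=set)     # domains THIS domain trusts


@dataclass
class Computer:
    name: str
    domain: str                                  # domain holding its computer account
    is_dc: bool = False                          # a DC holds only domain accounts
    local_accounts: dict = field(default_factory=dict)
    guest_enabled: bool = False
    guest_password: str = ""


def _check(accounts, user, password):
    # Real Net Logon never compares cleartext; only the routing is modeled here.
    return "ok" if accounts.get(user) == password else "denied"


def own_database(computer, domains):
    """A DC's only database is the domain's; other machines have a local one."""
    return domains[computer.domain].accounts if computer.is_dc else computer.local_accounts


def interactive_logon(computer, domains, logon_domain, user, password):
    """Return (result, authenticating database) for a logon typed at `computer`."""
    if logon_domain == computer.name and not computer.is_dc:
        return _check(computer.local_accounts, user, password), computer.name
    home = domains[computer.domain]
    if logon_domain == home.name:
        return _check(home.accounts, user, password), home.name
    # Pass-through happens only across a DIRECT trust held by the computer's
    # own domain; trusts held by the trusted domain are never followed.
    if logon_domain in home.trusts:
        trusted = domains[logon_domain]
        return _check(trusted.accounts, user, password), trusted.name
    return "untrusted-domain", None


def network_logon(target, domains, logon_domain, user, password):
    """Connection over the network to `target`, including the Guest fallback."""
    result, database = interactive_logon(target, domains, logon_domain, user, password)
    if result != "untrusted-domain":
        return result, database
    # Untrusted domain: the target treats the name as one of its own accounts.
    own = own_database(target, domains)
    if user in own:
        return _check(own, user, password), target.name
    if target.guest_enabled and target.guest_password == "":
        return "guest", target.name
    return "denied", target.name


# Constructed sample: PRODUCTION trusts SALES, and SALES trusts RESEARCH.
DOMAINS = {
    "SALES": Domain("SALES", {"alice": "pw-a"}, trusts={"RESEARCH"}),
    "PRODUCTION": Domain("PRODUCTION", {"bob": "pw-b"}, trusts={"SALES"}),
    "RESEARCH": Domain("RESEARCH", {"carol": "pw-c"}),
}
PROD_WS = Computer("PRODWS1", "PRODUCTION", local_accounts={"localadmin": "pw-l"})
SALES_WS = Computer("SALESWS1", "SALES")
PROD_SRV = Computer("PRODSRV1", "PRODUCTION", guest_enabled=True)

if __name__ == "__main__":
    print(interactive_logon(PROD_WS, DOMAINS, "SALES", "alice", "pw-a"))
    print(interactive_logon(SALES_WS, DOMAINS, "PRODUCTION", "bob", "pw-b"))
    print(interactive_logon(PROD_WS, DOMAINS, "RESEARCH", "carol", "pw-c"))
    print(network_logon(PROD_SRV, DOMAINS, "RESEARCH", "carol", "pw-c"))
```

The last case is the one to audit for: an account from an untrusted domain is admitted as Guest without ever typing "Guest", which is why the Guest settings described in the next sections matter on every server reachable over the network.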
Group Accounts
There can be two types of group accounts:
When working with groups, keep the following in mind:
Global groups are the most efficient way to add users to local groups.
Global groups can be added to local groups in the same domain, trusting domains, or to computers running Windows NT Workstation or Windows NT Server as a member server in the same or a trusting domain.
Although a global group can be granted permissions and rights in its own domain, it is best to grant rights and permissions to local groups and use global groups to add user accounts from account domains (trusted) to resource domains (trusting).
Built-in Guest Account
The Guest account is used for logons by people who do not have an actual account on the computer or domain or in any of the domains trusted by the computer's domain. A user whose account is disabled (but not deleted) can also use the Guest account. The Guest account does not require a password and can be used for two types of guest logons: local guest logons and network guest logons. You can configure each domain and computer to allow both types of guest logon, only one type, or neither type. The Guest account is disabled by default when Windows NT Server or Windows NT Workstation is installed, but you can re-enable it.
You can set rights and permissions for the Guest account just like any user account. By default, the Guest account is a member of the built-in Guests group, which allows a user to log on to a workstation or member server (the right to log on locally) only. Rights other than this one, as well as any permissions, must be granted to the Guests local group by an Administrator or Account Operator.
Guests have no predefined rights on a domain controller.
A local guest logon takes effect when a user logs on interactively at a computer running Windows NT Workstation or at a member server running Windows NT Server and specifies Guest as the user name in the Logon Information dialog box. Because the Guest account on these computers (but not on domain controllers) has the built-in right to log on locally, the guest user can then work at that computer (subject to the rights and permissions you have granted the Guest account) and use it to access the network.
A network guest logon takes effect at a computer that uses the Guest account when a user has logged on interactively to either a domain account or a local computer account (as in the case of a workgroup member) and tries to connect to the computer that uses the Guest account:
In the case of a workgroup, the computer name is treated as a domain name by the computer being accessed. The computer being connected to might not recognize the user's account for any of the following reasons:
A network guest logon is approved only if the Guest account of the destination computer is enabled and has no password set. The guest user then has all rights, permissions, and group memberships on the computer that are granted to the Guest account, even though the guest user has not specified Guest as his or her user name.
Tip: To allow local guest logons but not network guest logons, enable the Guest account, but revoke its Access This Computer From Network user right in User Manager for Domains.
To allow network guest logons but not local guest logons, enable the Guest account, and revoke its Log On Locally user right. (Be sure Guest has the Access This Computer From Network right).
Installation and Configuration
To ensure that a server does not become a browse master, change the registry entry MaintainServerList = No.
Creating Printing Pools
When you create a printer, you can associate it with more than one printing device in order to form a printing pool. A printing pool consists of two or more similar printing devices associated with one printer name. To set up a pool, you create a printer and assign it as many output ports as you have identical printing devices. Printing pools have the following characteristics:
You can use Ntdetect.chk in place of Ntdetect.com if Ntdetect.com fails to detect all hardware devices. Ntdetect.chk will display information on the screen as it detects hardware to help isolate the problem.
Monitoring and Optimization
Be able to identify a server problem through Performance Monitor counters (e.g. high processor and disk loads usually indicate excessive paging as a result of insufficient memory).
Know the common PM counters for testing high processor, disk and network usage, etc. Know how to graph the total processor load in an SMP system.
To view network traffic generated from a particular machine, you can either use a capture filter or a display filter. Capture filters can be configured to capture network packet types (NetBIOS, SMB, etc.) or network frames addressed to or from a given machine. To capture all network frames being sent to KILROY, the line INCLUDE ANY --> KILROY could be coded in the capture filter. To capture all network frames being sent from KILROY, the line INCLUDE ANY <-- KILROY could be coded in the capture filter. Display filters are used to filter information once it has already been captured into the Network Monitor capture buffer.
The correct syntax for filtering by a specific protocol property on your computer would be a line specifying the type of frame (SMB), a colon, the type of property (Command), two equals signs and the frame type property for directory creation (Make Directory). The "<-->" symbol is used for address capturing.
Four server memory settings are available:
Allows memory to be allocated for up to approximately 10 network connections.
Provides memory for up to approximately 64 connections (default).
Allocates maximum memory for file sharing operations, e.g. an MS Access application.
Optimizes server memory for distributed applications that do their own memory caching, such as Microsoft SQL Server, or optimizes DCs to increase the logon validation
Pulse:
The interval after which the Netlogon service looks for new changes to the database and sends a pulse (change notice) to the backup domain controllers. The default is 5 minutes.
PulseMaximum:
The interval after which the NetLogon service will send a pulse to the backup domain to verify the synchronization level, whether or not there are new changes to the database. The default is 2 hours.
PulseConcurrency:
The number of backup domain controllers to which pulses are sent concurrently. A higher value increases the amount of network bandwidth required at each synchronization. The default is 20.
PulseTimeout1:
The amount of time that a PDC will wait for a BDC to respond to a pulse. The default is 5 seconds.
PulseTimeout2:
The amount of time that a PDC will wait for a BDC to complete a partial synchronization. The default is 5 minutes.
ChangeLogSize:
PDC sends only the parts of the DS database that have changed (written down in Change log). Each change is marked with a version number. When it is full, the log will be overwritten from the beginning. If the BDC sees the last version number it has received has been overwritten, it will request a full synchronization. The default is 64 KB.
The above parameters are set up on the PDC registry.
ReplicationGovernor:
Limits the amount of bandwidth the domain synchronization process can consume. Forces the NetLogon service to sleep between calls and use smaller buffers to allow other network traffic to pass. The default (128K buffer) uses up to 100% of available bandwidth until synchronization is complete.
This parameter is set up on the BDC registry.
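The ChangeLogSize behaviour described above (version-numbered changes, overwrite from the beginning when full, full synchronization once the BDC's last version number is gone) can be modeled to see how long a BDC may miss pulses before a full synchronization is forced. This is an added example, not from the original notes: the 32-byte entry size, the change rates and all names are assumptions chosen for illustration.

```python
"""Model of the PDC change log and the BDC's partial/full synchronization choice."""


class ChangeLog:
    def __init__(self, size_bytes=64 * 1024, entry_bytes=32):
        # entry_bytes is an assumed average record size, not a figure from the notes.
        self.capacity = size_bytes // entry_bytes
        self.serial = 0            # version number of the newest change

    def record(self, changes=1):
        """Log `changes` new modifications; the oldest entries are overwritten."""
        self.serial += changes

    def oldest_retained(self):
        """Lowest version number that has not been overwritten yet."""
        return max(1, self.serial - self.capacity + 1)

    def sync_type(self, bdc_serial):
        """What a BDC whose last received version is `bdc_serial` must do."""
        if bdc_serial == self.serial:
            return "in-sync"
        # Rule from the notes: last received version overwritten -> full sync.
        if bdc_serial < self.oldest_retained():
            return "full"
        return "partial"


def tolerated_outage_minutes(log, changes_per_minute):
    """Whole minutes a BDC can miss pulses before wraparound forces a full sync."""
    return (log.capacity - 1) // changes_per_minute


def sync_after_outage(outage_minutes, changes_per_minute, size_bytes=64 * 1024):
    """Synchronization type a BDC needs once an unreachable link comes back."""
    log = ChangeLog(size_bytes)
    log.record(500)                      # constructed history before the outage
    bdc_serial = log.serial              # BDC fully synchronized when the link drops
    log.record(outage_minutes * changes_per_minute)
    return log.sync_type(bdc_serial)


if __name__ == "__main__":
    default_log = ChangeLog()
    print("entries held:", default_log.capacity)
    print("tolerated outage at 10 changes/min:",
          tolerated_outage_minutes(default_log, 10), "minutes")
    for minutes in (0, 120, 480):
        print(minutes, "min outage ->", sync_after_outage(minutes, 10))
    print("480 min outage, 256 KB log ->",
          sync_after_outage(480, 10, size_bytes=256 * 1024))
```

A BDC behind a slow or unreliable WAN link is the case to size for: a larger change log on the PDC keeps it on partial synchronization after longer outages.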
The Processor object type will have multiple instances if a system has multiple processors.
Managing Resources
Know how to set up multiple print queues to one or more printers in order to optimize their use.
To give a user in one domain access to a folder in a FAT partition in another domain, create a trust where the resource domain is the trusting domain and share the folder with the appropriate permissions.
When logging on remotely, a user's level of access can be determined by first determining his least restrictive level of access from NTFS, and his least restrictive level of access on the share he is using. The most restrictive level of access would then be determined using these two access levels. This would be the level of permission a user has for accessing an NTFS folder via a share.
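The share-over-NTFS rule above, worked through with group memberships that cross a trust, as an added example that is not part of the original notes. The group names, users and ACLs are constructed, the four-step permission scale is a simplification, and the No Access override is standard NT 4.0 behaviour that the notes do not state.

```python
"""Effective access through a share: cumulative per ACL, then the stricter of the two."""

# Ordered from most to least restrictive (simplified common scale).
LEVELS = ["No Access", "Read", "Change", "Full Control"]


def principals_for(user, global_groups, local_groups):
    """The user, the global groups holding the user, and the local groups (in the
    resource domain) holding the user or any of those global groups."""
    names = {user}
    names |= {g for g, members in global_groups.items() if user in members}
    names |= {l for l, members in local_groups.items() if members & names}
    return names


def cumulative(acl, principals):
    """Least restrictive level granted through any membership."""
    granted = [level for name, level in acl.items() if name in principals]
    # Standard NT 4.0 behaviour, not stated in the notes: an explicit
    # No Access entry overrides every other grant. No entry at all also
    # means no access.
    if not granted or "No Access" in granted:
        return "No Access"
    return max(granted, key=LEVELS.index)


def effective_remote_access(share_acl, ntfs_acl, principals):
    """ntfs_acl is None for a FAT volume, where only the share ACL applies."""
    share = cumulative(share_acl, principals)
    if ntfs_acl is None:
        return share
    return min(share, cumulative(ntfs_acl, principals), key=LEVELS.index)


# Constructed sample: accounts live in SALES, the folder lives in PRODUCTION.
GLOBAL_GROUPS = {"SALES\\Sales Staff": {"SALES\\alice", "SALES\\bob", "SALES\\dave"}}
LOCAL_GROUPS = {
    "Plans Readers": {"SALES\\Sales Staff"},   # global group placed in a local group
    "Plans Editors": {"SALES\\alice"},
    "Contractors": {"SALES\\dave"},
}
SHARE_ACL = {"Plans Readers": "Read", "Plans Editors": "Full Control"}
NTFS_ACL = {"Plans Readers": "Read", "Plans Editors": "Change",
            "Contractors": "No Access"}


def access_for(user, ntfs_acl=NTFS_ACL):
    """Effective access of `user` to the sample share."""
    principals = principals_for(user, GLOBAL_GROUPS, LOCAL_GROUPS)
    return effective_remote_access(SHARE_ACL, ntfs_acl, principals)


if __name__ == "__main__":
    for user in ("SALES\\alice", "SALES\\bob", "SALES\\dave"):
        print(user, "| NTFS volume:", access_for(user),
              "| FAT volume:", access_for(user, ntfs_acl=None))
```

The FAT column shows why the file system matters when reviewing a share: the same folder on a FAT partition is protected by the share permissions alone, so any restriction that existed only in the NTFS ACL no longer applies.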
To successfully merge new group policy files you created on your workstation with the existing policy files in the NTConfig.Pol file on the PDC, you need to copy the group policies from your workstation system policy file and paste these policies into the system policy file on the PDC (\Netlogon\NTConfig.Pol). Policies cannot be copied directly to a registry on another machine.
Know where policies are stored and how to select which policies take precedence in conflict between two policies.
To enable a uniform policy (.pol) for all network computers running Windows NT Server, Windows NT Workstation, you save this file to the Netlogon folder in the system root folder of the primary domain controller: \\PDCservername\Netlogon.
Local Groups can contain Local Users, Global groups from the local and trusted domains and Users from trusted domains. Group permissions are cumulative.
In a master domain model, a user's account in a trusting domain will automatically be a member of the Master\Domain Users global group and will have access to resources in any domain for which the Master\Domain Users global group has been granted permissions.
Roaming user profiles can be implemented in three ways:
In User Manager for Domains, you can assign a server location for user profiles. If you enter a user profile path into a user's domain account, a copy of the user's local user profile is saved both locally and in the user profile path location when the user logs off. The next time that user logs on, the user profile in the user profile path location is compared to the copy in the local user profile folder and the most recent copy of the user profile is opened. The local user profile becomes a roaming user profile by virtue of the centralized domain location. It is available wherever the user logs on, providing the server is available.
When multiple profiles apply to one user, a user profile for a specific user takes precedence over a user profile for a group that the user is a member of. Similarly, if no specific user profile has been defined for the user, a group profile for a group that includes the user is used, if available, before the Default User profile is used. If a user is a member of multiple groups, profiles are based upon Group Order.
Connectivity
Understand the various TCP/IP services such as DNS, DHCP, WINS.
Know the four routing services in Windows NT 4.0: RIP for TCP/IP, RIP for IPX, the SAP Relay Agent and the DHCP/BOOTP Relay Agent. Understand what each is used for.
Learn when Gateway (Client) Services for NetWare are required and when the IPX protocol is sufficient.
A HOSTS file provides mappings of remote host names to IP addresses.
A LMHOSTS file provides mappings of IP addresses to NetBIOS names.
A DNS Name server is responsible for resolving IP addresses to fully qualified domain names. A HOSTS file can be regarded as a local DNS equivalent.
A DHCP (Dynamic Host Configuration Protocol) server is responsible for dynamically assigning and maintaining IP addresses for DHCP clients located on a local subnet.
A WINS server is used to resolve NetBIOS names to computer IP addresses in a routed network environment. A LMHOSTS file can be regarded as a local WINS equivalent.
If your network consists of two subnets and you want to use Windows Internet Naming Service (WINS) to resolve NetBIOS names to IP addresses on both subnets, the best way to install and configure WINS to minimize network traffic and provide fault tolerance between the subnets is to install a WINS server on each subnet. Computers on each of the subnets can then perform name resolution locally, thus decreasing the amount of network traffic from name resolution between subnets. By making each WINS server a push-pull partner of the other WINS server, the WINS database of each WINS server can be replicated to the other WINS server at regular intervals. This will allow each WINS server to provide local name resolution for all computer NetBIOS names in either subnet. It will also provide fault tolerance for the WINS database. Although installing a WINS proxy agent on one of the subnets may decrease network traffic, it will not provide fault tolerance for the WINS database. WINS servers cannot be multihomed.
WINS proxy agents are normally installed in a routed environment to provide faster name resolution to non-WINS-enabled clients on a subnet. WINS proxy agents intercept name resolution requests sent as b-node broadcasts from non-WINS-enabled clients and provide those clients with corresponding IP addresses. WINS proxy agents provide name resolution by either forwarding the intercepted request on to the WINS server or by answering the request directly using locally cached information. The WINS proxy agent's ability to provide name resolution using its local cache reduces the number of name resolution requests made to the WINS server. B-node broadcasts cannot be sent over a router.
There are two domains in your company, joined by a Windows NT server acting as a router; both domains use TCP/IP as their communication protocol, and one domain currently contains a DHCP server that manages IP addressing. For the domain without the DHCP server to have its IP addressing managed by the domain with the DHCP server, the DHCP Relay Agent must be installed on the Windows NT server router.
Routing Information Protocol for Internet Protocol (RIP for IP) provides a dynamic approach to routing information across TCP/IP subnets. With RIP for IP installed on each router, IP datagrams can be sent from router to router based upon dynamic tables maintained by each router. RIP for IP reduces administrative overhead but may increase network traffic in large networks.
User Datagram Protocol (UDP) provides connectionless delivery.
The Address Resolution Protocol (ARP) resolves physical addresses to IP addresses.
To maintain web pages for five new sites on your company's Intranet on one IIS server, you must assign each site's IP address to the network adapter card of the IIS server. You must create separate WWW folders for each site and assign the correct IP address for each site to each of these folders. A DNS server needs to be installed to provide DNS name resolution for the five new URL zones on your Intranet. A WINS server should also be installed and the DNS server should be configured to request NetBIOS name and IP address updates directly from the WINS server. This will reduce the administrative burden of maintaining entries on the DNS server for any new virtual servers. A DHCP server cannot be used to assign or manage multiple addresses on a single network adapter card.
To run the Migration Tool and to access NetWare servers, the Windows NT Server computer must be running the NWLink IPX/SPX Compatible Transport and the Gateway Service for NetWare.
By default, when you transfer users from NetWare to Windows NT Server, users with names that already exist on the Windows NT Server domain are not transferred. Conflicts are recorded in the Error.log file.
A mapping file allows the greatest amount of control when migrating NetWare user accounts to a Windows NT domain. Mapping files can be used to migrate selected user accounts from NetWare servers, to standardize migrated user account names to match existing domain conventions, and to set passwords of migrated user accounts to unique user-supplied strings. Since NetWare passwords cannot be read by the Migration Tool, a mapping file must be used to ensure that migrated user accounts have passwords in the Windows NT domain that are the same as their NetWare user account passwords. Mapping files are also useful when performing large migrations involving many NetWare servers that contain multiple versions of the same user account names.
When File and Print Services for NetWare are installed on the Windows NT server (server solution), NetWare clients will be able to access files on the Windows NT server as if they were located on a NetWare server. When a Microsoft redirector is installed on each NetWare client machine (client solution), each NetWare client will generate requests to the Windows NT server for access to the remote files. The Windows NT server will process these requests and allow each client to access the files. Client Service for NetWare and Gateway Service for NetWare allow Windows NT client computers to directly access resources on NetWare servers.
Client Service for NetWare is designed for Windows NT workstations that require a direct link to NetWare servers.
Gateway Service for NetWare is used to allow Windows NT servers to map a drive to a NetWare server thus providing access to NetWare server resources for Windows NT workstations (via a gateway).
Windows NT server requires the NWLink protocol to allow NetWare clients and servers to access client-server applications running on it.
Troubleshooting
Know that the registry can be restored through the Emergency Repair Disk and that the ERD is a good first recovery attempt in a serious system problem where Last Known Good is not an option.
Remember that stripe sets with parity only protect against a single disk failure, and know how to recover from failure.
The Emergency Repair Disk can verify the NT system files, inspect the system start-up environment and inspect the boot sector.
If the /s switch is used with Rdisk.Exe, then the Emergency Repair Disk program will backup user accounts and file security. To restore the user account database, start the computer with the setup disks, and select the Repair option when prompted.
When you run the emergency repair process to verify Windows NT system files, Windows NT will check the Setup.Log file on the Emergency Repair Disk to determine which files are installed during Windows NT Setup. Each installed file will also have a checksum. The repair process uses the checksums to verify the integrity of installed files.
System and boot partitions cannot be part of a volume set or a stripe set. Only a mirror set can include the system or boot partition. To recover from losing the system partition, run the NT setup program.
The crashdump routine writes the content of the memory to the pagefile. Dumpexam.Exe and Imagehlp.dll are used to view the contents of a memory dump file and export it to a text file. This information can be used to determine the cause of a STOP error. Configure the startup and location of a memory dump file in System Properties. This utility can only be used for STOP error 0x0000000A (IRQL_NOT_LESS_OR_EQUAL) and 0x0000001E (KMODE_EXCEPTION_NOT_HANDLED).
Dumpchk.exe is only used to verify the creation of a Memory Dump File. Dumpflop.exe is used to compress the file to the floppy disks.
When the STOP error occurs, the system gives the character mode stop screen. There are 5 main sections on the screen:
Kernel Debugger
Setting up the debugging session:
You can edit the Boot.Ini file and add the /sos switch to the end of the Windows NT entries in the [Operating Systems] section of the Boot.Ini file to display all driver names while they are being loaded.
To reprint a document jammed in a printer, select Restart from the document menu in the Printer folder.
====================================================
* Scenario: You want to give ONLY the sales group remote access (mandatory) and require data encryption AND password encryption.
Proposed Solution: Configure only sales to have remote access through usrmgr, allow any authentication method, require passwords to be changed every 40 days.
* Same scenario as above.
Proposed Solution: Configure only sales to have access thru usrmgr, require encrypted authentication, require passwords to be changed every 40 days, implement hardware based security between the modems and the server.
* Scenario: You have 2 identical printer devices pooled. Accounting is always hogging the printer with 500 page docs that require a lot of processing. You want Managers to always print first and have both printers in the pool available to them. You want Sales to also print to both printers but their jobs come after Managers. You want Accounting to print last and only to one of the printers.
Proposed Solution: Configure a printer pool. Assign the Managers highest priority, followed by Sales, followed by Accountants. Config Managers/Sales to print to both printers, Accountants to only 1. Allow Sales/Managers to print after the first page is spooled, Accountants only print after last page is spooled. Remove everyone permission to print (this line is really confusing since you remove everyone but add the specific groups the appropriate permissions).
* Same Scenario as above, similar solution. Only major difference was that system was setup so Accounting group would print in off-peak hours.
* You're the admin of the master domain and you want to create a global group that has the right to back up all DCs (mandatory) and member servers/workstations (optional).
Proposed Solution: Create a global group called PrintGlobal in master, put them into backup ops in resource domain. (This does not fulfill the Optional)
* Same Scenario as above: Proposed Solution was different. Create a global group called BackUpGlobal in Master, create BackUpLocal in each resource domain. Assign BackUpGlobal to BackUpLocal, assign BackUpLocal backup/restore rights. Also, put BackUpGlobal groups in all member server/workstations local backup groups.
* You're designing several server roles. You have 5000 users accessing a SQL server. How would you config this server?
(Here you have a graphic with four options...)
1. Minimize the memory used
2. Balanced
3. Maximize Throughput for File sharing
4. Maximize Throughput for Network access
* Same as above, only this time with MS Access application
* You have configured a server/printer with the DLC protocol. After you reboot, you can't print. Why? Something about someone connected to the printer with a continuous connection.
* You have custom apps designed for use on NT workstations. How do you create a .pol file so your users can access them?
-cut/paste from existing registry
-create a template
-???
-????
(can't remember this one too well)
* Know that trusts are not transitive, i.e. A trusts B and B trusts C does NOT mean A trusts C.
* Had a couple question where it would show a graphic with multiple domains. It would list the requirements (centralized accounts, what the WAN speed is between them, where the DHCP/WINS server is, etc.) then you had to choose the answer that matched the question. Pretty simple as long as you read each paragraph.
* Lots of these questions made you decide what is the greatest single improvement you could do, i.e. place a BDC on either side of a slow link to eliminate Netlogon traffic over the WAN or would that cause too much synchronization traffic.
* Make sure you know the nuances of the Replication Governor, and the pulseconcurrency, pulse, pulsemaximum stuff.
* Had one where Mary was a member of the Sales group and the SalesManagers group. She wanted access to a file in a trusted domain but when she tried to get to it she was denied. They present you with a graphic showing what groups had what permissions to the files. Basically you had to point out that her No Access permission from her membership in the Sales group was overriding her Read permission in the SalesManagers group.
* Know your Share permissions and your NTFS permissions and how they interact. (Dig out that NT4.0 Core manual!)
* You create a .pol file for everyone to use, where do you put it?
---users home dir
---Netlogon share
---member server
---etc
* How do you designate a pol file as being mandatory? (gift)
* How do you simplify the creation of home directories (%username%)
* Know the difference between dumpcheck and dumpexam. I had a question on dumpcheck.
* How do you configure the location of a memory dump file?
* Scenario where Finance wanted their staff to print cheques but only they had power of them. Not even Administrator should be able to fool around with the print jobs and only the person who created the job should have control.
Typical globalgroup/local group thing but local group had to have very specific rights. Had something to do with ownership of files.
* You run Performance Monitor to check a drive that is thrashing but when you check the log all counters are at zero. Why? Didn't turn on Diskperf -y
* You want to monitor usage on a multi-processor system, what counter should you turn on. System: %_Total Processor
* Make sure you know the difference and when to use rdisk, the Emergency Repair Disk, and the Setup Disks. ie: Know what files they each can replace in case of a system drive crash.
* You boot up the system and the following message appears. "Could not find \Winnt\ntoskernel." How do you repair this.
Copy file from tape back up
Reboot from the setup disks
Use the Emergency Repair Disks
* Absolutely nothing on the Registry and Service for Macintosh
* You are using Network Monitor to monitor network usage of a TCP/IP network on an NT Workstation. How can you filter only those packets initiated by the workstation? (or something to that effect) The answer was something about filtering by computer address.
* You are hosting web pages for 5 different companies on your IIS server. These 5 companies have 5 different DNS names registered to your server. How do you configure IIS to handle it?
- bind 5 IP's to the NIC
- map 5 web folders to the IP's
- assign the same IP address to the folders
- ???
* There were a few questions on domain planning. Investigate how you would plan for a large company that spanned 5+ major cities, where everyone needed access to all domains.
* You have two sites, London and Mexico City, as one domain. Mexico City had the PDC, DHCP, & WINS servers. London had only workstations. London is complaining of slow logons and wickedly slow address and name resolutions (no kidding!)
How do you make London as efficient as Mexico City?
I think you have to reinstall NT SV as BDC, put DHCP & WINS in London site to fulfill the required result(s) and optional results.
* You have one domain spanning 5 cities with 56K links between them all. How do you fix it so that there is a happy medium.
* You are migrating Netware accounts to your NT domain but of course many of the Netware users have multiple user accounts. How do you deal with all these duplicate accounts?
- Migrate them all and go back and delete all the duplicates one by one.
- Choose OPTIONS, OVERWRITE Duplicate accounts.
- Choose which accounts to migrate one by one with User Manager
- ???
* You want to migrate, Netware users, computers, files, and permissions to NT. What must be in place.
- NWLink ipx/spx
- TCP/IP
- System must be FAT
- System must be NTFS
* You have 6 hard drives. The first is your system drive. The other five are part of a fault tolerance implementation of disk striping with parity.
In a real fluke of bad luck you lose the first two drives of your disk stripe. How do you recover?
* You have mirrored the system partition. More bad luck strikes and the first drive of the mirror dies. How do you recover?
* What do you do if you don't have an emergency repair disk. And of course the machine has crashed.
* What do you do if you don't have the three installation boot disks. And of course the machine has crashed (choose 2)
* You want to optimize read/write performance. Which should you implement?
- disk mirroring
- disk duplexing
- disk striping with parity
- disk striping
* Study how the guest account affects users in domains and trust relationships.
* You are installing NT as a member SV in the CORP domain, when you get the message "Could not locate Primary Domain Controller for CORP domain." What do you do?
- Continue with install then physically connect the computer to the domain and join.
* Know that you cannot promote a member server to BDC or PDC and vice versa.
* Know that a DC cannot change domains without re-installation.
* Know AGLP - Accounts are put into Global groups, Global groups are put into Local groups, Local groups are assigned Permissions.
* Remember that Local Groups can contain Local Users, Global groups from the local and trusted domains, and Users from trusted domains.
* Where do you store a user's profile if you want it to be roaming?
* How do you recover from losing the system partition?
You have 4 servers, 60 users, you want centralized administration of accounts and resources.
Which domain model are we talking about here? (Single domain)
_______________________________________________
I took the NT Server 4 Enterprise exam this morning; here's what I was asked:
- loads loads loads of Trust Qs with Group strategies across trusts
- quite a few Qs on NTFS security (permissions)
- some nasty scenario Qs (on traffic optimisation)
- a couple of performance monitoring Qs
- a few Qs on fault tolerance Recovery (eg. how do you recover when 2 drives fail in your RAID5?)
- a couple of Qs on Netware Migration
- several Qs on Planning (know your domain models inside out; the actual Qs were easy)
There was one question on how you configure Control Panel/System to do a memory dump to disk if NT encounters a STOP error (very easy).
_________________________________________________________________
Synopsis:
Lots of trusts, or more elegantly "trusts out the ying yang."
Some WINS and DHCP.
Fault tolerance with i.e. striping with parity and two disks fail in stripe set? What do you do?
Global and local groups and trust interactions.
Scenario questions galore for backup groups and trusts, i.e. DHCP and WINS, and PDC in one region and nothing in another except wkstns and member server all in one domain. How to meet requirements of less time for logon validation and IP addresses distributed locally, and then some optional requirements, i.e. maintain NetBIOS name resolution, etc. Then given a solution like install DHCP on member server and WINS proxy server, and then choose from answers like meets all required objectives and optional objectives, meets all required and one optional, meets required, meets none of the requirements.
Netware migration i.e. What to migrate users, groups, permissions to NT?
Do you need both servers running Netbios, TCP/IP, fat partition or NTFS partition. Or what happens when there are duplicate user names and how to get around that during a NW to NT migration.
Domain Models - know what to use in different scenarios. Got some weird scenario questions with domain models where you pick the one that meets the criteria, sort of meets it, doesn't meet it, wouldn't work on Satan's network. Tip: Draw the questions out to get a good visualization of the problem.
One thing about the scenario questions is that some of them work, but implementation would be funky and administration loathsome.
_______________________________________________________
You do need to understand the different domain models pretty well. For example if you have a user in a group in the trusted domain, how can that user access certain items in the trusting domain. Keep in mind the different access permissions between both local and global groups and user rights. I strongly suggest setting up two NT servers somewhere and actually playing around with the different access permissions.
Also, understand WANs and their speed performance when transmitting data.
1) 51 problems, 1.5 hr. 5~6 problems with scenario. I found that time was a concern (I typically have 0.5 hr extra for all the other exams; for this one, I only had 10 min).
2) Don't be misled, it is NOT difficult as far as the problem was concerned. With general knowledge of Trust and basic understanding of disk performance, Sam, you will be all right. If you have a good sleep last night, it will be more helpful than reading another book. Mac and Novell problem is minimum. The general knowledge with TCP/IP will be enough (don't spend too much time on DNS, DHCP and WINS etc. and those TCP utilities (such as arp, icmp, netstat..), they are not important).
Again have a clear picture of the major stuff will be more helpful in most of the problem.
3) The online book with NT 4.0 (2 books) is very, very good for both exams (Enterprise and non-Enterprise). Except for browsing through the resource guides (2 books), I didn't touch any other books (it turns out you don't need to). I did buy a couple of other books, Master NT server 4.0 by Sybex and Professional guide for NT 4.0, but I just didn't feel like I needed them. (I set a deadline for myself for each test, so even if I didn't finish reading all the materials, I still went for the exam. Fortunately in the past 1.5 months, I passed all five exams in one shot. I don't mean those materials are not good, I mean you probably don't need them if you have limited funding.)
4) Try to get hold of one TechNet CD (newer than Nov. 1996). If you feel like you are not clear on one concept, try to do a search and read one or two articles. You don't need those that much, only occasionally.
* If you have a server that is hosting multiple domain names, how do you use WINS, IIS, and DNS to resolve the name to an IP.
* YOU MUST KNOW TRUSTS .. you will not pass without a FIRM knowledge of trusts. But keep in mind, it takes more than trusts to pass the test, but without 'em you haven't got a chance.
The item that helped me the most was the following. HARDWARE -------> PEOPLE I created a diagram of two trusts, one named "HARDWARE" and one named "PEOPLE". I then pointed the arrow at the people and wrote the following sentence below the trust. "The HARDWARE trusts the PEOPLE". I wrote this on my first blank page once the exam began. This one picture made life so much easier. I no longer had to think about the trust interaction. I just referenced my diagram, and applied it to my current problem. This is a good idea ..!!
* Remember that a local group cannot span trusts, they want you to fall for that one on most every question.
* There were a few questions on domain planning. Investigate how you would plan for a large company that spanned 5+ major cities, where everyone needed access to all domains.
* How about the problem of having one Domain span all 5 (or 6) cities. Some cities are connected via a fast connection (T1) other cities are connected via a slow connection (56K). How would you place BDC's so that the authentication at any city was reasonable.
* I didn't see much on subnetting .. maybe one or two questions on TCP/IP.
* a few on NetWare migration (not a whole bunch). Don't spend much time here.
* If you have two domains, a user in one domain and resources in the other domain. What should you do to allow the user to connect to the resource in the other domain.
* Know how file permissions and share permissions interact to allow a user to use resources on a share.
* Know how to recover from a RAID failure.
* What do you do if you don't have an emergency repair disk. And of course the machine has crashed.
* What do you do if you don't have the three installation boot disks. And of course the machine has crashed.
* How to support multiple domain names under IIS, How to configure IIS to allow multiple names, and how do you create the multiple root locations.
* Some performance tuning stuff.
____________________________________________________
You should be very comfortable with trust relationships and the four enterprise models. If you can answer trust relationship questions with ease, you will find yourself well prepared for the exam. You also need to review the following topics:
1. print pooling and group priority levels
2. NTFS files permissions and what happens when you move and copy files to NTFS and FAT partitions
3. understand the abilities of NT's built in groups (local and global) and how they can be utilized in the enterprise model
4. review boot failure recovery issues
5. what can you do with an NT boot disk and/or recovery disk
6. How does RAID5 affect read/write performance and processor?
7. Know how to set filters to isolate IP addressing in Net Monitor
8. Study how the guest account affects users in domains and trust relationships.
9. How would you ensure that only authorized group users will be able to use RAS connections, and what kind of security measures are available.
10. How do multiple group memberships affect profiles based upon groups? (set group priorities)
11. Important... To change domain membership, Windows NT has to be re-installed on DC's.
12. A - Accounts G - Go into Global Groups L - Which get assigned to Local Groups P - Which get assigned permissions
13. How would you install a member server and move it to a different domain without re-installing NT?
14. Remember that Local Groups can contain Global Groups, Trusted users and Local Users
- The Domain Models - Which is the best one for a given setting.
- Trust relationships - easy
- Permissions (Share level and also NTFS)
- Only one question on Performance Monitor - very easy
- Only one question on Network Monitor - also easy
- Know your groups (local and global)
- Fault Tolerance (a few questions, easy)
- Policies and Profiles - a couple of questions on roaming users
- A couple of questions on Auditing
- if the CPU % usage goes way up, pages/sec is high, disks are thrashing - one may consider more memory to alleviate paging.
_______________________________________________________
I had one question that asked something similar to the following: One server with one NIC. Running TCP/IP. You want to have 5 different domain names, each with its own IP Address on this server. How do you do it? The answers gave you choices of partitioning the disk different ways, binding multiple IP addresses to the card etc. You had to pick TWO out of the four responses. I was able to eliminate two responses and I picked the two remaining. I still am not sure if I got the question right or not. I hope this helps.
This is a LITTLE. It is mostly recognition or feature based. Almost no technical depth and only a couple of questions. You got a good response earlier: Know that IIS supports 'virtual servers' on a single Windows NT Server.
__________________________________________________________
Make sure you know fault tolerance: which RAID levels are supported by NT, and what the different levels mean. Know how to recover from failures using the various types.
Know the basics of PerfMon. Nothing too detailed on the test, but know what the various counters indicate, especially those that have to do with memory (that's a hint).
The planning questions (domain models, when, where, and why to use them) are pretty easy if you have a good grounding in the basics why and wherefores of the different models.
Know NTFS permissions inside and out. I don't remember any questions as far as what happens when you move vs. copy a file (and the effects on its permissions). Seems to me that those questions are on the NT Server exam; however, it's a good thing to know anyway. I recommend
You will need to know what objects (users and groups) can be put into which groups.
Know which types of servers can be moved to another domain (without reinstalling NTS, that is).
_____________________________________________
1) One IIS question involving hosting multiple sites
2) One memory dump question
3) About 6 questions on System Policies
4) A few on recovering from various hard disk failures
5) A lot on resource access in a multiple domain environment. For example, Joe Shmo is in this group in this domain, and he needs access to a file in this other domain.
6) One or two RAS questions
7) Like one NetWare question
8) NOTHING on the Macintosh
9) A question or two on DHCP and WINS
_______________________________________________
- What must be installed on Windows NT 4.0 Server if a NetWare client will access resources on it.
- What are the tools for blue screen diagnostic? Dumpexam?
- Understand about the functions of Network Monitor and Performance Monitor.
- How to use filter in Network Monitor.
- What objects should we suspect in File and Print Server or in Application Server.
- What is the function of Server properties, for example if we install Microsoft Access in Server we should select "Maximize Throughput for File Server".
- Member Server cannot be changed to BDC. And a PDC cannot be a BDC for another PDC.
- Two situation questions about disk fault tolerant.
- Fastest possible read and write access to the data you should use a stripe set with parity
- One situation questions about Printer (equal to Print Queue at Novell) and Printer Pool.
- About Browser, for example how to set MaintainServerList registry for a situation, when it is necessary to stop netlogon service.
- Two or three situation questions about how to effectively configure BDCs and replication governor registry and other registry parameters in slow WAN link environments.
- Understand Single Domain, Single Master Domain, and Multiple Master Domain how to choose the Domain Models for a given situations.
- Understand the functions of DHCP, WINS and DNS. Do WINS and DNS resolve the NetBIOS or host name of a remote Windows NT Server to an IP address?
- Understand about System Policy. If there are two groups given system policy how you can make sure the members of the groups should have the appropriate system policy (not conflict!)
- Understand about effective permission if you plan to use NTFS permission and share permission for a directory. The precedence of permission, No Access and other permissions.
- And the important things, should have good understanding about trusts relationships for various situations, there were many situation questions with exhibit for picture of scheme.
_______________________________________________
The questions below are the ones that I can remember most.
A. add faster CPU
B. add memory to 64 MB
C. add multiprocessing
D. add stripe set with parity
Answer:
source: http://www.masontech.clara.net/7068.htm
http://www.learnquick.com
http://www.saluki.com/mcp/nts40ent.htm
http://www.asb.com/usr/hollwrth/mcse/enterprise.htm