Testing Skills and Suggested Practices

The skills that you need to successfully master the Managing and Implementing Disaster Recovery objective domain on Exam 70-299, Implementing and Administering Security in a Microsoft Windows Server 2003 Network, include:

• Configuring trust relationships.

  • Practice 1: Configure four computers running Windows Server 2003 in the following way: Configure the first computer as the root domain controller in a new forest. Call this computer rootdc1. Configure the second computer as a domain controller in a child domain of the first computer. Call this computer childdc1. Configure the third computer as a domain controller in root domain in a new forest. Call this computer rootdc2. Configure the fourth computer as the domain controller of a child domain of the third computer’s root domain. Call this computer childdc2. After this is done, you should have two separate forests, each containing a single tree with two domains per forest. Create some test accounts in each of the four domains. Each test account should have a unique name. Consider creating account names that contain the domain name the account is created in so that it’s easy to tell from the name alone where the account resides. Configure an external trust relationship between rootdc1 and rootdc2. Do this by using the Active Directory Domains and Trust console, which is located on the Administrative Tools menu. Ensure that the trust relationship goes both ways. Use Active Directory Users and Computers to add users from the first computer’s domain to local groups from the third computer’s domain. Note that you will be unable to add users from any of the child domains.

  • Practice 2: Using the setup from Practice 1, remove the external trust relationship. Ensure that all forests are running at the Windows Server 2003 forest functional level. This will involve using the Active Directory Domains and Trust console, which is located on the Administrative Tools menu, to raise the domain functional level and forest functional levels from the default. Once the requisite functional level has been achieved, establish a forest trust relationship between the two forests. To test this trust relationship, create a shared folder on childdc1. Set permissions for users in the first, third, and fourth domains. Because the forest trust relationship ensures that all domains now trust each other, you will be able to assign permissions for resources to objects in all domains in both forests.

• Configuring the nesting of groups.

  • Practice 1: On a Windows Server 2003–based computer that is a member of a domain running at the Windows Server 2003 functional level, and that is also a member of a forest that contains at least another domain, create a new universal group. Try to add the following types of groups to the universal group, and note which ones you can and cannot add. (Some of these objects cannot be nested into a universal group.)

    • A domain local group from the local domain

    • A domain local group from another domain in the forest

    • Some users from the local domain

    • Some users from another domain in the forest

    • A global group from another domain in the forest

    • A universal group from another domain in the forest

  • Practice 2: On a Windows Server 2003–-based computer that is a member of a domain running at the Windows Server 2003 functional level, and that is also a member of a forest that contains at least one other domain, create a new domain local group. Try to add the following types of groups to the domain local group, and note which ones you can and cannot add. (Some of these objects cannot be nested into a domain local group.)

    • A domain local group from the local domain

    • A domain local group from another domain in the forest

    • Users from the local domain

    • Users from another domain in the forest

    • A global group from another domain in the forest

    • A universal group from another domain in the forest

• Configuring permissions and rights.

  • Practice 1: On a computer running Windows Server 2003, create four different local groups. Add a single test user account to all of these groups. Create a temporary folder. Configure the NTFS permissions for this folder so that each of the newly created local groups has a different level of permissions. After this is done, click the Advanced button, and then use the Effective Permissions tab to calculate the effective permissions for the test user that you added to these four groups at the start of this exercise.

  • Practice 2: On a member server running Windows Server 2003, create a non- privileged local user account with no special rights. Verify that this user can log on to the member server. Log the user off, and then log back on with Administrator credentials. Edit the local Group Policy settings for a computer running Windows Server 2003 by running gpedit.msc. In the Computer Configuration\Windows Settings\Security Settings\User Rights Assignment node of the local computer policy, remove the users group from the Allow Log on Locally policy. Log off from the administrator account and try again to log on with the newly created normal local user account.

• Installing and configuring certificate services.

  • Practice 1: Install an enterprise root certificate server on a computer in a Windows Server 2003 domain. Run the CA Microsoft Management Console (MMC) from the Administrative Tools menu, and examine the certificate templates that are available.

  • Practice 2: Install and configure an enterprise subordinate server on a computer in a Windows Server 2003 domain using the enterprise root CA as a parent. After the server is installed, open the CA MMC from the Administrative Tools menu. Right-click the enterprise subordinate CA. On the General tab, view the certificate. Examine the Certification Path tab to view the certificate hierarchy.