Grab a free Comcat catalogue today, covering RAS, FAX, CTI and KVM.  Catalogues that educate and help you evaluate.


MCSE Help : 70-088 - Windows NT server 4.0 in the enterprise (Part 1)
Richard Adams guides us through the first half of examination 70-088: Windows NT Server 4.0 in the Enterprise

So far in this series, we have taken you through Microsoft’s NT Workstation 4.0 exam (no. 70-073), NT Server 4.0 exam (no. 70-067) and Networking Essentials exam (no. 70-058). The fourth and final core examination for attaining MCSE accreditation is NT Server in the Enterprise (exam no. 70-088), which we will explore in this month’s and next month’s issues.

General Advice

This is the second examination that tests your knowledge of NT Server, and if you include the NT Workstation exam, it’s the third exam to cover Windows NT. Although it is a more specialised examination, covering more specific topics than the more general subjects found in the other two exams, do expect a degree of overlap in the material covered. It may pay to schedule your revision for this exam at the same time as or close to your revision for the other two exams in order to maximise your revision effectiveness. When considering the use of prep test software remember that the new, adaptive examinations follow a slightly different format than the older examinations. You can now get prep test software that emulates the new adaptive examination format from Transcender (http://www.transcender.com) and others.

Exam Breakdown

The Server in the Enterprise exam has 6 sections: Planning, Installation and Configuration, Managing Resources, Connectivity, Monitoring and Optimisation and Troubleshooting.

The Planning Section

What to Revise

Planning and implementing RAID, Planning Trust Relationships, Domain Models, Renaming a Domain, Domain Database Size.

Watch For:

1. Planning and Implementing RAID.

Be confident with both the uses of each level of RAID supported by Windows NT Server and the practicalities of establishing RAID. Remember that Windows NT Server supports RAID levels 1 and 5 only and that for optimum performance you are better off purchasing third-party hardware to perform RAID, rather than using NT’s software RAID solutions.


RAID Level 1 is mirroring. This is used to keep a full, redundant second copy of the data on a volume on a second disk at all times. The advantage of mirroring is that in the event of a hard disk failure, the data can be made immediately available to the users because there is a second copy of it. The disadvantage is that it requires a lot hard disk space (50% of disk space is used to store fault tolerant information). To establish a mirror set using Disk Administrator, create a normal FAT or NTFS volume. Select the created volume and an area of free space at least as big as the created volume on a second hard disk. From the Fault Tolerance menu select Establish Mirror.


Duplexing is similar to mirroring, with the difference being that the two hard disks are attached to two different hard disk controllers, thus giving the added fault tolerance of redundancy in the event of a hard disk controller failure. It is also considered to be RAID level 1 and it is established through Disk Administrator in the same way as establishing a mirror set.

Striping with Parity

RAID level 5 is a stripe set with parity information stored across multiple disks. In this, the data is stored in 64k stripes alternately on each disk in the array along with parity information, which can be used to rebuild the data on any one disk in the event of a hard disk failure. Because only parity information is stored with the data and not a full second copy of the data, RAID 5 is much more efficient in terms of storage space needed (1/x of disk space is used to store fault tolerant information, where x is the number of disks in the array). To establish a stripe set with parity using Disk Administrator, first select one area of free space of equal size on at least three physical disks (if areas of unequal size are selected, the area used on each section will be equal to the smallest section). From the Fault Tolerance menu select Create Stripe Set with Parity.

Domain controllers (PDC or BDCs) cannot be demoted to become member servers and cannot be moved between domains. Member servers cannot be promoted to become domain controllers but can be moved between domains.

2. Planning Trust Relationships

In order to calculate what (if any) trust relationships need to be established between your domains, calculate which domains contain user accounts (master domains) and which domains contain resources such as workstations, file and print services and application services (resource domains). Trust relationships must be established so that the resource domains trust the master domains. The resource domain is trusting and the master domain is trusted. The direction of the relationship is indicated in diagrams by an arrow with the head pointing towards the trusted domain, i.e. the arrowhead points to the trusted.


3. Domain Models

There are four domain models –


The Single domain model uses only one domain and therefore does not require any trust relationships to be established. In this model, all user accounts and resources are placed in the same domain and therefore both accounts and resources are centralised under a single administrative team. The Single Domain model is suitable for smaller organisations with centralised administration.

Single Master

The Single Master domain model comprises one master domain and one or more resource domains. In this model, user accounts are centralised under a single administrative team, but resources are distributed to multiple, local administrative teams. Each resource domain is configured to trust the master domain. The Single Master domain model is suitable for smaller organisations with centralised administration for accounts and decentralised, local administration for resources.

Multiple Master

The Multiple Master domain comprises multiple master domains and one or more resource domains. In this model, user accounts are again centralised under a single administrative team, but resources are distributed to multiple, local administrative teams. Two-way trust relationships are established between the master domains and each resource domain is configured to trust each of the master domains. The Multiple Master domain model is suitable for larger organisations with centralised administration for accounts and decentralised, local administration for resources.

Complete Trust

The Complete Trust domain model comprises multiple domains in which each domain locally manages both its own accounts and its own resources. Both user accounts and resources are therefore distributed to multiple local administrative teams. Two-way trust relationships between all the domains allow for users in any domain to access resources in their own or any other domain. The Complete Trust domain model is suitable for larger organisations with a policy of decentralisation of both user accounts and resources.

4. Renaming a Domain

Domains can be renamed by using the Change button located on the Identification tab of Network Properties from Control Panel on each computer in the domain. To do this, start with the PDC, then the BDCs and finish with the member servers and workstations.

5. Domain Database Size

Microsoft recommends a maximum size for the security accounts database in any one domain of 40MB. Each user account requires 1k, each computer account requires 0.5k and each group requires approximately 0.5k, therefore any one domain could contain a maximum of either 40,000 user accounts, 80,000 computer or group accounts or some mixture of the three. Therefore, if you have say 30,000 accounts, 20,000 groups and 30,000 computers you will need 55MB of registry space, so therefore a minimum of two domains will be required.

The Installation and Configuration Section

What to Revise:

Joining a Domain
Server Roles
Upgrading from previous versions of NT

Watch For:

1. Joining a Domain

When a user who is using an NT Workstation wishes to logon to and use resources in a domain there are certain steps that need to be taken. First of all, an administrator must create an account for the user and tell the user his/her username and password. Secondly, an account must be created in the domain for the NT Workstation. Either the administrator can do this using the Server Manager administrative utility or the user can do it him/herself if they know the username and password for an administrative account. Finally on the NT Workstation itself in Control Panel, Network, the user must select the Change button on the Identification tab of the Network Properties dialog box. From there, the new domain name can be entered and if necessary, the user can also choose to create the computer account. After the computer has been restarted the user will be able to logon to the domain successfully.

2. Server Roles

When installing Windows NT Server, you need to choose a role during the setup process. The choices are PDC, BDC or member server. You only install one PDC and this is always the first computer to be installed in the domain. BDCs are created for fault tolerance and load balancing of the PDC as they carry a redundant copy of the domain database. Member servers participate in the domain but do not carry a redundant copy of the domain database. As there is an overhead involved in becoming a BDC, do not assign more BDCs than are necessary to support your logon validation and authentication traffic.

A BDC can be promoted to take over the role of PDC. Promoting a BDC in this way automatically demotes the current PDC to BDC status if it is running. If it is not running and is re-started, a conflict message will appear in Server Manager and this is the only time when an administrator can actively demote a PDC to BDC status.

3. Printing

Make sure you are familiar with all the options available when installing and configuring a printer. In Microsoft’s parlance, a printer is a piece of software more commonly called a driver which is used to configure and control the print device’s behaviour and a print device is the physical component that is normally called a printer. The options that you need to be familiar with include…


If “Start printing after first page has been spooled” is selected, the printer will start sending the print job to the print device as soon as it can. If “Start printing after last page has been spooled” has been selected, the printer will wait until the entire print job is ready before submission. The latter option can be useful if you have a mixture of very large and much smaller documents being submitted for printing. The smaller print jobs will not have to wait in the queue whilst a large print job is being spooled and can be printed first if it finishes spooling first.


You can set a schedule on any given printer so that regardless of when print jobs are submitted, the printer only sends the print jobs to the print device during the scheduled time period. Print jobs submitted outside the scheduled time are spooled onto the hard disk until the schedule is activated.


You can set a priority level from 1 to 100 on each printer. Print jobs submitted to the print device from printers with a higher (larger) priority will be printed first.


You can select multiple ports (including JetDirect) to be used by any one printer. The printer will submit print jobs to whichever print device it is connected which currently has the shortest queue. Be sure to place all the print devices in a printer pool in the same location because the users will have no way of knowing which print device will be used for any one print job!

4. Upgrading from previous versions of NT

Running the setup utility as normal performs the upgrade process. The fastest way to perform an upgrade to involve the least downtime as possible is to run the setup program from within the running existing version of NT. To do this run WINNT32.EXE from the I386, MIPS, PPC or ALPHA folders of the setup source files. NT will automatically detect the presence of an existing version of NT and prompt you to upgrade.

The Managing Resources Section

What to Revise:

Using Resources across Trusts
The AGLP Rule
User Profiles
System Policies
Creating Home Directories
Granting Backup Rights

Watch For:

1. Using Resources across Trusts

To access a resource in another domain, the domain that contains the account that the user logs on with must be trusted by the domain that contains the resource. Remember, it is where the user’s account is that is important in this relationship, not where the user is logged in.

2. The AGLP Rule

Although the rule can be broken, Microsoft’s recommended approach to allowing users access to resources is to group user Accounts into Global groups, place the global groups into Local groups and assign Permissions to the local groups. This method gives you maximum efficiency and flexibility – especially in a large, multiple domain environment.

3. User Profiles

Familiarise yourself with the different types of user profile – local, roaming and mandatory – and how to create and manage profiles.

4. System Policies

System policies should be saved in the Netlogon share of each domain controller (BDCs and PDC) in the domain. Revise the method of creating system policies using System Policy Editor.

5. Creating Home Directories

To create a home directory for each user, use the Home Directory Path text box in the Profiles section of the User Properties dialog box. To make the process easier, create a folder to act as the parent container on an NTFS volume and share it with FULL permission for Domain Users. Next, set the Home Directory Path text box for your template user to be . The %USERNAME% variable will be replaced with the username each time you create a new user account based on your template account. NT automatically creates a subfolder of your share with the same name as the username and assigns that user’s account FULL permission.

6. Granting Backup Rights

To grant a group of users the ability to backup multiple servers over the network, first create a global group (for example GLOBAL_BACKUP) and make the relevant users members of it. Next assign your global group membership of the Backup Operators built-in local group on each server that requires backing up.

Richard Adams is an Executive Technical Director for Additional Resources, an IT training company