So far in this series, we have taken you
through Microsoft's NT Workstation 4.0 exam (no. 70-073), NT Server 4.0 exam (no.
70-067) and Networking Essentials exam (no. 70-058). The fourth and final core examination
for attaining MCSE accreditation is NT Server in the Enterprise (exam no. 70-088), which
we will explore in this month's and next month's issues.
General Advice
This is the second examination that tests your knowledge of NT Server, and if you include
the NT Workstation exam, it's the third exam to cover Windows NT. Although it is a
more specialised examination, covering more specific topics than the more general subjects
found in the other two exams, do expect a degree of overlap in the material covered. It
may pay to schedule your revision for this exam at the same time as or close to your
revision for the other two exams in order to maximise your revision effectiveness. When
considering the use of prep test software remember that the new, adaptive examinations
follow a slightly different format than the older examinations. You can now get prep test
software that emulates the new adaptive examination format from Transcender
(http://www.transcender.com) and others.
Exam Breakdown
The Server in the Enterprise exam has 6 sections: Planning, Installation and
Configuration, Managing Resources, Connectivity, Monitoring and Optimisation, and
Troubleshooting.
The Planning Section
What to Revise:
Planning and implementing RAID, Planning Trust Relationships, Domain Models,
Renaming a Domain, Domain Database Size.
Watch For:
1. Planning and Implementing RAID.
Be confident with both the uses of each level of RAID supported by Windows NT Server and
the practicalities of establishing RAID. Remember that Windows NT Server supports RAID
levels 1 and 5 only and that for optimum performance you are better off purchasing
third-party hardware to perform RAID, rather than using NT's software RAID solutions.
Mirroring
RAID Level 1 is mirroring. This is used to keep a full, redundant second copy of the data
on a volume on a second disk at all times. The advantage of mirroring is that in the event
of a hard disk failure, the data can be made immediately available to the users because
there is a second copy of it. The disadvantage is that it requires a lot of hard disk space
(50% of disk space is used to store fault tolerant information). To establish a mirror set
using Disk Administrator, create a normal FAT or NTFS volume. Select the created volume
and an area of free space at least as big as the created volume on a second hard disk.
From the Fault Tolerance menu select Establish Mirror.
Duplexing
Duplexing is similar to mirroring, with the difference being that the two hard disks are
attached to two different hard disk controllers, thus giving the added fault tolerance of
redundancy in the event of a hard disk controller failure. It is also considered to be
RAID level 1 and it is established through Disk Administrator in the same way as
establishing a mirror set.
Striping with Parity
RAID level 5 is a stripe set with parity information stored across multiple disks. In
this, the data is stored in 64k stripes alternately on each disk in the array along with
parity information, which can be used to rebuild the data on any one disk in the event of
a hard disk failure. Because only parity information is stored with the data and not a
full second copy of the data, RAID 5 is much more efficient in terms of storage space
needed (1/x of disk space is used to store fault tolerant information, where x is the
number of disks in the array). To establish a stripe set with parity using Disk
Administrator, first select one area of free space of equal size on at least three
physical disks (if areas of unequal size are selected, the area used on each section will
be equal to the smallest section). From the Fault Tolerance menu select Create Stripe Set
with Parity.
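An added example, not part of the original article: a small Python model of a stripe set with parity, showing how XOR parity lets any one member be rebuilt and how unequal free areas reduce usable space. The 4-byte stripe unit and the parity rotation order are assumptions made for readability, not NT's on-disk layout.

```python
from functools import reduce

STRIPE = 4  # bytes per stripe unit (constructed for readability; NT uses 64k)

def xor(blocks):
    """Byte-wise XOR of equal-length blocks."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def usable_bytes(free_areas):
    """Every member contributes only as much as the smallest selected area,
    and one member's worth (1/x of the set) is consumed by parity."""
    if len(free_areas) < 3:
        raise ValueError("a stripe set with parity needs at least three disks")
    return min(free_areas) * (len(free_areas) - 1)

def write_set(data, ndisks):
    """Lay data out in rows of ndisks-1 data units plus one parity unit,
    moving the parity unit to a different member on each row (assumed order)."""
    disks = [[] for _ in range(ndisks)]
    row_bytes = STRIPE * (ndisks - 1)
    data = data.ljust(-(-len(data) // row_bytes) * row_bytes, b"\0")
    for row, off in enumerate(range(0, len(data), row_bytes)):
        units = [data[off + i * STRIPE: off + (i + 1) * STRIPE]
                 for i in range(ndisks - 1)]
        units.insert(row % ndisks, xor(units))  # parity slot for this row
        for disk, unit in zip(disks, units):
            disk.append(unit)
    return disks

def rebuild(disks, failed):
    """Regenerate every unit of the failed member from the survivors: the XOR
    of all units in a row is zero, so the missing unit is the XOR of the rest."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor(row) for row in zip(*survivors)]

def read_set(disks, length):
    """Reassemble the data, skipping the parity unit in each row."""
    ndisks = len(disks)
    out = b""
    for row in range(len(disks[0])):
        out += b"".join(disks[i][row] for i in range(ndisks) if i != row % ndisks)
    return out[:length]
```

Only one member can be regenerated this way: with two members missing, each row has two unknown units and a single parity equation.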
Domain controllers (PDC or BDCs) cannot be demoted to become member servers and cannot be
moved between domains. Member servers cannot be promoted to become domain controllers but
can be moved between domains.
2. Planning Trust Relationships
In order to calculate what (if any) trust relationships need to be established between
your domains, calculate which domains contain user accounts (master domains) and which
domains contain resources such as workstations, file and print services and application
services (resource domains). Trust relationships must be established so that the resource
domains trust the master domains. The resource domain is trusting and the master domain is
trusted. The direction of the relationship is indicated in diagrams by an arrow with the
head pointing towards the trusted domain, i.e. the arrowhead points to the trusted.
TRUSTING DOMAIN ----> TRUSTED DOMAIN
3. Domain Models
There are four domain models:
Single
The Single domain model uses only one domain and therefore does not require any trust
relationships to be established. In this model, all user accounts and resources are placed
in the same domain and therefore both accounts and resources are centralised under a
single administrative team. The Single Domain model is suitable for smaller organisations
with centralised administration.
Single Master
The Single Master domain model comprises one master domain and one or more resource
domains. In this model, user accounts are centralised under a single administrative team,
but resources are distributed to multiple, local administrative teams. Each resource
domain is configured to trust the master domain. The Single Master domain model is
suitable for smaller organisations with centralised administration for accounts and
decentralised, local administration for resources.
Multiple Master
The Multiple Master domain model comprises multiple master domains and one or more resource
domains. In this model, user accounts are again centralised under a single administrative
team, but resources are distributed to multiple, local administrative teams. Two-way trust
relationships are established between the master domains and each resource domain is
configured to trust each of the master domains. The Multiple Master domain model is
suitable for larger organisations with centralised administration for accounts and
decentralised, local administration for resources.
Complete Trust
The Complete Trust domain model comprises multiple domains in which each domain locally
manages both its own accounts and its own resources. Both user accounts and resources are
therefore distributed to multiple local administrative teams. Two-way trust relationships
between all the domains allow for users in any domain to access resources in their own or
any other domain. The Complete Trust domain model is suitable for larger organisations
with a policy of decentralisation of both user accounts and resources.
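As an added example (not from the original article), the trust lists implied by the four models above can be generated and compared with what is actually configured. The domain names are constructed, and required_trusts and audit_trusts are hypothetical helper names.

```python
from itertools import permutations

def required_trusts(masters, resources=()):
    """Return the one-way trusts, as (trusting, trusted) pairs, for a model.
    Single: one master, no resources. Single/Multiple Master: every resource
    domain trusts every master, and the masters trust each other both ways.
    Complete Trust: pass every domain as a master."""
    trusts = set(permutations(masters, 2))
    trusts |= {(res, mas) for res in resources for mas in masters}
    return trusts

def audit_trusts(configured, masters, resources=()):
    """Compare the configured trusts with the model and classify differences."""
    needed = required_trusts(masters, resources)
    extra = configured - needed
    missing = needed - configured
    wrong_way = {t for t in extra if t[::-1] in missing}
    return {
        "missing": sorted(missing),
        "reversed": sorted(wrong_way),
        "surplus": sorted(extra - wrong_way),
    }

# Constructed sample: two master domains and three resource domains.
MASTERS = ["ACCT-EU", "ACCT-US"]
RESOURCES = ["RES-LON", "RES-NYC", "RES-PAR"]
CONFIGURED = required_trusts(MASTERS, RESOURCES) - {("RES-PAR", "ACCT-US")}
CONFIGURED |= {("ACCT-US", "RES-PAR"),   # established in the wrong direction
               ("RES-LON", "RES-NYC")}   # resource domain trusting a resource domain

if __name__ == "__main__":
    print("Single:", len(required_trusts(["CORP"])))
    print("Single Master:", len(required_trusts(["CORP"], RESOURCES)))
    print("Multiple Master:", len(required_trusts(MASTERS, RESOURCES)))
    print("Complete Trust:", len(required_trusts(MASTERS + RESOURCES)))
    for kind, pairs in audit_trusts(CONFIGURED, MASTERS, RESOURCES).items():
        print(kind, pairs)
```

A surplus or reversed trust is worth removing, because accounts from the trusted side of any trust can be granted access in the trusting domain.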
4. Renaming a Domain
Domains can be renamed by using the Change button located on the Identification tab of
Network Properties from Control Panel on each computer in the domain. To do this, start
with the PDC, then the BDCs and finish with the member servers and workstations.
5. Domain Database Size
Microsoft recommends a maximum size for the security accounts database in any one domain
of 40MB. Each user account requires 1k, each computer account requires 0.5k and each group
requires approximately 0.5k, therefore any one domain could contain a maximum of either
40,000 user accounts, 80,000 computer or group accounts or some mixture of the three.
Therefore, if you have say 30,000 accounts, 20,000 groups and 30,000 computers you will
need 55MB of registry space, so therefore a minimum of two domains will be required.
The Installation and Configuration Section
What to Revise:
Joining a Domain
Server Roles
Printing
Upgrading from previous versions of NT
Watch For:
1. Joining a Domain
When a user who is using an NT Workstation wishes to logon to and use resources in a
domain there are certain steps that need to be taken. First of all, an administrator must
create an account for the user and tell the user his/her username and password. Secondly,
an account must be created in the domain for the NT Workstation. Either the administrator
can do this using the Server Manager administrative utility or the user can do it
him/herself if they know the username and password for an administrative account. Finally
on the NT Workstation itself in Control Panel, Network, the user must select the Change
button on the Identification tab of the Network Properties dialog box. From there, the new
domain name can be entered and if necessary, the user can also choose to create the
computer account. After the computer has been restarted the user will be able to logon to
the domain successfully.
2. Server Roles
When installing Windows NT Server, you need to choose a role during the setup process. The
choices are PDC, BDC or member server. You only install one PDC and this is always the
first computer to be installed in the domain. BDCs are created for fault tolerance and
load balancing of the PDC as they carry a redundant copy of the domain database. Member
servers participate in the domain but do not carry a redundant copy of the domain
database. As there is an overhead involved in becoming a BDC, do not assign more BDCs than
are necessary to support your logon validation and authentication traffic.
A BDC can be promoted to take over the role of PDC. Promoting a BDC in this way
automatically demotes the current PDC to BDC status if it is running. If it is not running
and is re-started, a conflict message will appear in Server Manager and this is the only
time when an administrator can actively demote a PDC to BDC status.
3. Printing
Make sure you are familiar with all the options available when installing and configuring
a printer. In Microsoft's parlance, a printer is a piece of software (more commonly
called a driver) which is used to configure and control the print device's behaviour,
and a print device is the physical component that is normally called a printer. The
options that you need to be familiar with include:
Spooling
If "Start printing after first page has been spooled" is selected, the printer
will start sending the print job to the print device as soon as it can. If "Start
printing after last page has been spooled" has been selected, the printer will wait
until the entire print job is ready before submission. The latter option can be useful if
you have a mixture of very large and much smaller documents being submitted for printing.
The smaller print jobs will not have to wait in the queue whilst a large print job is
being spooled and can be printed first if they finish spooling first.
Scheduling
You can set a schedule on any given printer so that regardless of when print jobs are
submitted, the printer only sends the print jobs to the print device during the scheduled
time period. Print jobs submitted outside the scheduled time are spooled onto the hard
disk until the schedule is activated.
Prioritising
You can set a priority level from 1 to 100 on each printer. Print jobs submitted to the
print device from printers with a higher (larger) priority will be printed first.
Pooling
You can select multiple ports (including JetDirect) to be used by any one printer. The
printer will submit print jobs to whichever print device it is connected to that currently
has the shortest queue. Be sure to place all the print devices in a printer pool in the
same location because the users will have no way of knowing which print device will be
used for any one print job!
4. Upgrading from previous versions of NT
Running the setup utility as normal performs the upgrade process. The fastest way to
perform an upgrade, with the least possible downtime, is to run the setup program
from within the running existing version of NT. To do this run WINNT32.EXE from the I386,
MIPS, PPC or ALPHA folders of the setup source files. NT will automatically detect the
presence of an existing version of NT and prompt you to upgrade.
The Managing Resources Section
What to Revise:
Using Resources across Trusts
The AGLP Rule
User Profiles
System Policies
Creating Home Directories
Granting Backup Rights
Watch For:
1. Using Resources across Trusts
To access a resource in another domain, the domain that contains the account that the user
logs on with must be trusted by the domain that contains the resource. Remember, it is
where the user's account is that is important in this relationship, not where the
user is logged in.
2. The AGLP Rule
Although the rule can be broken, Microsoft's recommended approach to allowing users
access to resources is to group user Accounts into Global groups, place the global groups
into Local groups and assign Permissions to the local groups. This method gives you
maximum efficiency and flexibility, especially in a large, multiple domain
environment.
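An added example, not part of the original article, that follows the A, G, L, P chain on a server in a resource domain, applies the trust rule from "Using Resources across Trusts", and lists the places where the chain has been shortened. All domain, group and account names are constructed sample data, and the function names are hypothetical.

```python
# A: accounts, G: global groups (defined in the accounts domains).
GLOBAL_GROUPS = {r"HQ\Sales": {r"HQ\alice", r"HQ\bob"},
                 r"LAB\Testers": {r"LAB\dave"}}
# L: local groups on a server in the resource domain RES1.
LOCAL_GROUPS = {"SalesReaders": {r"HQ\Sales"},
                "LabUsers": {r"LAB\Testers"},
                "Temps": {r"HQ\carol"}}             # account placed straight into L
# P: permissions on one shared folder.
ACL = {"SalesReaders": "Read", "LabUsers": "Read",
       "Temps": "Change", r"HQ\Sales": "Change"}    # global group placed straight on P
TRUSTS = {("RES1", "HQ")}   # (trusting, trusted); LAB is assumed to be no longer trusted

def domain_of(principal):
    return principal.split("\\")[0]

def effective_permissions(user, resource_domain="RES1"):
    """Collect the permissions that reach `user`. What matters is the domain
    holding the account: if the resource domain does not trust it, the
    account cannot be validated there and nothing is granted."""
    home = domain_of(user)
    if home != resource_domain and (resource_domain, home) not in TRUSTS:
        return set()
    granted = set()
    for principal, permission in ACL.items():
        members = LOCAL_GROUPS.get(principal, {principal})
        accounts = set()
        for member in members:
            accounts |= GLOBAL_GROUPS.get(member, {member})
        if user in accounts:
            granted.add(permission)
    return granted

def aglp_violations():
    """Report ACL entries and local group members that skip a link in the chain."""
    found = []
    for principal in ACL:
        if principal not in LOCAL_GROUPS:
            found.append(f"permission assigned directly to {principal}")
    for group, members in LOCAL_GROUPS.items():
        for member in sorted(members):
            if member not in GLOBAL_GROUPS:
                found.append(f"{group} contains account {member} directly")
    return found
```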
3. User Profiles
Familiarise yourself with the different types of user profile (local, roaming and
mandatory) and how to create and manage profiles.
4. System Policies
System policies should be saved in the Netlogon share of each domain controller (BDCs and
PDC) in the domain. Revise the method of creating system policies using System Policy
Editor.
5. Creating Home Directories
To create a home directory for each user, use the Home Directory Path text box in the
Profiles section of the User Properties dialog box. To make the process easier, create a
folder to act as the parent container on an NTFS volume and share it with FULL permission
for Domain Users. Next, set the Home Directory Path text box for your template user to be
. The %USERNAME% variable will be replaced with the username each time you create a new
user account based on your template account. NT automatically creates a subfolder of your
share with the same name as the username and assigns that user's account FULL
permission.
6. Granting Backup Rights
To grant a group of users the ability to back up multiple servers over the network, first
create a global group (for example GLOBAL_BACKUP) and make the relevant users members of
it. Next assign your global group membership of the Backup Operators built-in local group
on each server that requires backing up.
Richard Adams is an Executive Technical Director for
Additional Resources, an IT training company
