Saturday, September 20, 2008

Network+ 2005 Training - Domain 1.0

Network+ is a vendor-neutral networking certification. It certifies that
technicians understand the basics of networking and the OSI model, can describe
the features and functions of network components, and have the skills necessary
to install and troubleshoot networking hardware.


CompTIA has had the Network+ certification around for several years. It is
updating the certification with the 2005 objectives. This tutorial is based on
the 2005 objectives to give candidates a chance to understand the new
certification requirements.


CompTIA provides this overview of the "Domain Areas" covered by the Network+
2005 objectives:

Network+ Certification Domain Areas            % of Examination
Introduction to Networking
1.0 Media and Topologies                        20%
2.0 Protocols and Standards (COMING SOON!)      20%
3.0 Network Implementation (COMING SOON!)       25%
4.0 Network Support (COMING SOON!)              35%
Total                                          100%

This tutorial covers Domain 1.0, Media and Topologies. Future tutorials will
cover the other three domains.


Before you jump into one of the domain areas above, you may want to refresh
yourself on networking definitions and concepts in our Introduction to
Networking section. This is great for people new to networking or people who
need a refresher on key terms and concepts. This section also provides an
overview for the networking topics you will learn in this course.


In addition, Testkingdom.com has provided several free practice exams to help
you prepare for the Network+ exam.


Testkingdom.com is not affiliated with CompTIA or any
organization whose trademark appears in this tutorial. Testkingdom.com offers
free tutorials for CompTIA certifications
but is not connected to CompTIA in any shape or form. Please do not confuse us
with CompTIA. We are not a non-profit, though at times we feel like we are.


Windows Server 2003 Group Policy and Security - 70-291 (part 2)

Recommended Group Policy Settings



This is by no means a definitive list. We will make some recommendations to you
for your Group Policy settings. This could be considered a starter list. You
should review all of the Group Policy settings to see how they fit in your
business requirements.



There are three categories of group policy settings underneath two broad groups:
Computer Configuration and User Configuration. Inside those are Software
Settings, Windows Settings, and Administrative Templates.



Policies you apply within Computer Configuration apply to the whole computer
(and all of its users), while settings you apply within User Configuration apply
to the specific user.



We are offering these as recommendations. You should review all group policy
changes prior to implementation.



Computer Configuration: Windows Settings: Security Settings: Account Policies:
Password Policy



Group Policy Objects to Set: Enforce password history; maximum password age;
minimum password age, minimum password length; Password must meet complexity
requirements.



By default, these policy objects are set. In our environment, password history
is set to '6 passwords remembered'; maximum password age is set at 45 days; and
minimum password length is set to 7 characters.



There are frequent questions surrounding the minimum password age of '1 day' and
why it is important to have a minimum password age. If a user is forced to
change their password every 42 days (as in the default policy), the user could
simply change their password the required number of times to get back to their
original password. To prevent this security issue, a minimum password age is set
so the user can only change their passwords once a day.



Computer Configuration: Windows Settings: Security Settings: Account Policies:
Account Lockout Policy



There are three policy settings in this category: account lockout duration;
account lockout threshold; reset account lockout counter after. We recommend
setting the Account lockout threshold to '5 invalid login attempts.' This will
automatically set the other two settings to 30 minutes.



This setting will lock a user account for 30 minutes if there are five invalid
login attempts. This helps stop hackers from using automated password guessing
software on user accounts.



Computer Configuration: Windows Settings: Security Settings: Local Policies:
Audit Policy



There are several security items you can audit under the audit policy. To audit
in Windows means to record the actions in the local logs. We recommend you audit
the successes and failures of: account logon events, account management, logon
events, policy change, and privilege use. We recommend you audit the failures of
the rest of the items.



Computer Configuration: Windows Settings: Security Settings: Local Policies:
Security Options



We recommend you set Accounts: Rename administrator account to enabled and
rename the administrator account to something else. This will help increase
security by not giving a potential hacker the username at the start.



You should also consider setting Interactive logon: Do not display last user
name to Enabled. This will display a blank username field at every boot - the
user will be responsible for remembering their username. If someone gains
physical access to the workstation, they would need to know a username to
attempt to log in.
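The password, lockout, audit and security-option values above can be checked against an actual machine without opening the Group Policy editor: secedit can export the effective local security policy to an INF file whose [System Access], [Event Audit] and [Registry Values] sections carry exactly these settings. The following PowerShell script is an added example and not part of the original article. The INF text it parses is constructed to look like a mostly-default Windows Server 2003 export, the recommended values are the ones stated above, and the key names are the ones secedit writes; on a real server run `secedit /export /cfg policy.inf /areas SECURITYPOLICY` and pass the file contents to Test-SecurityPolicy. New-Object -Property needs PowerShell 2.0 or later.

```powershell
# Added example (not from the original article): compare an exported local
# security policy (secedit /export) against the article's recommended values.

function ConvertFrom-SeceditInf {
    param([string[]]$Lines)
    # Returns a hashtable of "Section\Key" -> value (values kept as strings)
    $table = @{}
    $section = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^(.+?)\s*=\s*(.*)$') {
            $table["$section\$($Matches[1])"] = $Matches[2].Trim()
        }
    }
    return $table
}

# Recommended values from the article: history 6, max age 45, min age 1,
# length 7, complexity on, lockout after 5 bad logons for 30 minutes,
# success+failure auditing for the listed categories, last user name hidden.
# Audit values in secedit INF files: 0 none, 1 success, 2 failure, 3 both.
$Recommended = @(
    @{ Key = 'System Access\PasswordHistorySize';   Test = { param($v) [int]$v -ge 6 };  Why = 'password history >= 6' },
    @{ Key = 'System Access\MaximumPasswordAge';    Test = { param($v) [int]$v -ge 1 -and [int]$v -le 45 }; Why = 'max age 1..45 days' },
    @{ Key = 'System Access\MinimumPasswordAge';    Test = { param($v) [int]$v -ge 1 };  Why = 'min age >= 1 day' },
    @{ Key = 'System Access\MinimumPasswordLength'; Test = { param($v) [int]$v -ge 7 };  Why = 'length >= 7' },
    @{ Key = 'System Access\PasswordComplexity';    Test = { param($v) [int]$v -eq 1 };  Why = 'complexity enabled' },
    @{ Key = 'System Access\LockoutBadCount';       Test = { param($v) [int]$v -ge 1 -and [int]$v -le 5 }; Why = 'lockout after <= 5 attempts' },
    @{ Key = 'System Access\LockoutDuration';       Test = { param($v) [int]$v -ge 30 }; Why = 'lockout >= 30 min' },
    @{ Key = 'Event Audit\AuditAccountLogon';       Test = { param($v) [int]$v -eq 3 };  Why = 'success+failure' },
    @{ Key = 'Event Audit\AuditAccountManage';      Test = { param($v) [int]$v -eq 3 };  Why = 'success+failure' },
    @{ Key = 'Event Audit\AuditLogonEvents';        Test = { param($v) [int]$v -eq 3 };  Why = 'success+failure' },
    @{ Key = 'Event Audit\AuditPolicyChange';       Test = { param($v) [int]$v -eq 3 };  Why = 'success+failure' },
    @{ Key = 'Event Audit\AuditPrivilegeUse';       Test = { param($v) [int]$v -eq 3 };  Why = 'success+failure' },
    @{ Key = 'Registry Values\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName';
       Test = { param($v) $v -eq '4,1' }; Why = 'do not display last user name (REG_DWORD 1)' }
)

function Test-SecurityPolicy {
    param([string[]]$InfLines)
    $policy = ConvertFrom-SeceditInf -Lines $InfLines
    foreach ($rule in $Recommended) {
        $value = $policy[$rule.Key]
        $ok = $false
        # a setting that is absent from the export is reported as failing
        if ($value -ne $null) { $ok = & $rule.Test $value }
        New-Object PSObject -Property @{
            Setting = $rule.Key.Split('\')[-1]
            Current = $value
            Pass    = [bool]$ok
            Expect  = $rule.Why
        }
    }
}

# Constructed sample: a mostly-default Windows Server 2003 export
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Event Audit]
AuditAccountLogon = 1
AuditAccountManage = 3
AuditLogonEvents = 3
AuditPolicyChange = 0
AuditPrivilegeUse = 2
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
'@ -split "`r?`n"

Test-SecurityPolicy -InfLines $sampleInf | Format-Table Setting, Current, Pass, Expect -AutoSize
```

On the sample the minimum password age (0), lockout threshold (0, i.e. never), the missing lockout duration, the audit categories that only log one outcome, and the last-user-name setting all come back as Pass = False, which is the list an administrator would take to the Group Policy editor.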



Computer Configuration: Administrative Templates: Windows Components



The Administrative Templates section of Group Policy allows you to set policies
for the Windows operating system and its components.



Computer Configuration: Administrative Templates: Windows Components: Internet
Explorer



If you have a proxy or ISA server, you may want to set Make proxy settings
per-machine. This policy lets you configure the proxy settings once for the
machine, and every account that logs in then receives the same proxy settings.



Computer Configuration: Administrative Templates: Windows Components: Internet
Information Services



If you set Prevent IIS installation, you can prevent rogue IIS servers from
popping up on the network.



Computer Configuration: Administrative Templates: Windows Components: Windows
Messenger



We do not like the Windows Messenger (the MSN like instant messenger application
Microsoft installs by default). We enable Do not allow Windows Messenger to be
run and Do not automatically start Windows Messenger initially.



Computer Configuration: Administrative Templates: Windows Components: Windows
Update



If you are using SUS or want the machines to perform automatic updates, you can
configure those options in this section.



User Configuration: Windows Settings: Internet Explorer Maintenance



There are several configuration options for Internet Explorer. If you want to
force users to have the same homepage or options, you can configure these
options.



There are hundreds of policy settings you could potentially apply. We recommend
caution and to only apply policies that are absolutely necessary - leaving the
rest as "Not Configured." This will make your user community much happier.


The Microsoft 70-291 exam and study
guide are designed to complete your knowledge. I recommend logging on to
www.testkingdom.com to get the complete
study solution for professionals and students who are seeking to take their
career to a new level.

Windows Server 2003 Group Policy and Security - 70-291


Implementing Group Policy



In this article, you will learn:



* What Group Policy is

* Recommended Group Policy settings

* Implementing Group Policy objects



Group Policy was probably the most significant change for Microsoft with the
release of Windows 2000 Server. Group Policy allows you to define settings and
configurations to machines and groups of users. An administrator can use Group
Policy to set policies at a site, domain, or organizational unit. Group Policy
is supported in Windows 2000 Professional and newer operating systems.



Group Policy was designed to allow you to easily control the settings and
configuration of a lot of machines, reducing your total cost of ownership. It is
a very powerful part of the Active Directory, and if implemented correctly, can
save you money. If it is not implemented correctly, it can cost your
organization time and resources - fixing what can be huge mistakes!



Group Policy allows you to define user related policies, as well as network
settings, security settings, and machine policies. In addition, you can use
Group Policy to manage settings on your servers.



Group Policy was improved with the release of Windows Server 2003. There were
hundreds of new policies added, as well as a new Group Policy Management
Console. We will assume you have this installed throughout this tutorial. If you
do not currently have it, please visit
http://www.microsoft.com/windowsserver2003/gpmc/ to download GPMC.



Group Policy is different from policies used in Windows NT 4 domains. Group
Policy is much more powerful, allows for more flexibility, and is easier to
administer.



Implementing Group Policy is not a simple task so you should plan your
implementation very carefully. If you turn on the wrong policy, you can
mistakenly prevent your users from accessing the network (we know one small
business administrator who did this) or prevent an entire business unit from
opening Microsoft Outlook (we know one large enterprise administrator who did
this). Group Policy is very powerful and should be configured with a great level
of planning and discussion.



If you plan on using Group Policy settings (which you should to make your
workstation administration easier), we recommend reviewing all of the Group
Policy settings as a team with your network administrators, help desk, and PC
support groups. This is a long process and can drag out, but we will highlight
some of the Group Policy settings you may want to make and the reason we suggest
them.



For the Microsoft 70-291 exam and study
guide, log on to www.testkingdom.com
to get the complete study solution for professionals and students who are
seeking to take their career to a new level.

Thursday, September 18, 2008

Outlook 2007 Certificate Error?

When importing a new certificate into Exchange 2007, you might encounter a
certificate error in Outlook 2007. I have included a screenshot of the error I
encountered today:



When you choose the View Certificate button, it brings up another window that
shows you what certificate is in error. In this case, the certificate name is “mail.shudnow.net.”



So the million dollar question? Why the error?

Well, when we install a new certificate, there are a few tasks we want to do.
Obviously, we install the certificate for a purpose. This purpose is to allow
us to use Exchange services securely. So how do we enable Exchange to use these
services? If you are planning a very simple configuration and do not care
about external Autodiscover access, you do not need to use a Unified
Communications Certificate. You can read more about these certificates in one of
my other articles here.



So let’s say we have a simple regular common certificate: a certificate with a
Common Name (CN) of mail.shudnow.net. We install this certificate onto our
Exchange box with its private key. In our case we were migrating, so we did not
have to request a certificate via IIS. We just exported it with its private key
and imported it onto the new box. We then assigned this certificate to IIS. Next I
went to the Exchange Management Shell and enabled Exchange services to use this
certificate. To do this, you run the following commands:



Get-ExchangeCertificate

Thumbprint                                 Services  Subject
----------                                 --------  -------
BCF9F2C3D245E2588AB5895C37D8D914503D162E9  SIP.W     CN=mail.shudnow.net.com



What I did was go ahead and enable all new services to use every available
service by using the following command:



Enable-ExchangeCertificate -Services "IMAP, POP, UM, IIS, SMTP" -Thumbprint BCF9F2C3D245E2588AB5895C37D8D914503D162E9



The next step would be to ensure the AutodiscoverInternalURI is pointed to the
CAS that will be your primary CAS for Autodiscover servicing.



Get-ClientAccessServer -Identity CASServer | FL



AutoDiscoverServiceInternalUri : https://casnetbiosname/Autodiscover/Autodiscover.xml



See the issue here? We are not using a UC certificate that contains the names
“casnetbiosname, casnetbiosname.shudnow.net, mail.shudnow.net, and
autodiscover.shudnow.net”. Since the Autodiscover directory in IIS will be
requiring SSL encryption, the URL specified in the AutoDiscoverServiceInternalURI
must match what is specified in your certificate. You must also ensure there is
a DNS record that allows mail.shudnow.net to resolve to your CAS. We should
re-configure the AutoDiscoverServiceInternalURI by using the following command:



Set-ClientAccessServer -Identity CASServer -AutoDiscoverServiceInternalUri
https://mail.shudnow.net/Autodiscover/Autodiscover.xml



We now need to go configure all the InternalURLs for each web distributed
service. If you are going to be utilizing the Autodiscover service from the
outside or for non-domain joined clients, you may want to configure an -ExternalURL
in addition to your -InternalURL.



Here is the reason why we were receiving the certificate errors. Your
InternalURLs most likely are not using mail.shudnow.net. Your InternalURLs are
most likely pointed to something such as https://casnetbiosname/ServiceURL which
will fail since this is not the CN of your simple certificate.



You can run the following commands to fix your internalURLs so your Outlook 2007
client can successfully take advantage of your web distribution services.



Set-WebServicesVirtualDirectory -Identity "CASServer\EWS (Default Web Site)" -InternalURL https://mail.shudnow.net/EWS/Exchange.asmx -BasicAuthentication:$true



Set-OABVirtualDirectory -Identity "CASServer\OAB (Default Web Site)" -InternalURL https://mail.shudnow.net/OAB



Note: You must ensure that you enable SSL on the OAB directory in IIS which is
not on by default. The same goes for Basic Authentication on the OAB directory.
The above command will only enable SSL, but will not ensure 128-bit SSL is
required.



Enable-OutlookAnywhere -Server CASServer -ExternalHostname "mail.shudnow.net" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False



Note: The above Enable-OutlookAnywhere command works on RTM. For SP1, substitute
-ExternalAuthenticationMethod with -ClientAuthenticationMethod.



Set-ActiveSyncVirtualDirectory -Identity "CASServer\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL https://mail.shudnow.net/Microsoft-Server-Activesync



Set-UMVirtualDirectory -Identity "CASServer\UnifiedMessaging (Default Web Site)" -InternalURL https://mail.shudnow.net/UnifiedMessaging/Service.asmx -BasicAuthentication:$true
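The root cause in this post is a plain host-name mismatch: every URL Outlook is handed over HTTPS must name a host that appears on the certificate IIS presents. The PowerShell script below is an added example, not code from the original post, that makes that check explicit: it takes the names on the certificate (CN plus any SANs) and a set of configured URLs and reports which ones the certificate does not cover, and which are not HTTPS at all. The host names and URLs in the sample are constructed. The commented live-use section assumes the Exchange 2007 cmdlets and properties named there (Get-ExchangeCertificate with CertificateDomains, Get-ClientAccessServer, Get-WebServicesVirtualDirectory and Get-OABVirtualDirectory with -Server), and New-Object -Property needs PowerShell 2.0 or later.

```powershell
# Added example (not from the original post): flag client-access URLs whose host
# name is not covered by the certificate that IIS presents.

function Test-HostCoveredByCert {
    param(
        [string]$HostName,       # host part of a configured URL
        [string[]]$CertNames     # CN plus any Subject Alternative Names
    )
    $h = $HostName.ToLower()
    foreach ($name in $CertNames) {
        $n = $name.ToLower()
        if ($n -eq $h) { return $true }
        # a wildcard entry (*.example.com) covers exactly one extra label
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".example.com"
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label -ne '' -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Get-UrlCertificateMismatch {
    param(
        [hashtable]$Urls,        # label -> URL string ($null when not configured)
        [string[]]$CertNames
    )
    foreach ($label in $Urls.Keys) {
        $url = $Urls[$label]
        if ([string]::IsNullOrEmpty($url)) { continue }   # not configured: nothing to check
        $uri = [System.Uri]$url
        New-Object PSObject -Property @{
            Setting = $label
            Url     = $url
            Host    = $uri.Host
            Https   = ($uri.Scheme -eq 'https')
            Covered = (Test-HostCoveredByCert -HostName $uri.Host -CertNames $CertNames)
        }
    }
}

# --- constructed sample: a simple (non-UC) certificate carrying only a CN ---
$sampleCertNames = @('mail.example.com')
$sampleUrls = @{
    'AutoDiscoverServiceInternalUri' = 'https://casnetbiosname/Autodiscover/Autodiscover.xml'
    'EWS InternalUrl'                = 'https://mail.example.com/EWS/Exchange.asmx'
    'OAB InternalUrl'                = 'http://casnetbiosname/OAB'
    'ActiveSync ExternalUrl'         = 'https://mail.example.com/Microsoft-Server-ActiveSync'
    'UM InternalUrl'                 = $null
}
Get-UrlCertificateMismatch -Urls $sampleUrls -CertNames $sampleCertNames |
    Format-Table Setting, Host, Https, Covered -AutoSize

# --- live use in the Exchange Management Shell (assumed cmdlet and property names) ---
# $cert  = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
# $names = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
# $live  = @{
#     'AutoDiscoverServiceInternalUri' = (Get-ClientAccessServer -Identity CASServer).AutoDiscoverServiceInternalUri.ToString()
#     'EWS InternalUrl' = (Get-WebServicesVirtualDirectory -Server CASServer | Select-Object -First 1).InternalUrl.ToString()
#     'OAB InternalUrl' = (Get-OABVirtualDirectory -Server CASServer | Select-Object -First 1).InternalUrl.ToString()
# }
# Get-UrlCertificateMismatch -Urls $live -CertNames $names | Where-Object { -not $_.Covered -or -not $_.Https }
```

On the sample, the Autodiscover URI and the OAB URL both come back with Covered = False because they name the NetBIOS host rather than the certificate CN, and the OAB URL is also flagged as plain HTTP; those are exactly the entries the Set-* commands above rewrite.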



Microsoft offers a wide range of
MCP certifications that cover the
spectrum of professions within the IT industry. You decide which certification
is appropriate and most benefits your career choices. There are lots of solution
provider sites, but I recommend
www.testkingdom.com;
they have a new generation of exam preparation tools
and material. Click here to find out more.

Exchange 2007 SP1 and Server 2008 information

I wanted to share some of my findings with running Exchange 2007 SP1 on Server
2008. I’ve noticed and heard of several issues and pieces of information that I
believe people should be cognizant of.



Here are the issues and general information I have heard of and experienced so
far that seem valuable to share. If you disagree with anything I am
sharing, have found it works in a different way for you, and/or want to include
your findings and any tidbits of information you may have, please feel free to
comment.



* Hub Transport Server Role fails when IPv6 is disabled on that server

o If IPv6 is disabled prior to the installation of Exchange Server 2007, when
installing the Hub Transport Server role, your Hub Transport Server role will
fail to install

o If IPv6 is disabled after the installation of Exchange Server 2007, you may
experience some Exchange services failing to start



* Outlook Anywhere is broken under certain conditions

o Outlook Anywhere is not working for Outlook 2007 with IPv6 enabled. (More
information can be found on the Microsoft site. I’m not sure if this also
happens with previous versions of Outlook. The first link refers to Outlook 2007
while the second link refers to Outlook. I would figure this would apply to all
Outlook versions since the RPC over HTTP proxy is not Outlook-version specific. I
can’t think of anything that would cause this to fail via Outlook 2007 and not
previous versions of Outlook. But from what I’ve heard, this is definitely
happening with Outlook 2007. More information below.)

o The bug is that IPv6 is not listening on loopback port 6004 (RPC/HTTP Proxy
Service). This causes Outlook Anywhere to fail with Outlook 2007. Not sure if
this happens with previous versions of Outlook. The reason is that Server 2008
prefers communication over IPv6 rather than IPv4. Since IPv6 is not listening on
port 6004, Outlook Anywhere will fail.



TCP    0.0.0.0:6001    0.0.0.0:0    LISTENING
TCP    0.0.0.0:6002    0.0.0.0:0    LISTENING
TCP    0.0.0.0:6004    0.0.0.0:0    LISTENING
TCP    [::]:6001       [::]:0       LISTENING
TCP    [::]:6002       [::]:0       LISTENING

o People have been disabling IPv6 within the registry to ensure that IPv6 is not
active at all, so Outlook Anywhere will use IPv4, which is listening on port
6004. The problem with disabling IPv6 is that if the CAS is also on the HTS, HTS
will fail. So in this case, there are several options. The first is to deal with
the bug. The second is to separate the CAS and the HTS so you can disable IPv6
on the CAS and leave IPv6 on the HTS on. The third option is presented in the
second URL above, which includes making some modifications to your hosts file.

o Microsoft has stated this has been added to the QFE list for SP2
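The netstat listing above is the whole diagnosis: ports 6001 and 6002 are bound on both 0.0.0.0 and [::], while 6004 is bound only on IPv4. The following PowerShell function is an added example, not from the original post; it parses netstat -an output and flags any RPC/HTTP proxy port that listens on IPv4 but not on IPv6, which on a Server 2008 CAS (IPv6 preferred) is the failure mode described. The sample lines are constructed from the listing in the post; the port list and the AtRisk rule are assumptions of this example, and New-Object -Property needs PowerShell 2.0 or later.

```powershell
# Added example (not from the original post): report, for the RPC-over-HTTP proxy
# ports, whether each one is listening on IPv4 and on IPv6.

function Get-RpcProxyListeners {
    param(
        [string[]]$NetstatLines,
        [int[]]$Ports = @(6001, 6002, 6004)   # RPC/HTTP proxy ports used by Outlook Anywhere (assumed list)
    )
    $seen = @{}
    foreach ($line in $NetstatLines) {
        # Matches "TCP  0.0.0.0:6004  0.0.0.0:0  LISTENING" and "TCP  [::]:6001  [::]:0  LISTENING"
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING') {
            $addr = $Matches[1]
            $port = [int]$Matches[2]
            $family = 'IPv4'
            if ($addr.StartsWith('[')) { $family = 'IPv6' }   # bracketed address = IPv6 socket
            $seen["$port/$family"] = $true
        }
    }
    foreach ($p in $Ports) {
        $v4 = [bool]$seen["$p/IPv4"]
        $v6 = [bool]$seen["$p/IPv6"]
        New-Object PSObject -Property @{
            Port   = $p
            IPv4   = $v4
            IPv6   = $v6
            # Server 2008 prefers IPv6, so a port bound only on IPv4 is the failing case
            AtRisk = ($v4 -and -not $v6)
        }
    }
}

# Constructed sample, shaped like the listing in the post
$sampleNetstat = @(
    'TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING',
    'TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING',
    'TCP    0.0.0.0:6004           0.0.0.0:0              LISTENING',
    'TCP    [::]:6001              [::]:0                 LISTENING',
    'TCP    [::]:6002              [::]:0                 LISTENING'
)
Get-RpcProxyListeners -NetstatLines $sampleNetstat | Format-Table Port, IPv4, IPv6, AtRisk -AutoSize

# Live check on a CAS:
# Get-RpcProxyListeners -NetstatLines (netstat -an)
```

On the sample, 6001 and 6002 report IPv4 and IPv6 both True, and 6004 reports IPv6 False with AtRisk True.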



* NTLM seems to be very buggy with Outlook Anywhere. There are lots of reports
of Outlook Anywhere NTLM Authentication not being functional when using Server
2008. More information can be found from the following URL: http://blog.aaronmarks.com/?p=65.



* There is an HP Document (http://h71028.www7.hp.com/ERC/downloads/4AA1-5675ENW.pdf)
which goes over some testing with varying network latencies using CCR over an
OC3 link with a network latency simulator. I wanted to give an overall summary
of their findings.

o 20 ms latency – All the log files were shipped over properly and all CCR
databases auto-mounted properly

o 30-40 ms latency – Some manual mounting will be required to mount all your
databases as the latency will prevent all logs to be shipped over fast enough
for automatic mounting

o 50+ ms latency – Log shipping mechanism was out of control



* Regarding SCR and network latency: SCR is a manual failover
mechanism. Because of this, CCR is a lot more dependent on network latency due
to its automatic failover mechanism. Microsoft does provide recommendations on
how to tune SCR for latency on the Exchange TechNet Library, which can be found
here. The problem is that the article is geared toward Server 2003 networking. As
for real-world SCR scenarios, I have been told that a mailbox server that
contains ~6,000 mailboxes has been successfully failed over to an SCR target
across the world over a 200 ms link.



Update 1: There has been an update in regards to NTLM Authentication issues from
the Microsoft Exchange Team Blog here.



Sid quoted the following:



As promised, here’s an update on the reprompting issue that many of you have
encountered.



The gist of the issue is that IIS7 uses kernel mode windows authentication by
default. Turning this off will fix reprompting. I will post a detailed update
once I dig through some more and talk to the IIS PD, but for now I wanted to
provide this update so you can give

it a shot and let me know if (no, “that”) it works for you.



Here’s the command that needs to be run on the CAS boxes ->



%Windows%\inetsrv\appcmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false



Update 2: From the same blog article in Update 1 here, you will find updated
guidance on disabling IPv6 depending on what roles you have on your server.



Microsoft Offers certifications like MCP
The Microsoft Certified Professional (MCP)
credential is for professionals who have the skills to successfully implement a
Microsoft product or technology as part of a business solution in an
organization.

 

Public IM Connectivity and Multiple SIP Domains

The main point of this article was to clear up some confusion as to how
connectivity to a PIC provider works with multiple SIP domains as PIC providers
ignore Subject Alternative Name (SAN) names in a certificate. So if we have
multiple SIP domains, how exactly do we achieve PIC federation with multiple SIP
domains? Well, read on and I’ll tell you!



Public IM Connectivity takes advantage of federation to allow users to talk with
Yahoo, MSN, and AOL. Allowing your users to communicate with these providers is
not all or nothing. You can choose to allow users to communicate with one PIC
provider, two PIC providers, or all three.



If you take a look at the OCS documentation, it clearly states that for
Federation, you need a DNS record of _sipfederationtls._tcp.<domain>, over port
5061. <domain> will be your SIP domain. When you install an Access Edge, you
specify an External Access Edge FQDN. So let’s say our main SIP Domain is
exchange.shudnow.net. We may specify our External Access Edge FQDN as
sip.exchange.shudnow.net. So our Federation DNS record will be _sipfederationtls._tcp.shudnow.net
pointing to sip.exchange.shudnow.net. This is possible because both
namespaces match up. You cannot have an SRV record point to an A record that
belongs to a different namespace.



So, what do we do for all our other SIP domains? Well, when we install the Edge,
we will specify that we have multiple SIP domains, and those SIP domains get
added to the Subject Alternative Name (SAN) of the certificate. This allows us
to create different Federation DNS entries and point them to an A record that
matches the FQDN specified in one of the SAN entries of the certificate assigned
to the Access Edge role.



But as stated earlier, PIC providers ignore SAN names. So how do we allow
federation to multiple SIP domains? These SRV records are only used for
open/enhanced federation where we want to allow domains to automatically
federate with our OCS organization. PIC does not use open/enhanced federation.
It uses something called Direct Federation which is where you specify what SIP
domains belong to a specific Access Edge FQDN.



So let’s say in my organization, I have the following SIP domains:



* exchange.shudnow.net

* sales.shudnow.net

* marketing.shudnow.net



When setting up PIC on Microsoft’s Licensing Website, you specify that for
each of these SIP domains the PIC provider should use the Common Name of
the External Access Edge FQDN. This may be sip.exchange.shudnow.net. So instead
of PIC accessing the SRV records for each domain (which wouldn’t work unless PIC
stops ignoring SANs), each time it needs to communicate with a specific
domain it will always use the Common Name of the External Access Edge FQDN.
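To make the two federation paths concrete, the following PowerShell script is an added example and not part of the original article. For each SIP domain it reads the _sipfederationtls._tcp SRV answer (from constructed nslookup -type=SRV output here; the commented line shows the live lookup), checks that the target host is named on the Access Edge certificate and uses port 5061 (the condition for open/enhanced federation), and reports the Common Name separately as the only name PIC will ever contact. All domains, host names and DNS answers are made up, the parsing assumes the "svr hostname" / "port" layout that Windows nslookup prints for SRV records, and New-Object -Property needs PowerShell 2.0 or later.

```powershell
# Added example (not from the original article): show, per SIP domain, whether the
# SRV record supports open/enhanced federation and which name PIC will use instead.

function ConvertFrom-NslookupSrv {
    param([string[]]$Lines)     # text printed by: nslookup -type=SRV <record>
    $port = $null
    $target = $null
    foreach ($line in $Lines) {
        if ($line -match 'port\s*=\s*(\d+)')         { $port = [int]$Matches[1] }
        if ($line -match 'svr hostname\s*=\s*(\S+)')  { $target = $Matches[1].TrimEnd('.').ToLower() }
    }
    if ($target) { return @{ Target = $target; Port = $port } }
    return $null                 # NXDOMAIN or any answer without an SRV block
}

function Get-FederationRoute {
    param(
        [string[]]$SipDomains,
        [string]$EdgeCn,             # Common Name of the Access Edge certificate
        [string[]]$EdgeSans,         # Subject Alternative Names on that certificate
        [scriptblock]$Lookup         # record name -> nslookup output lines
    )
    $certNames = @($EdgeCn.ToLower()) + @($EdgeSans | ForEach-Object { $_.ToLower() })
    foreach ($domain in $SipDomains) {
        $record = "_sipfederationtls._tcp.$domain"
        $srv = ConvertFrom-NslookupSrv -Lines (& $Lookup $record)
        $open = $false
        $target = '(no SRV)'
        if ($srv) {
            $target = $srv.Target
            # the SRV target must be an FQDN present on the certificate, on TLS port 5061
            $open = ($certNames -contains $srv.Target) -and ($srv.Port -eq 5061)
        }
        New-Object PSObject -Property @{
            SipDomain      = $domain
            SrvTarget      = $target
            OpenFederation = $open
            PicHost        = $EdgeCn      # PIC direct federation: CN only, SANs ignored
        }
    }
}

# Constructed nslookup answers: two domains publish SRV records, one does not
$sampleAnswers = @{
    '_sipfederationtls._tcp.exchange.example.net' = @(
        '_sipfederationtls._tcp.exchange.example.net   SRV service location:',
        '          priority       = 0',
        '          weight         = 0',
        '          port           = 5061',
        '          svr hostname   = sip.exchange.example.net')
    '_sipfederationtls._tcp.sales.example.net' = @(
        '_sipfederationtls._tcp.sales.example.net   SRV service location:',
        '          priority       = 0',
        '          weight         = 0',
        '          port           = 5061',
        '          svr hostname   = sip.sales.example.net')
    '_sipfederationtls._tcp.marketing.example.net' = @(
        "*** dns.example.net can't find _sipfederationtls._tcp.marketing.example.net: Non-existent domain")
}
$offline = { param($record) $sampleAnswers[$record] }

Get-FederationRoute -SipDomains @('exchange.example.net', 'sales.example.net', 'marketing.example.net') `
    -EdgeCn 'sip.exchange.example.net' -EdgeSans @('sip.sales.example.net', 'sip.marketing.example.net') `
    -Lookup $offline | Format-Table SipDomain, SrvTarget, OpenFederation, PicHost -AutoSize

# Live lookup against the real resolver:
# -Lookup { param($record) nslookup -type=SRV $record 2>&1 | ForEach-Object { "$_" } }
```

On the sample, exchange and sales get OpenFederation = True because their SRV targets appear on the certificate (one as the CN, one as a SAN), marketing gets False because it publishes no SRV record, and all three show the same PicHost, which is the point of the article: PIC's direct federation is configured per domain against the CN and never consults the SRV records.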



Because of this, your SRV records are not needed unless you plan on doing
Open/Enhanced Federation. You can read more about Federation, and about
MCITP
70-238 Deploying Messaging Solutions
with Microsoft Exchange Server 2007, in the
Server Deployment Guide here.

Saturday, July 19, 2008

Preparation Guide for Exam 70-292

Managing and Maintaining a Windows Server 2003 Environment for an MCSA Certified on Windows 2000
Updated: May 13, 2008

Audience profile

The Microsoft Certified Systems Administrator (MCSA) on Windows Server 2003 upgrade exam is available only to candidates who are currently certified as an MCSA or an MCSE on Microsoft Windows 2000 Server. The MCSA on Windows Server 2003 credential is intended for IT professionals who work in the typically complex computing environment of medium-sized to large companies. Candidates should have experience administering client and network operating systems in environments that have the following characteristics:


250 to 5,000 or more users


Three or more physical locations


Three or more domain controllers


Network services and resources such as messaging, database, file and print, proxy server, firewall, Internet, intranet, remote access, and client computer management


Connectivity requirements such as connecting branch offices and individual users in remote locations to the corporate network and connecting corporate networks to the Internet

Credit toward certification

When you pass the Managing and Maintaining a Windows Server 2003 Environment for an MCSA Certified on Windows 2000 exam, you do not achieve Microsoft Certified Professional (MCP) status. This exam is intended for people who are already certified as an MCSA on Windows 2000. You will earn credit toward the following certifications:


Core credit toward Microsoft Certified Systems Administrator (MCSA) on Windows Server 2003 certification


Core credit toward Microsoft Certified Systems Engineer (MCSE) on Windows Server 2003 certification

Preparation tools and resources

In addition to your hands-on experience working with the product, we recommend that you use the following tools and training to help you prepare for this exam.
Classroom training for this exam


Workshop 2209: Updating Systems Administrator Skills from Microsoft Windows 2000 to Windows Server 2003.
Microsoft Press self-paced training products


MCSA/MCSE Self-Paced Training Kit (Exams 70-292 and 70-296): Upgrading Your Certification to Microsoft Windows Server 2003
Microsoft certified practice tests


Visit the Testkingdom.com Web site to take a practice test.


Self Test Software: Visit the Self Test Software Web site to take a practice test.
Microsoft online resources


TechNet: Designed for IT professionals, this site includes how-to instructions, best practices, downloads, technical chats, and much more.


MSDN: The Microsoft Developer Network (MSDN) is a reference for developers, featuring code samples, technical articles, newsgroups, chats, and more.


Training and certification newsgroups: A newsgroup exists for every Microsoft certification. By participating in the ongoing dialogue, you take advantage of a unique opportunity to exchange ideas with and ask questions of others, including more than 750 Microsoft Most Valuable Professionals (MVPs) worldwide.

Skills measured

This exam measures your ability to manage and maintain a Windows Server 2003 environment. Before taking the exam, you should be proficient in the job skills listed in the following matrix. The matrix shows which Official Microsoft Learning Products may help you reach competency in the skills being tested in the exam.
KEY (the matrix marks each skill with one of three coverage levels):
* The course provides a general introductory overview of this task. You will need to supplement the course with additional work.
* The course includes some material to prepare you for this task. You will need to supplement the course with additional work.
* The course includes material to prepare you for this task.

Skills measured by Exam 70-292 (mapped against Workshop 2209)
Managing Users, Computers, and Groups

Create and manage groups


Identify and modify the scope of a group


Find domain groups in which a user is a member


Manage group membership


Create and modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in


Create and modify groups by using automation


Create and manage user accounts


Create and modify user accounts by using the Active Directory Users and Computers MMC snap-in


Create and modify user accounts by using automation


Import user accounts


Troubleshoot user authentication issues


Managing and Maintaining Access to Resources

Troubleshoot Terminal Services


Diagnose and resolve issues related to Terminal Services security


Diagnose and resolve issues related to client access to Terminal Services


Managing and Maintaining a Server Environment

Manage software update infrastructure


Manage servers remotely


Manage a server by using Remote Assistance


Manage a server by using Terminal Services remote administration mode


Manage a server by using available support tools


Manage a Web server


Manage Internet Information Services (IIS)


Manage security for IIS


Managing and Implementing Disaster Recovery

Perform system recovery for a server


Implement Automated System Recovery (ASR)


Restore data from shadow copy volumes


Back up files and System State data to media


Configure security for backup operations


Implementing, Managing, and Maintaining Name Resolution

Install and configure the DNS Server service


Configure DNS server options


Configure DNS zone options


Configure DNS forwarding


Manage DNS


Manage DNS zone settings


Manage DNS record settings


Manage DNS server options


Implementing, Managing, and Maintaining Network Security

Implement secure network administration procedures


Implement security baseline settings and audit security settings by using security templates


Implement the principle of least privilege


Install and configure software update infrastructure


Install and configure software update services


Install and configure automatic client update settings


Configure software updates on earlier operating systems