Wednesday, March 31, 2004

So much to study
...so little time. I've one week until 70-293 (aagh)

A few topics I need to brush up on:
* VPNs, RRAS etc. - quite weak on this...
* Auto-enrollment - Got the computers autoenrolling. But a bit more reading needed.
* Subnetting - More practice needed.
* CA - Could do with more study on this too...

Haven't much time to read up or look for new stuff online but John Saville has an excellent Windows NT 2000 / 2003 FAQ that's well worth bookmarking.

Tuesday, March 30, 2004

More Clustering
Got clustering sorted. It's NLB only more so...

A VMware Clustering Recipe

One thing is that a SCSI driver is needed:
Using the VMware SCSI Disk Driver for Windows Guest Operating Systems

Also got the secondary DNS working. I'd missed something basic - I hadn't allowed zone transfers!
Also fixed CLIENT2 with a 172.16.x.x address to check out if a user can log onto the domain while SERVER3 (FSMO) is shut down. Worked fine - strange as I don't remember making SERVER5 a Global Catalog...

Monday, March 29, 2004

No wonder I had problems with autoenrollment. Apparently I need my CA set up on Enterprise Edition (see Serverwatch)

New Servers
Three new servers added into the mix. SERVER8 has been configured as a sacrificial lamb (baa) for ASR etc. Also added SERVER9 and SERVER10 (both Enterprise Edition) which will be used for clustering.

Setting up clustering with VMWare:
Cnet Article
Rob Bastiaansen's site
Certtutor Article

Saturday, March 27, 2004

Things to Practice
Auto-enrollment. NLB, Clustering, Security Templates, Subnetting (ugh), Secondary CA, Secondary DNS (yeah right). 11pm Saturday night - I think it's time for a beer. :)

NLB
We have converged! Got NLB working with two new servers - SERVER6 and SERVER7. Used the W2K3 Enterprise Edition demo that comes with the MS Press books.

SERVER 6 - 10.0.0.11, Class A sub, DNS server: 10.0.0.1
SERVER 7 - 10.0.0.12, Class A sub, DNS server: 10.0.0.1

Installed IIS on both. Created a simple web page ("Hello World1" on SERVER6 and "Hello World2" on SERVER7...I'll explain reasoning later).

Added host records on SERVER3 (I still like to think of SERVER3 as my "PDC" - it's the role holder of all FSMO, it has AD integrated DNS zones) for SERVER6 and SERVER7. Also added a host RR named www with IP 10.0.0.100, also PTR RR for same.

Setting up the cluster: start on SERVER6 by adding a new cluster in NLB manager with an IP of 10.0.0.100
Then add SERVER7 as a host. ("Converged" is good. Red Xs are baaaad).

Then on SERVER 7: connect to existing cluster. Then add SERVER7 as a host.

Test it out by entering www.matrix.com in a browser - this is the cool bit! Either the "Hello World1" on SERVER6 *OR* the "Hello World2" on SERVER7 will display. That was the point of creating two slightly different web pages...you can tell visually if NLB is working or not.

OK, so that's NLB done. Might do some more messing around with it but next trick is to remove NLB and add a full cluster. Apparently I need a virtual SCSI disk for this.

IpSec
IPsec (is it pronounced "IP SEC" or "IP (note the pause) SEC"?) Anyway, it's working between my laptop and desktop with pre-shared keys (also limited it to just telnet!) but in matrix.com I still have issues.

Had a fun time with IPsec between DCs. Assigned the policy and tested by pinging. No luck. So I deleted the policy. Big mistake! The policy is then cached. This is where the Ipsec Monitor snap-in, a report-only tool, comes in useful. After consulting the built-in help files it turns out that the trick is to unassign the policy THEN delete it. After loads of GPUPDATE, replication, multiple reboots and tearing out still-remaining hairs I copped the answer. As I'd erroneously assigned the policy as the Default Domain Policy (oops) - Ipsec Monitor told me so - I assigned a new policy (all traffic to CLIENT2). The thing is: only ONE POLICY can be assigned at a time! So that's it: assigning a meaningless policy will get rid of a disastrous one!

This autoenrollment is a bit tricky. I thought the problem lay with adding in SERVER4 (Enterprise CA) to a Cert Publishers Group but it's already in there! I'd like to set up users with certs automatically - I can do it via a browser but that means logging in as a user... Problem is probably a permissions thing. Will investigate further.

And Finally...
Also, haven't looked at adding the secondary DNS for SERVER5 for a while....
In other news my 70-293 exam is booked for April 7th, 12 noon. Yup, it's High Noon...

Friday, March 26, 2004

DNS Woes
Still no joy setting up second DNS server. Here's the lab set-up:

I've AD-integrated DNS and have implemented Sites on two subnets. The current setup is fine but I want to add a second DNS server to the mix. Here's the setup, all 2003 Servers, single domain.

Site#1 - 10.0.0.0 with SERVER1 as DC
Site#2 - 172.16.0.0 with SERVER3 as DC

SERVER1 holds all FSMO roles, IP = 10.0.0.1
SERVER2 is configured with RRAS, two NICs with IP = 10.0.0.2 & IP = 172.16.0.1
SERVER3 is a DC (IP = 172.16.0.2)
(the default subnet masks are used)

SERVER1 points to itself for DNS and has a default gateway of 10.0.0.2
SERVER3 points to SERVER1 for DNS and has a default gateway of 10.0.0.2

Everything's fine with the above setup - GPOs processing, replication is good, no red Xs in Event Viewer etc.
When I ran DCPROMO on SERVER3 the NS and A records were automatically created in the forward lookup zone on SERVER1

Now I need SERVER3 to be able to resolve 172.16.0.0 addresses for Site #2....
...to be continued

IPSec
IPSec - it's a W2K paper but I can't find one on W2K3
More on IPSec...
Step-by-Step Guide to Internet Protocol Security (IPSec) ...recommended
Exploring Peer-to-Peer IPSec in Windows 2000
Using IPSec to Lock Down a Server...wasn't that guy in Zoolander? ;)
HOW TO: Use IPSec Monitor in Windows Server 2003

Thursday, March 25, 2004

An A+ certified buddy asked for some advice - he's starting on his MCSE 2003 path.

Here's a copy of the "So you want to be an MCSE" rules:
Rule #1 - Set up a lab and practice, practice, practice
Rule #2 - Study, study, study
Rule #3 - Forget you have a life.
Rule #4 - Goto Rule #1

For 2003 Server the Windows 2003 Server Home Page is probably one of the best places to start...

Apart from the usual www.microsoft.com and Google/Google Groups, a few more links:
Your MCSE lab
Cheapskate's Guide to Guilt-Free Practice Questions
Daniel's MCSE articles
Lots more links at: iCertify.net

Monday, March 22, 2004

Sites established for the domain (matrix.com) - next step is to add a DNS server at site #2.

Clustering
Clustering Services
Guide to Creating and Configuring a Server Cluster under Windows Server 2003

Friday, March 19, 2004

Cool! Set up RRAS on a W2K3 server (SERVER4) that sits between my FSMO (SERVER3) and child domain controller (SERVER5). Deleted the child domain by running DCPROMO, rebooted and DCPROMO-ed again to a 2nd DC in the domain. Next step is to set up sites.

Procedure: SERVER4 was configured with two static routes. Step uno was to add a 2nd NIC, set IP addy (172.16.0.1,sub "B"), no default gateway. (Already had a NIC with IP addy of 10.0.0.2, sub "A")
Run RRAS wizard - choose custom, LAN routing. Add a static route for 10.0.0.0 to route to 10.0.0.2 and second static route for 172.16.0.0 to route to 172.16.0.1.

Also set SERVER3 (single NIC, IP addy 10.0.0.1) default gateway to 10.0.0.2. Same with SERVER5 (which has IP addy 172.16.0.3): default gateway to 172.16.0.1. It was a lot easier to set up than I thought!

- Windows Server 2003 Support Center...excellent! KBs, How-tos, webcasts etc.
- Easy to understand guide on subnetting which means I won't have to rely as much on Solar Winds Subnet Calc

Monday, March 15, 2004

Good places to start:
Windows Server 2003 Technical Articles
2003 Server How-Tos

RRAS / VPN:
Securing Remote Access
Virtual Private Networking with Windows Server 2003: An Example Deployment
Step-by-Step Guide for Setting Up VPN-based Remote Access in a Test Lab
Remote access policies examples
The Cable Guy - January 2003 (PPTP)

Good detail on important concepts:
How DNS works
How TCP/IP works
What Are Domain and Forest Trusts?
How Domain and Forest Trusts Work
MS W2K3 chat archive

Reading up on NLB:
NLB Troubleshooting Overview for Windows Server 2003
NLB FAQ

Friday, March 12, 2004

Daniel Petri's MCSE World has 50 easy to read MCSE articles

Snapfiles.com has lots of cool (and free) networking toys including sniffers.

Wednesday, March 10, 2004

Passed 70-292 this morning, 9am start: no score but there were those bars indicating how strong you are in each area. Loads of DNS Qs of course - a lot of basic questions on the new features of W2K3: SUS, Shadow Volumes and IIS. Also new DNS features on W2K3 as well - stub zones and conditional forwarding.
Pretty much what is stated on the official objectives.

I thought some of the questions were pretty daft and badly worded but that's always the way.
So I'm MCSA 2003 now. Anyhoo. Onwards and upwards: next victim is 70-293.

Tuesday, March 09, 2004

Tomorrow's the day. Pass or...dare I mention the alternative!, these are useful overviews:

Dave’s Notes on Exam 70-292
Bowulf's blog on 70-292
...think I know this guy from mcseworld.com
Certcities review of 70-292
Techrepublic review of 70-292

Monday, March 08, 2004

OK, so got a child domain up and running (neo.matrix.com) next step is to delegate the DNS zone...

2000trainers.com Windows Server 2003 articles

Friday, March 05, 2004

Got DSADD working!

dsadd user "CN=Darth Maul,OU=SithOU,DC=matrix,DC=com" -samid DARTHMAUL -upn darthmaul@matrix.com -fn Darth -ln Maul -pwd StarWars1@ -mustchpwd no -memberof "CN=SithGrp,DC=matrix,DC=com"

So Darth Maul is added to the SithOU and is a member of the Sith Group in matrix.com

More linkies:
Things to do in a lab
More things to do in a lab
- from mcpmag.com

Index of Windows Server 2003 Technical Articles
- from MS

Thursday, March 04, 2004

This is my first blog (blush!) so please be gentle on me...

Passed 70-218 so now I'm MCSA! Onto the MCSA 2003 - exam 70-292. Nice to see command line making an impact in the W2K3 world:


Windows Server 2003 Command-Line Utilities
- from winetmag.com

Command Line Tools for Windows Server 2003, Overview
- from serverwatch.com