70-292: Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000
70-292 Exam Study Notes
Update (Sep '07): Fleshed out the IIS section, added a link to other notes and fixed a dozen links to Microsoft articles.
Update (Jun '06): Added a diagram for easy memorization of the group scope conversion and nesting restrictions. Thanks to Jason Boche for this submission!
Update (May '06): Created a local copy of the VBScript primer (thanks to Microsoft's Tim Mintner for the permission!) and changed the link.
About These Notes
While studying for the 70-292 exam, I took pages of notes. Instead of throwing them away, now that I've passed, I've decided to put them online in hopes that they'll help others legitimately pass this difficult exam. Many of the topics and minutiae ended up not being tested on (can't hurt to overstudy), so I trimmed them out. What's left are the areas that you really need to know and study further (for which I've provided dozens of links to point you in the right direction).
My hope is that this page will become one of your better study resources (after your book, of course); however, I strongly recommend reading your book first, if you haven't already. Follow that up by studying all of the notes here and studying all of the pages that I've linked to (very important). That'll go a long way in preparing you for the exam, I would imagine.
I hope that these notes prove helpful to you and good luck on the exam!
General Advice
70-292 apparently used to be an easy enough exam. Microsoft realized this and came out with a new version around Dec '04. They trimmed the number of questions from 56 to 40 and made the whole thing much more difficult. How lucky for you and me, then, that we didn't get around to it until now [frown].
70-292 can now be a nightmare, even for the experienced 2000/2003 admin. Many, many knowledgeable people who have 10+ years experience and had never failed an exam before have bitten it on 70-292. Doing a usenet search on it reads like a train wreck. If you haven't taken it before, don't under-estimate its difficulty and don't be discouraged if you fail the first time.
If you've already failed it, you are definitely not alone. Either way, here are some horror stories of 70-292. May they serve warning to the over-confident and comfort to the frustrated:
I'm not trying to scare you away. I just want you to know what you're getting into so that you can take it seriously and pass on the first try. I feel that you have a good leg-up and chance of passing if you study these notes thoroughly, as well as the website articles that I refer to.
I used the Microsoft 70-292/70-296 Training Kit (excellent book, by the way!), but realize that that, alone, is not enough to pass. I suggest getting that book, reading it cover to cover, doing all of the questions on the practice CD, studying all of my notes here and studying all of the websites that I've linked to. That will probably be enough to pass, as long as you have some good 2000/2003 experience under your belt. If you don't have access to Windows Server 2003 while you study, definitely grab a free copy of Windows Server 2003 Trial Software (fully-functional use for 180 days), as well as Microsoft Virtual PC 2004 Trial Edition (fully-functional for 45 days) if you don't have a computer to install it on.
I also used the practice exam that comes on CD with the book and Redmond's 70-292 practice exam. Both are fairly good, but be warned that, of the 163 questions on the Redmond exam, only about 120 cover material on the test. If that's worth $29 to you, though, great.
As you may or may not know, 70-292's material is taken from 70-290 and 70-291. Study materials (study guides, practice questions, etc.) for these tests can help you prepare for 70-292. I just recommend, however, that you look at them only once you know the topics to expect on the exam, since not all topics from 70-290 and 70-291 apply to 70-292.
This is an extremely difficult exam, so you may fail the first time. My main pieces of advice are:
- See if Microsoft is offering their "Second Shot" (free re-take) promotion and take advantage of it (even if you think that you'll pass. There's no reason not to, since you can use it more than once. You must sign up with Microsoft and use the special promotion code when scheduling your first sitting in order to be eligible to re-take it free (should you fail).
- Consider taking your own notes while studying. Writing things down helps the memorization process. Besides, it's possible that a topic that I know well and didn't think to include is one that you may not be so strong in.
- Print these notes out and carry them with you (along with your own notes) on the day of the exam. Go over them on breaks, in the car and, most importantly, immediately before walking into the exam room (leave them outside, of course). For the most part, I've designed them to be succint and memorizable.
- Bring a pen with you and, should you fail the exam, as soon as you leave the testing center, write down (on the back of the printout or paper that you brought with you) everything from the exam that you can remember, especially questions and answers that you weren't sure of. Spend a good 15-30 minutes. You won't recall much even a few hours later, unless you have a better memory than I do. It really, really helps if you made good use of the "Select for Review" checkboxes while taking the test, since it means that all of the questions and answers that you weren't sure of are the freshest things in your mind when you leave the testing center. Use everything that you wrote down as the basis for your re-take studying.
Finally, I know that this is getting ahead of oneself, but you should consider taking 70-296 very shortly after 70-292. What you're learning for 70-292 is 90% of what you need to know to pass 70-296. Take it within a few weeks of passing 70-292 and get it out of the way while 90% of the knowledge to pass it is still in your short-term memory.
Exam Format
Format: Multiple-choice, drag-and-drop, hotspot, etc.
Questions: 40 (no longer 56)
Time Limit: 120 minutes (+20 minutes for comments and reading the pre-exam disclaimers)
Passing score: 700
Resources
Microsoft Preparation Guide for 70-292 -- List of exam objectives.
Dave's Notes for Exam 70-292 -- Excellent notes similar to mine (in fact, his served as a model for my own). Some of the things that he covers, I chose not to cover, so as not to duplicate. Mandatory reading, IMO.
Bloated Lizard's Notes for 70-292 -- Very exhaustive run-down of just about every feature, tool and setting that could be covered on the exam.
Microsoft Windows Server 2003 Tech Center - A lot of information here, but if you read it A-Z, it'll provide a lot of answers for what you'll find on the exam.
Tom Kitta's Preparation Guide for 70-290 -- Very good dictionary of terms. As you may know, 70-292 takes its material from 70-290 and 70-291, so half of the material here is applicable to 70-292. The most applicable sections are 1.7-8, 2.12, 2.18, 3.3-4, 3.12, 3.16, 3.20-28, 4.12-13, 4.15-20, 5.11, 5.13, 5.15, 6.2, 6.5-13, 7.3-4, 7.6.
Tom Kitta's Preparation Guide for 70-291 -- Same as above. The most applicable sections are all of Part 3 and 6.2, 6.7 & 6.8.
Retail 70-292 practice exams:
- RedmondExams ($29)
- MeasureUp ($71)
- PrepLogic ($89)
- SelfTest Software ($109)
- Transcender ($199)
Forums and newsgroups that cover 70-292:
Study Notes
DNSClick to Minimize
Server Options
BIND Secondaries (enabled by default) disables "fast transfer format" and must be enabled for DNS servers running BIND 4.9.2 or earlier to perform zone transfers with 2000/2003 servers.
Netmask Ordering orders the list of IP addresses for records with multiple addresses based on how they match the address of the requesting client. For example, if the name "www" is mapped to three different addresses, the client would be directed to the one closest to his subnet.
Enable Round Robin balances server load by re-ordering the address list for each subsequent request. For example, if the name "www" is mapped to three different addresses, the first client would get the first address, the second would get the second, etc.. Netmask Ordering takes precedence if both are enabled.
Disable Recursion breaks the regular server-client interaction by forcing the client to do its own iterative queries. Enabling it disables forwarding (for obvious reasons).
Setting another DNS server as a forwarder means sending that server recursive queries, instead of the normal iterative ones.
A server configured for forwarding always checks its authoritative zones and cached data before forwarding.
Conditional forwarding is forwarding based on domain name. Microsoft intends for you to use it only to overcome design problems that traditional forwarding can't solve. One situation in which it is useful is in perimeter (DMZ) networks. Instead of allowing traditional forwarding to send queries out to the internet, only to have some come back, use conditional forwarding to send queries for the internal domain directly there.
Article: Windows Networking - DNS Conditional Forwarding in Windows Server 2003 -- Good overview of conditional forwarding.
Zone Options
Aging/Scavenging cleans up old DNS records left by devices (especially portable devices, such as laptops) that frequently change IP addresses. It needs to be enabled on both the server and the zone. Dynamic updates does not alleviate the need for aging/scavenging.
Know what the Start of Authority (SOA) defaults are for Refresh interval, Retry interval, Expires after and Minimum TTL. You may be asked to make a change to one of these values. If you don't know what the defaults are, you'll have no clue what the effect of the change will be.
To replicate DNS zones to Windows 2000, you must replicate "To All Domain Controllers in the Active Directory Domain." This is because 2000 does not support application directory partitions (used by the two other options that begin with "To All DNS Servers...").
The Notify page (accessible from the Zone Transfers tab) is for notifying secondary zones of updates. It is not used for AD-integrated zones, since they do their own polling.
Stub Zones
Stub zones provide parent zones with name server list updates from child zones and facilitate name resolution across domains (think of it kind of like a shortcut trust).
Stub zones improve name resolution and reduce zone transfers, but provide no redundancy.
Converting some of your secondary servers to stub zones is a good way to reduce zone transfer traffic, at the expense of redundancy. Microsoft is keen on you knowing this.
Stub zones are really useful for disjointed namespaces (forests with two or more top-level DNS domain names). For example, if your forest contained wingnuts.com and wingnutsarecool.com, stub zones would be perfect to keep each domain abreast of the name servers in the other.
Stub zones vs. conditional forwarding. First, they do serve the same ultimate function, but you should know the key differences:
Best reason for stub zones: they don't require maintenance. Let's say that your partner company makes a change to their DNS (ex. change of IP address), and, as is often the case, forgets to inform you about it. What happens? Well, if you're using conditional forwarding to direct requests to the partner's domain, those requests are going to start failing and you're not going to know why. If, instead, though, you are using stub zones instead of conditional forwarding, the new DNS info will be transferred automatically from the partner to you, resulting in no downtime; you wouldn't even realize that the partner made any change. That's one of the best cases of where stub zones are a better choice than conditional forwarding.
Another two reasons for stub zones: optimization and low processor utilization. Lists of forwarders take time to read and can be, consequently, processor-intensive, especially for long lists. Stub zones don't suffer from this.
So, if stub zones do what conditional forwarding does, only better, then when would you ever use conditional forwarding? It's hard to get a straight answer on this, but I think that it boils down to simplicity: forwarding is slightly easier to set up and may be more practical in some situations. That's my theory, anyways. What the experts seem to agree on, though, is that stub zones are almost always the better option and conditional forwarding should be used only when it's the most practical. I wouldn't worry much, however, since Microsoft seems to be more keen on you knowing stub zones vs. secondary zones and conditional forwarding vs. normal forwarding, rather than how the two new features stack up against each other.
Article: Windows Networking - DNS Stub Zones in Windows Server 2003 -- Good overview of stub zones. Also see his article on conditional forwarding above.
Article: RedmondMag - The Long and Short of Stub Zones -- Good coverage of how stub zones work.
Article: Microsoft Support WebCast - Microsoft Windows Server 2003 Stub Zones and Conditional Forwarding -- Good, long, personable read if stub zones and when to use them over conditional forwarding are a little confusing to you.
Primary/Secondary Zones
Secondary zones and their contents are read-only, so all zone and record modification must be done on the primary servers. Keep this in mind if a secondary zone needs a change made.
Reload From Master will copy the whole zone from the master immediately. Transfer From Master will copy only the changes once replication occurs (ie. not immediately). Reload (not for AD-integrated zones) will re-copy the zone from its local cache.
Note: Transfer From Master is for routine updating. Use Reload From Master, instead, if there's a more serious issue, such as if the zone becomes corrupt or has expired.
Note: Transfer From Master is for routine updating. Use Reload From Master, instead, if there's a more serious issue, such as if the zone becomes corrupt or has expired.
Use secondary zones for purposes of redundancy and proximity to lots of users. If there is only a handful of users in a branch office, caching-only servers, stub zones or forwarding should be used, instead.
To integrate a BIND DNS server into an AD infrastructure, configure it as a secondary DNS server.
Troubleshooting
Restarting the Net Logon service will re-register that server's SRV records with the DNS server!
If the DNS simple test fails, verify that a record named "1" (from 127.0.0.1) exists in the reverse lookup zone 0.0.127.in-addr.arpa. If the recursive test fails, check that the root hints are configured correctly and that the server can reach them.
A DNS server that hosts a zone named "." is a root server and, thus, cannot resolve names from the internet. Delete that zone to allow internet name resolution.
On a root server, delete the file cache.dns (which contains root hints) to accelerate name resolution.
If you cannot ping a computer by name, run ipconfig /registerdns on that computer or add the resource record manually.
Other
Know WINS Lookup.
Know DNS Suffixes and the easiest way to configure clients with them.
To deploy Active Directory with the least administrative effort, install your first DNS domains in Windows to facilitate creation of SRV records.
A DNS server that hosts no zones is called a caching-only server. Use when you want to minimize resolution traffic over a WAN without increasing zone transfer traffic.
DNSUpdateProxy security group - Add DHCP servers that register records on behalf of down-level clients to this group to prevent record ownership issues.
Article: Microsoft Documentation - How DNS Works -- A very comprehensive guide on DNS by Microsoft that should, certainly, be able to answer any DNS questions that you may have. Particularly, it's a must-read for those who aren't strong in DNS fundamentals, but advanced users definitely take a look, as well. There's a lot of good information in there.
Terminal ServicesClick to Minimize
For a Terminal Services connection to be established:
1) Remote Desktop must be enabled in the System properties on the server.
2) The user must be a member of the Remote Desktop Users group (Domain Local in AD if the server is a domain controller, Local if a workstation or member server).
3) A policy granting Allow Logon Through Terminal Services user right to the Remote Desktop Users group must apply to the server.
4) The user's account properties must have Allow Logon to Terminal Server enabled.
1) Remote Desktop must be enabled in the System properties on the server.
2) The user must be a member of the Remote Desktop Users group (Domain Local in AD if the server is a domain controller, Local if a workstation or member server).
3) A policy granting Allow Logon Through Terminal Services user right to the Remote Desktop Users group must apply to the server.
4) The user's account properties must have Allow Logon to Terminal Server enabled.
Terminal Services settings use the following precedence: 1) Computer GPOs 2) User GPOs 3) RDP-Tcp server settings 4) User account settings 5) Client settings
Remember, mainly, that GPOs trump RDP-Tcp settings which trump everything else.
Remember, mainly, that GPOs trump RDP-Tcp settings which trump everything else.
The Terminal Services Configuration console is where the RDP-Tcp settings are. Just understand that in case a question asks about either.
In the absence of a Terminal Services Licensing server, 120-day temporary client access licenses will be issued to all connecting clients. If all clients can suddenly no longer connect, check that a Licensing Server is installed.
TS Licensing Servers in Domain License Server mode can provide licenses only to members of the same domain! Domain License Server mode does not require Active Directory, so they can exist in non-AD domains.
TS Licensing Servers in Enterprise License Server mode can provide licenses to any 2003 or 2000 domains in the same site. Microsoft Documentation - Terminal Server License Server Roles
TS Licensing Servers in Enterprise License Server mode can provide licenses to any 2003 or 2000 domains in the same site. Microsoft Documentation - Terminal Server License Server Roles
Client disk mapping and 128-bit encryption are two big, new features in Remote Desktop Connection.
Configuring the encryption level in the RDP-Tcp properties to "Client Compatible," "FIPS Compliant" or "High" will secure communications to and from.
Note: Changing the encryption level will have no effect if "System Cryptography: Use FIPS..." is enabled in a group or local policy.
Note: Changing the encryption level will have no effect if "System Cryptography: Use FIPS..." is enabled in a group or local policy.
change user /install switches to installation mode.
change user /execute switches to application mode.
change logon /disable disables new connections. change logon /enable enables new connections.
change logon /disable disables new connections. change logon /enable enables new connections.
Upgrading a Terminal Server from 2000 to 2003 might break some legacy applications because the default 2003 TS security level, Full Security, restricts file and registry changes. Change to Relaxed Security in that case.
Know the Terminal Services command-line session management tools (syntax not required, just purpose):
Tscon.exe attaches a user session to a previously connected Terminal Server session.
Tsdiscon.exe disconnects an active Terminal Server session.
Tsshutdn.exe shuts down a Terminal Server in a controlled manner.
Tskill.exe ends an active process and/or processes on a selected server.
Tscon.exe attaches a user session to a previously connected Terminal Server session.
Tsdiscon.exe disconnects an active Terminal Server session.
Tsshutdn.exe shuts down a Terminal Server in a controlled manner.
Tskill.exe ends an active process and/or processes on a selected server.
Active DirectoryClick to Minimize
Creating and Modifying Accounts
When possible, it is a "best practice" to use templates when creating multiple accounts and to select multiple accounts when modifying.
Know which user properties can be configured when multiple accounts are selected! They include the General, Account, Address, Profile and Organization tabs.
Know that the settings that are inherited from template copying are the same as above, plus group membership.
Make note that every single account setting that has anything to do with remote connection must be configured one user account at a time!
Know that the settings that are inherited from template copying are the same as above, plus group membership.
Make note that every single account setting that has anything to do with remote connection must be configured one user account at a time!
Resetting passwords and renaming accounts also can only be done one user at a time.
Csvde.exe cannot be used to modify accounts (only create them) and cannot add passwords.
Dsquery.exe returns objects that meet a search criteria.
Dsget.exe returns properties for a specified object.
Dsadd.exe adds objects to Active Directory.
Dsrm.exe removes objects from Active Directory.
Dsmod.exe modifies objects in Active Directory. This includes adding users to groups.
Dsmove.exe moves objects in Active Directory.
Dsget.exe returns properties for a specified object.
Dsadd.exe adds objects to Active Directory.
Dsrm.exe removes objects from Active Directory.
Dsmod.exe modifies objects in Active Directory. This includes adding users to groups.
Dsmove.exe moves objects in Active Directory.
Security Groups
Local groups on member servers become Domain Local groups in Active Directory when they are promoted to domain controllers. Because of this, member servers cannot use Domain Local groups and domain controllers cannot use Local groups. This is basic info, but it deserves mentioning because, like caterpillars and butterflies, it's easy to think of them as two distinct entities when they really aren't.
Know the group conversion and nesting restrictions. Many thanks to Jason Boche for the following diagram.
Simple explanation: arrows represent possible conversions and subscripts represent possible nestings.
Click on the diagram for a full explanation (also thanks to Jason).
Global groups cannot be converted to Domain Local unless they are converted to Universal first.
Windows 2003 Interim mode does not support domain controllers running 2000.
To find all groups that a user is a member of, including nested groups, use dsget.exe user [UserDN] -memberof -expand
Access
A best practice for administrators is to log in with regular user accounts and use RunAs for admin access! RunAs requires the Secondary Logon Service to be running.
Know the privileges of the different built-in groups (Backup Operators, Administrators, Server Operators, etc.).
Allowed to Authenticate is a new access control (ACL) right to allow users in other domains to access a particular object or service on the computer.
Permissions grant users levels of access to shared network resources; rights represent domain/forest abilities. Permissions are the stuff of Access Control Lists (ACLs); rights are the stuff of group/system policies. I know that this is really basic stuff, but it helps to clarify, since it can be a bit confusing sometimes.
Understand UPN Suffixes and Pre-Windows 2000 logon names and how and why they can affect your ability to log on from other domains.
Group Policy Settings
Audit account logon events is for domain controllers. It audits when users log onto their workstations with domain accounts.
Audit logon events is for all computers, but usually workstations. It audits when users log on with local accounts.
Audit logon events is for all computers, but usually workstations. It audits when users log on with local accounts.
Audit object access audits when files, folders, printers and the registry are accessed. Know all four!
WMI filtering can be used to limit the scope of a group policy to certain computers (ex. install this application only if at least 256MB of RAM is present).
Software Restriction Policies are applied with the following precedence: 1) hash rule 2) certificate rule (scripts and Windows Installer) 3) path rule 4) internet zone rule (Windows Installer only)
Know the key characteristics of the four different Software Restriction Policies and when to use each. Most important to know is that hash rules shouldn't be used if the file needs to be modifiable.
Know how to enable/disable Encrypting File System (EFS) and the best way to deploy it.
Loopback Processing Mode can be used to restrict user settings on highly-managed computers. It does this by processing and applying the User Configuration section (in addition to Computer Configuration) of a computer-targeted group policy.
Administration Tools
The 2003 Admin Tools can be installed only on 2003 and XP SP1 machines (so no 2000).
The 2003 Admin Tools require SP3 to be installed on 2000 domain controllers in order to connect to them. This is because the 2003 tools, by default, require encrypted LDAP communications, a feature not available to 2000 until SP3. If you cannot connect to a 2000 server with the 2003 tools, check that that server has SP3.
Disaster RecoveryClick to Minimize
Automated System Recovery
The ASR restoration process involves booting with the Windows Server 2003 CD, hitting F2 and then inserting a floppy disk. It will create an ASR backup set (a large file with your Windows configuration) and an ASR floppy disk.
An ASR floppy disk contains only two files, asr.sif and asrpnp.sif, and is, therefore, not bootable.
A replacement ASR floppy disk can be made at any time by restoring the two files from the %systemroot%\repair folder in the ASR backup set.
Automated System Recovery is a last resort, to be used in the event that Windows does not even boot.
ASR does not backup personal data files... only the Windows configuration (disk configuration, System State, etc.).
ASR will not backup to CD or DVD. In such a case, backup to a hard drive and then burn to disc.
Backup
The System State on a domain controller must be restored from Directory Services Restore Mode. This mode (accessed by hitting F8 at the boot menu) loads Windows in all its GUI glory, except without Active Directory. This is very different than the Recovery Console, which simply loads a DOS-like environment.
System State components cannot be backed up or restored individually!
Normal backups are the slowest to backup, the fastest to restore (requires messing with only one tape) and use the most tape per backup. Differential backups come next in each of those categories, followed by Incremental backups (which, thus, are fastest to backup, slowest to restore and use the least tape).
A "Normal" (non-authoritative) restore restores data and allows replication to bring all data up to date.
An authoritative restore is a Normal restore followed by running Ntdsutil.exe to increment the restored data that should not be overwritten by replication. This is used to roll back changes.
A "Primary" restore is used when all domain controllers fail. Perform a Primary restore on the first domain controller and then Normal restores on the rest.
The Backup utility forces the backup type to Copy when the System State is selected for backup.
Volume Shadow CopiesClick to Minimize
Volume Shadow Copies requires two things: 1) that it be enabled at the volume level, and 2) that clients wishing to use it have the Previous Versions client app installed.
Volume Shadow Copies cannot be enabled on folders, files or shares. It can be enabled only on the entire volume.
The Previous Versions client app can be installed from %systemroot%\system32\clients\twclient\twclient.msi. Note the filename. Don't confuse twclient.msi, the client for Previous Versions, with tsclient.msi, the client for Terminal Services!
Previous Versions restores files without any of the file permissions of the original file unless the previous version overwrites the original.
To restore a previous version, you must access the share's properties. This is already happening when working over the network, but working at the server's console will require you to explicitly access the share (ex. \\localhost\c$ instead of C:\).
To restore a previous version that was deleted, access the Previous Versions tab in the parent folder's properties. This is obvious when you think about it, since you cannot access properties for a file/folder that no longer exists.
Storing a shadow copy on a separate volume is a valid method of providing a quick means of data recovery.
In order to roll back a change, restore the previous version dated just before the change. I know that may sound obvious, but it's easy to over-analyze it, since the previous version actually isn't added to the list until after the change is made.
The Volume Shadow Copy Service (VSS) allows backing up open or locked files. Running ntbackup.exe with the /SNAP parameter will enable VSS during backup.
SUSClick to Minimize
You need to know SUS (with SP1) for this exam. WSUS (aka SUS 2.0) is not tested and does not need to be known. Knowing WSUS is not a substitute for SUS; they are very different.
SUS can connect to Microsoft through a proxy, even though Automatic Updates on the clients cannot. Configure AU clients to retrieve updates from the SUS server.
SUS requires XP clients to have SP1 installed and 2000 clients to have SP3 installed.
I recommend that you deploy SUS in a test or production network prior to taking the exam. You can download SUS (with SP1) here.
Running "WMIC.exe QFE" will list all updates installed on the computer.
IISClick to Minimize
Know how to enable Web Folders (Microsoft's term for WebDAV). WindowsNetworking - Using WebDAV with IIS
Know how to enable Internet Printing. Note that the /printers/ virtual directory is created automatically. Windows IT Pro - Enable Internet Printing Under IIS
The iisback.vbs script (in Windows\system32) can be used to backup and restore a website's settings. Microsoft Documentation - IIsback.vbs IIS backup management tool
The Remote Administration (HTML) tool allows remote administering of a server by browsing to https://servername:8098 (note the secure protocol and the port number).
Advanced Digest authentication requires both the web server and the domain controller to be 2003.
MiscellaneousClick to Minimize
Know the function and settings of the Microsoft Baseline Security Analyzer (MBSA) and its command-line version, mbsacli.exe! WindowsNetworking - Microsoft Security Baseline Analyzer
The Security Templates MMC snap-in is for modifying security templates; the Security Configuration and Analysis Tool is used to apply templates and compare them to current or baseline settings.
Secedit.exe is the only way to apply just part of a security template to a computer.
Know the key security templates
Securews.inf - sends only NTLMv2 responses; requests SMB signing.
Securedc.inf - accepts only NTLM and NTLMv2 responses; requests SMB signing.
Hisecws.inf - sends only NTLMv2 responses; requires SMB signing and encryption for secure channel data.
Hisecdc.inf - accepts only NTLMv2 responses; requires SMB signing and encryption for secure channel data.
Setup Security.inf, DC Security.inf and Basic*.inf are all used only to revert back to the original settings, not to increase security.
Note: *ws.inf templates are for workstations and member servers; *dc.inf templates are for domain controllers only.
Securews.inf - sends only NTLMv2 responses; requests SMB signing.
Securedc.inf - accepts only NTLM and NTLMv2 responses; requests SMB signing.
Hisecws.inf - sends only NTLMv2 responses; requires SMB signing and encryption for secure channel data.
Hisecdc.inf - accepts only NTLMv2 responses; requires SMB signing and encryption for secure channel data.
Setup Security.inf, DC Security.inf and Basic*.inf are all used only to revert back to the original settings, not to increase security.
Note: *ws.inf templates are for workstations and member servers; *dc.inf templates are for domain controllers only.
Know the two ways to display limited results in Event Viewer. You'll find them in the View menu. Know the difference.
Know how to create and enable users and groups in Active Directory using VBScript! I suggest taking a close look at code that does that and using a programmer's eye to understand what's going on. Here's a great primer on the subject. Everything that you need to know is there. Another article that may help is here (thanks, Steven!)
Know the SysKey utility (syskey.exe) and its three options: Microsoft Documentation - How to use the SysKey utility...
You don't need to know everything about IPsec and Certificates (primarily 70-296 topics), but it'd be wise to know a little about them, since they can be mentioned. If you're using a combined 70-292/70-296 book (like Microsoft's), skim the chapters in your book just to be safe.
Article: Redmond - Trust in Windows Server 2003 -- Mostly 70-296 issues, but having a better understanding can help a bit with 70-292.