MCSA/MCSE Exam 70-296 Study Guide, Part 9

1. You are assigning the newest member of your staff responsibility for a new file server
running Windows Server 2003. He will be an Administrator on the server, and you
want him to be able to ask for help from his coworkers so that they can walk him
through steps to resolve any issues that arise. How would you have the new server
configured so that this new administrator can request Remote Assistance?
A. Check the Remote Assistance box on the Remote tab in System Properties, and
enable remote control in the Remote Assistance Settings dialog box.
B. Check the Remote Desktop box on the Remote tab in System Properties.
C. Check the Remote Assistance box on the Remote tab in System Properties, and
add him as a Remote User in the Add New Users window.
D. Enable Remote Assistance through Local Remote Assistance Group Policy.
2. You just recently finished configuring the properties for Solicited Remote Assistance
in Remote Assistance Group Policy, and you start receiving complaints that certain
experts outside the organization cannot respond to the invitations that are embedded
in the body of e-mail messages. You verify that the correct ports on the firewall are
open and that the property for the format of e-mail invitations is set to Mailto. What
could be the problem?
A. The experts do not have the Remote Assistance client installed.
B. The experts’ e-mail client cannot read HTML-formatted messages.
C. The Remote Assistance timeout period is too short.
D. The experts do not have the correct password.
3. You want to restrict who can offer remote assistance to immediate members of the
server support team in your IT organization. You decide that creating a group is the
most efficient way to manage this function. What kind of group is required, and
where do you create it?
A. Create a Local group on each server that could request remote assistance, and add
the group to the Local Administrators group.
B. Create a Domain group and add it to the Local Administrators group on each
server that could request remote assistance.
C. Create a Universal group and add it to the Offer Remote Assistance Group
Policy.
D. Create a Domain group and add it to the Offer Remote Assistance Group Policy.
www.syngress.com
642 Chapter 10 • Remote Management
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers,
and explanations to the Self Test questions in this chapter as well as the other
chapters in this book, see the Self Test Appendix.
272_70-296_10.qxd 9/29/03 12:19 PM Page 642
4. You have given the ability to offer unsolicited Remote Assistance to members of the
server support team. However, they find that they can connect but not take control of
the servers they are supposed to manage. What is the most efficient way of enabling
the server support team members to take control of the servers they manage through
unsolicited Remote Assistance while controlling the amount of access they have?
A. Add the members of the server support team to the Domain Administrators
group, and add the Domain Administrators group to the Local Administrators
group on each server that could request Remote Assistance.
B. Add the Domain group for the server support team members to the Local
Administrators group on each server that could request Remote Assistance.
C. Add the Domain account for each member of the server support team to the
Local Administrators group on each server that could request Remote Assistance.
D. Create Local accounts for each member of the server support team and add them
to the Local Administrators group on each server that could request Remote
Assistance.
5. You work for a consulting firm that has just installed Windows Server 2003. While at
your office, you receive a Remote Assistance invitation to resolve a hardware issue
from your client. You connect to the remote server without any problems; however,
during the Remote Assistance session, your attempt to send a file with an updated
driver is unsuccessful. What is the most probable cause for the lack of success?
A. The client is refusing to accept the file.
B. The required ports on one or both firewalls are closed.
C. The client has insufficient rights to accept the file.
D. Windows Messenger is not installed on the remote server.
6. The corporate service desk is overloaded, and management wants to leverage technical
knowledge that exists throughout the organization. However, due to concerns over
the security of corporate data, managers are wary of providing access to the organization’s
desktop and laptop systems to individuals outside the organization. They are also
wary of allowing individuals who do not possess the required knowledge to provide
“help.” What strategy would you recommend to satisfy management’s requirements
with the least amount of effort? (Choose all that apply.)
A. Block Remote Assistance at the firewall.
B. Enable Remote Assistance in domain Group Policy and restrict it to members of
the IT group.
C. Enable Remote Assistance in System Properties on every desktop and laptop, and
add the appropriate users.
D. Enable Remote Assistance in local Group Policy on every desktop and laptop.
7. You receive your first Remote Assistance invitation from a colleague who works in a
highly secure unit within your organization, and you immediately respond. Every time
you try to connect, however, your connection attempt is refused. You are on the same
subnet and can ping to verify that you can “see” the remote server. There is no
Domain Remote Assistance Group Policy; therefore, you verify the settings in your
Local Remote Assistance Group Policy. Everything looks normal to you. You notice
that Client Connection Encryption Levels is set to Client Compatible. What do you
suspect is happening?
A. Port 3389 is closed on the firewall.
B. The client is refusing your request to take control of the remote server.
C. The Client Connection Encryption Level is set to High Level.
D. The Client Connection Encryption Level is set to Low Level.

8. A network administrator is experiencing difficulty with one of his Windows Server
2003 servers and sends a Remote Assistance invitation via Windows Messenger to a colleague
who works in another office. The colleague accepts the invitation and attempts to
connect to the remote system, but he is unsuccessful. All offices are interconnected using
VPN connections over the Internet, and each office’s private network is protected by its
own firewall that is not running NAT. What should be done to enable the Remote
Assistance session? (Choose all that apply.)
A. Have the firewall administrators in each office open the TCP/IP ports for Windows
Messenger on their firewalls.
B. Have the firewall administrators in each office open the TCP/IP ports used by
Remote Desktop on their firewalls.
C. Instruct the network administrator to enable Remote Assistance in the Terminal
Services section of the local Group Policy Object Editor.
D. The network administrator should create a Remote Assistance invitation file, attach
it to an electronic mail message, and send it to his colleague.
9. You are experiencing a series of problems with a particular server that you manage
remotely, and the hardware vendor is asking you for the system configuration. You know
you can display the data on screen using msinfo32.exe, but the vendor is requesting a
paper copy. What is the best way to print the information?
A. Save the information from msinfo32.exe as a text file and copy it to your workstation
to print it on your default printer.
B. Configure printer redirection in Remote Desktop Connection, reconnect to the
server, and print the output of msinfo32.exe to your default printer.
C. Have msinfo32.exe print to the server’s default printer.
D. Display the output of msinfo32.exe in a Remote Desktop for Administration
window and capture the window to your default printer.
10. You decide to start using Remote Desktop for Administration to manage the servers
for which you have direct responsibility. Because you expect to have several Remote
Desktop Connection windows open, you configure Audio Redirection in your
Remote Desktop Connection client to “Bring to this computer.” This seems to be
working well because you notice that sound is being directed to your workstation for
all your servers except one.The sound system on your workstation is fully operational.
What are the possible reasons that audio features are not being redirected from this
one server? (Choose all that apply.)
A. The server does not have a sound system or the sound system is disabled.
B. The “Allow audio redirection” setting in local Terminal Services Group Policy on
your workstation is set to Disabled.
C. The “Allow audio redirection” setting in local Terminal Services Group Policy on
the server is set to Disabled.
D. The “Allow audio redirection” setting in domain based Terminal Services Group
Policy is set to Disabled.
11. You take responsibility for a mission-critical server that absolutely has to be available
on a 24/7 basis. As a result, you are issued a laptop computer so that you can manage
the server whenever the need arises. You decide to use Remote Desktop for
Administration to connect remotely to the server. At the office you can use the LAN,
but at home only a dialup connection is available. How should you configure Remote
Desktop Connection on your laptop to work efficiently from both locations? (Choose
all that apply.)
A. Before you attempt a Remote Desktop for Administration session, click the
Experience tab and select LAN (10Mbps or higher) when connecting at the
office or Modem (28.8Kbps) when connecting from home.
B. Before you attempt a Remote Desktop for Administration session, click the
Experience tab and select Custom and check the appropriate boxes depending
on your location.
C. Click the Experience tab, select Custom from the drop-down box, check the
appropriate boxes for your location, and save the settings with a unique name on
the General tab for future use.
D. Use the default setting for Remote Desktop Connection—Modem (56Kbps)—
for all connections.
12. You find that you consistently keep several Remote Desktop Connection sessions
open during the course of your workday. You are beginning to get a little frustrated
when you issue Windows keystroke combinations, expecting them to execute on your
desktop but they end up executing on a remote server, or vice versa. What can you do
to ensure that when you issue Windows keystroke combinations, they execute where
you expect them to?
A. Configure Apply Windows key combinations in Remote Desktop Connection to
On the local computer.
B. Configure Apply Windows key combinations in Remote Desktop Connection to
In full screen mode only.
C. Configure Apply Windows key combinations in Remote Desktop Connection to
On the remote computer.
D. Disable keyboard redirection in Local Terminal Services Group Policy on the
remote servers that you manage.
13. Your organization has implemented VPN technology in support of the IT department’s
new on-call policy for network administrators. As part of this policy, network
administrators have the ability to connect to and manage corporate servers using their
own ISPs. You find that the performance of Remote Desktop for Administration connections
degrades in the early evening when utilization of your cable ISP’s services is
at its highest. What can you do to improve the performance of Remote Desktop for
Administration on those rare occasions when you need to manage a server during
your ISP’s busy times?
A. Select Broadband (128Kbps–1.5Mbps) on the Experience tab in Remote
Desktop Connection.
B. Select Custom on the Experience tab in Remote Desktop Connection and
accept the items that are checked by default.
C. Select LAN (10Mbps or higher) on the Experience tab in Remote Desktop
Connection.
D. Select Custom on the Experience tab in Remote Desktop Connection and
clear all check boxes.
14. You have been asked to take primary responsibility for a server that is used to perform
systems management and track software licensing for your organization’s entire network.
Due to the number of servers to which you need to connect, you need an efficient
way to store the different connection configurations to the various servers. For
some servers you need direct access to the server console; for others you need a
workspace to enter data or generate reports. How can you manage remote access to
each server for different levels of access?
A. Install the Remote Desktop snap-in on the server and create connections for
every server which you need to access remotely, configuring some connections to
connect to the console and others to connect to individual sessions.
B. Install the Remote Desktops snap-in on the workstation you will use to connect
to the servers, configuring some connections to connect to the console and others
to connect to individual sessions.
C. Edit the Local Terminal Services Group Policy on the workstation you will use to
connect to the servers, configuring some connections to connect to the console
and others to connect to individual sessions.
D. On the workstation you will use to connect to the servers, create a connection
profile for each server, and save the profiles as .RDP files in your home directory.
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this
chapter as well as the other chapters in this book, see the Self Test Appendix.
1. A
2. B
3. D
4. B
5. B
6. A, B
7. C
8. B
9. B
10. A, C
11. C, D
12. B
13. B
14. A
Chapter 11
MCSA/MCSE 70-296
Disaster Recovery Planning and Prevention
Exam Objectives in this Chapter:
3.1 Plan services for high availability
3.1.1 Plan a high availability solution that uses clustering service
3.1.2 Plan a high availability solution that uses Network Load Balancing
3.2 Plan a backup and recovery strategy
3.2.1 Identify appropriate backup types. Methods include full, incremental, and differential.
3.2.2 Plan a backup strategy that uses volume shadow copy.
3.2.3 Plan system recovery that uses Automated System Recovery (ASR).
• Summary of Exam Objectives
• Exam Objectives Fast Track
• Exam Objectives Frequently Asked Questions
• Self Test
• Self Test Quick Answer Key
Introduction
Our final topic for discussion is disaster recovery. We could dedicate an entire book to this
topic simply because it is an issue that can make or break your company. Having a disaster
recovery plan in place is crucial to an organization’s livelihood. Many companies have felt
the pain of being unprepared for a major catastrophe. For example, let’s say that one of your
critical database servers suffers a major hardware catastrophe. All your company’s customer
records and order information are stored on this system. If you do not have a backup of the
information stored on this server, how do you plan to fulfill your customers’ orders and bill
them for your products if your server is destroyed?
While certain aspects of disaster recovery are beyond the scope of this book, one area
that you must be familiar with for the 70-296 exam is backup and recovery. You need to
understand the types of backup strategies that are available in Windows Server 2003, how to
develop a plan for backing up your data, and the security concerns associated with doing
so. Aside from backup and recovery, you also need to know some of the additional tools
that Microsoft provides to aid you with disaster recovery issues, such as Automated System
Recovery and the Recovery Console.
In this chapter, you will learn about these topics as well as the various types of clustering
services available in Windows Server 2003 to help reduce the impact of a disaster.
Microsoft offers tools such as Network Load Balancing and Server Clustering in Windows
Server 2003 to give you another degree of fault tolerance in your networking environment.
By the time you reach the end of this chapter, you will be able to plan, configure, and
implement these clustering services within your environment. Let’s begin this chapter with
a discussion of the general concepts of disaster recovery.
Understanding Disaster Recovery
Disaster recovery could be described as the Rodney Dangerfield of IT—it gets no respect.
The irony here is that disaster recovery can be your best friend if you give it the attention
that it requires. Too many times we’ve seen environments in which IT staff diligently swap
tapes on a daily basis while otherwise ignoring their disaster recovery plans—assuming they
have even developed them. As a networking professional, you should make it a priority to
stay diligent in all aspects of disaster recovery.
Perhaps the most common reason that IT professionals do not pay attention to all
aspects of disaster recovery is lack of understanding. This section covers two specific areas
relating to disaster recovery. First, we discuss planning for disaster recovery and the fundamentals
of disaster recovery, as well as the steps you need to consider when planning a disaster
recovery strategy. Then we discuss some of the ways that Microsoft assists you in the
recovery of your Windows Server 2003 environment. Let’s begin with a discussion of disasters
and define the types of disaster.
EXAM 70-296 OBJECTIVE 3.2.3
Planning for Disaster Recovery
If you follow current events, the widespread effects of any disaster will become clear to you
rather quickly. Equipment, data, and personnel can be destroyed and staggering amounts of
money lost by individual businesses, the economic after-effects of which can be felt internationally
on a regular basis. Some companies can tolerate a certain amount of downtime,
but some never recover and find themselves out of business. A disaster recovery plan identifies
potential threats against your network, including terrorism, fire, and flood, in order to
provide employees guidance on how to deal with such events when they occur.
Disasters can also result from the actions of people. Such disasters can occur as a result
of employees accidentally or maliciously deleting data, system intrusions by hackers, viruses
and malicious programs that damage data, and other events that cause downtime or damage.
As with environmental disasters, a disaster recovery plan can be used to prepare and deal
with such “human catastrophes.”
Preparation for disaster recovery begins long before a disaster actually occurs. Data
backups must be performed daily to ensure that data can be recovered, plans need to be
created that outline the tasks that need to be performed and by whom, and other issues
need to be addressed as well. Of course, we hope that such preparation will never be
needed, but it is vital that you put a strategy in place to deal with incidents that could arise.
The disaster recovery plan should identify as many potential threats as possible and include
easy-to-follow procedures. In greater detail, a plan should provide countermeasures that
address each threat effectively.
Disaster recovery plans are documents that are used to identify potential threats and outline
the procedures necessary to deal with various types of threats. When creating a disaster
recovery plan, administrators should try to identify all the types of threats that could affect
their company. For example, a company in California would need to be concerned about
earthquakes, fire, flood, power failures, and other kinds of natural disaster but would need to
worry less about blizzards. Once the administrators have determined the disasters that their
company could face, they can create procedures to minimize the risk of such disasters.
Disasters are not limited to acts of nature but can be caused by electronic means. For
example, DoS attacks occur when large numbers of requests are sent to a server, which overloads
the system and causes legitimate requests for service to be denied. When an e-commerce
site experiences such an attack, the losses can be as significant as any natural disaster.
Risk analysis should be performed to determine the company resources that are at risk
when a disaster occurs. This analysis should include such elements of a system as:
• Loss of data
• Loss of software and hardware
• Loss of personnel
Software can be backed up, but the cost of applications and OSs can make up a considerable
part of a company’s operating budget. Thus, copies of software and licenses should be
kept offsite so that they can be located and implemented when systems need to be restored.
Configuration information should also be documented and kept offsite so that it can be
used to return the system to its previous state.
Additional hardware should also be available. Because hardware might not be easily
installed and configured, administrators might need to involve outside parties. You should
check any such vendor agreements to determine whether they provide onsite service
within hours or days, because waiting for outsourced workers can present a significant delay
in restoring a system.
A person working for a company could have distinct skill sets that can cause a major
loss if that person is unavailable. If a person is injured, dies, or leaves a company, the
employee’s knowledge and skills are also gone. Imagine a network administrator getting
injured in a fire with no one else fully understanding how to perform that job. This would
have a major impact on any recovery plans. Thus, it is important to have a secondary person
with comparable skills who can step in for important personnel, documentation on systems
architecture and other elements related to recovery, and clear procedures to follow to perform
important tasks.
When considering the issue of personnel, administrators should designate members
who will be part of an incident response team to deal with disasters when they arise.
Members should have a firm understanding of their roles in the disaster recovery plan and
the tasks they need to perform to restore systems. A team leader should also be identified,
so a specific person is responsible for coordinating efforts.
Recovery methods discussed in the plan should focus on restoring the most business-critical
requirements first. For example, if a company depends on sales from an e-commerce
site, restoring this server would likely be a high priority. This would allow customers to
continue viewing and purchasing products while other systems are being restored.
Another important factor in creating a disaster recovery plan is cost. When planning for
disaster recovery, you need to plan for alternate sites in the event of a disaster. There are
three common types of sites: hot sites, warm sites, and cold sites. A hot site has all the equipment
needed for a company to continue operation, including computer equipment, utilities,
telephone systems, and furniture. A cold site provides office space but does not have the
equipment and other features of the hot site. A warm site falls somewhere in the middle, not
providing as much “plug-and-play” functionality as a hot site but not quite as bare-bones as
a cold site. Hot, warm, and cold sites require additional cost such as rent, hardware that
might not be used until a disaster occurs (if one ever does), office supplies, and other elements
that allow a business to run properly. This can present a dilemma; you do not want to
spend more money on preparation than it would cost to recover from a disaster, but you
also do not want to be overly frugal and not be able to restore systems in a timely manner.
Finding a balance between these two extremes is the key to creating a disaster recovery plan
that is affordable and effective.
Windows Disaster Recovery
As a Windows Server 2003 MCSE, you need to know the various methods of disaster
recovery that Microsoft provides. Aside from Windows backup and restore (which we talk
about in the next section), several other options are available in Windows Server 2003 that
can assist you in recovering a downed server. Three options that we discuss in this section are:
• Startup options
• Recovery Console
• Automated System Recovery
Let’s start our discussion of Windows disaster recovery tools with a look at the
Windows startup options, a feature you’re probably familiar with from past versions of the
Windows operating system.
Startup Options
At some point, you will undoubtedly come across a server that is unable to start the
Windows Server 2003 operating system normally. A normal startup implies that the server
can perform a reboot and bring up all startup services and applications without user intervention.
When you encounter a system that cannot start up normally, you can choose to
start up in one of eight different modes:
• Safe mode
• Safe mode with networking support
• Safe mode with command prompt
• Enable boot logging
• Enable VGA mode
• Last known good configuration
• Directory services restore mode
• Debugging mode
Safe Mode
When you start a server in Safe mode, Windows defaults to the most basic settings for running
a server, including the Microsoft mouse driver, VGA video display, and other system-specific
drivers (such as SCSI controller drivers) that are needed to start Windows. Safe mode can
be used for a variety of reasons. For example, let’s say that you download and install a new
device driver for your video card. After installing the device driver, your screen resolution
changes or your machine freezes, making it impossible to view the screen. By rebooting into
Safe mode, you can change your video settings and remove the newly installed driver that is
causing the problem. Certainly, an improperly installed video driver might not be considered a
“disaster,” but you can see the need for Safe mode on your servers.
Safe Mode with Networking Support
We can use Safe mode to recover from situations such as malfunctioning software or device
drivers, but what if we need access to resources on the network in order to recover the
system? You can use Safe mode with networking. This startup mode allows you to access resources
on your network as well as the Internet. Safe mode with networking offers the same functionality
as Safe mode plus additional drivers needed to support network connectivity.
Safe Mode with Command Prompt
Safe mode with command prompt starts using basic files and drivers, but unlike the other
two Safe mode variants, it displays a command prompt instead of the Windows desktop
after you’ve logged onto the system. Safe mode with command prompt might be used in
situations in which you need to perform command-level functions that Windows will not
let you use in the GUI environment. For example, you might need to replace a system file
that would be protected by the operating system in Safe mode or Safe mode with networking
support. In another example, if a file is locked for exclusive use when the
Windows GUI is present, you can manipulate this file using the command-level functions.

EXAM WARNING
Make sure you know how the three types of Safe mode differ from one another:
• Safe mode: Defaults to the most basic settings for running a server,
including the Microsoft mouse driver, VGA video display, and other
system-specific drivers.
• Safe mode with networking support: Defaults to the most basic settings
for running a server, including the Microsoft mouse driver, VGA
video display, and other system-specific drivers, but also adds networking
capabilities.
• Safe mode with command prompt: Defaults to a command prompt
to allow you to use command-level functions that Windows will not
let you use in the GUI environment.
Enable Boot Logging
When you choose to enable boot logging, Windows logs all drivers and services that were
loaded (or failed to load) during startup in a file called ntbtlog.txt, which is located in the
%systemroot% directory. Boot logging is helpful when you’re not exactly sure what is causing
your server problems. You can see a sample ntbtlog.txt file in Figure 11.1; take special note of
the lines in bold text (the “Did not load driver” entries) that indicate drivers that failed to
load during system startup.
Figure 11.1 A Sample ntbtlog.txt File
Microsoft (R) Windows (R) Version 5.2 (Build 3790)
5 18 2003 20:48:05.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver intelide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver volsnap.sys
Loaded driver PartMgr.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver Dfs.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Loaded driver agp440.sys
Loaded driver crcdisk.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\wlbs.sys
Loaded driver \SystemRoot\system32\DRIVERS\atimpae.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys
Loaded driver \SystemRoot\system32\DRIVERS\el90xbc5.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\parport.sys
Loaded driver \SystemRoot\system32\DRIVERS\serial.sys
Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Did not load driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\parvdm.sys
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys

Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
TEST DAY TIP
For the exam, remember that the ntbtlog.txt file is stored in the %systemroot%
directory. Read the question carefully, because the answer choices might include
different %systemroot% directories than the Windows default.
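To make a boot log like Figure 11.1 easier to review, the following added example (not part of the original book) parses its `Loaded driver` / `Did not load driver` lines and, going one step beyond the text, compares a boot against a known-good baseline. The function names are illustrative, the excerpt lines are taken from the figure, and `examplefilter.sys` is a constructed driver name.

```python
import re
from collections import OrderedDict

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+?)\s*$")

def driver_key(path):
    """Reduce a driver path to a lower-case file name so entries compare equal."""
    return path.rsplit("\\", 1)[-1].lower()

def parse_ntbtlog(text):
    """Return {driver: [statuses in log order]}, status 'loaded' or 'not_loaded'."""
    drivers = OrderedDict()
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # blank lines and anything that is not a driver entry
        status = "loaded" if match.group(1) == "Loaded driver" else "not_loaded"
        drivers.setdefault(driver_key(match.group(2)), []).append(status)
    return drivers

def never_loaded(drivers):
    """Drivers that only ever appear as 'Did not load driver'."""
    return [name for name, seen in drivers.items() if "loaded" not in seen]

def mixed_status(drivers):
    """Drivers logged both as loaded and as not loaded (e.g. NDProxy.SYS in the figure)."""
    return [name for name, seen in drivers.items() if len(set(seen)) == 2]

def new_since_baseline(baseline, current):
    """Drivers loaded in the current boot that the baseline boot never mentioned."""
    return [name for name, seen in current.items()
            if "loaded" in seen and name not in baseline]

# Excerpt of Figure 11.1, used here as the known-good baseline.
BASELINE_LOG = r"""
Loaded driver disk.sys
Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
"""

# Later boot: same entries plus one constructed, unexpected driver.
CURRENT_LOG = BASELINE_LOG + r"Loaded driver \SystemRoot\system32\DRIVERS\examplefilter.sys" + "\n"

if __name__ == "__main__":
    base = parse_ntbtlog(BASELINE_LOG)
    cur = parse_ntbtlog(CURRENT_LOG)
    print("never loaded:", never_loaded(cur))
    print("loaded and not loaded:", mixed_status(cur))
    print("new since baseline:", new_since_baseline(base, cur))
```

A driver that appears only in the newer log is worth explaining before the server goes back into service, whether it came from a legitimate install or not.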
Enable VGA Mode
The difference between Safe mode and Enable VGA mode is that Enable VGA mode starts
the computer using the currently installed video driver at the lowest possible resolution
instead of the Microsoft VGA driver. You could use VGA mode when you require the
additional functionality of your video card. For example, if you needed a higher resolution than
the regular Safe mode provides, you could boot into VGA mode instead.
Last Known Good Configuration
This is an option that is probably very familiar to you if you’ve worked with Windows NT
and Windows 2000. The last known good configuration starts by using Registry
information that was saved during the previous logon. Rather than using Safe mode to remove a
faulty driver that was installed, you can restart using the last known good configuration,
which stores information about the drivers that were installed previous to the faulty
configuration. The only downside to using the last known good configuration option is that any
changes made after the previous logon, not just the faulty configuration, will be lost.
Directory Services Restore Mode
Directory services restore mode is an option that is only available on domain controllers
and is used in restoring the SYSVOL directory and Active Directory. Directory services
restore mode was covered in depth in Chapter 3, “Managing and Maintaining an Active
Directory Infrastructure.”
Debugging Mode
Debugging mode is one of those options that you might use only infrequently, but you
should still be aware of it should the need arise. When you boot a server in Debugging
mode, debugging information is sent to another computer using a device known as a null
modem. A null modem is a serial cable that connects two computers and simulates a
connection similar to that of a standard analog modem. You might use Debugging mode when
you’re working with a Microsoft technical support representative to troubleshoot a server.
The debugging information can be captured by the other computer and sent to Microsoft
for analysis.
Recovery Console
In some situations, you might not be able to boot your server into any of the startup modes
we’ve just discussed. If this situation arises, all is not lost. Using the Windows Recovery
Console, you have the ability to read and write data on a local drive, enable and disable
system services, format drives, and perform other types of tasks.
Recognizing the potential for the Recovery Console to be exploited if a malicious user
gained access to a server console, Microsoft developers made sure to keep security in mind
when they designed this function. When you start a Recovery Console session, you are required
to provide the password for the administrator account. On a domain controller, this will be
the username and password for the domain user account. For standalone servers, the
administrator account is the local administrator account. The Recovery Console interface looks
like a standard command-line interface but also provides you a help file for the commands
that are available in the Recovery Console.
TEST DAY TIP
If you get a question about the Recovery Console on your exam, read it carefully. If
you are asked about logging into the Recovery Console, check to see if the question
mentions that the server is a domain controller or a standalone server. This
information will determine which administrator account to use.
EXERCISE 11.01
STARTING THE RECOVERY CONSOLE
In this exercise, we restart a Windows Server 2003 computer using the
Recovery Console. Start this process by inserting the Windows Server 2003 CD
into your CD-ROM drive. In addition, ensure that your server is set to boot
from the CD-ROM as the primary device.
1. Reboot your computer.
2. During the boot process, you may be prompted to press a key to boot
to the CD. Press any key.
3. Windows begins running through the Windows Server 2003 installation
process, then prompts you to make a decision on how to proceed.
4. Press R to select “Repair a Windows installation using Recovery
Console.”
New & Noteworthy…
The Recovery Console in Real Life
I have only found the need to use the Recovery Console twice in my time as a
networking professional. However, on both occasions it saved me from hours of
troubleshooting and system recovery. On the first occasion, I was attempting to remove
an application from a Windows 2000 server. The application failed to uninstall
properly and left several files behind on the server. This might not have seemed like
a big issue, but we were uninstalling the application to install a newer version.
Unfortunately, the newer version was not configured to overwrite the older
application and required the older application to be completely removed. When I tried
to manually delete the files, I received a sharing violation error message on the files.
Even in Safe mode, I was unable to remove the files due to this error. Rather than
reinstalling the OS or spending hours on the phone with the application
developer’s technical support staff, I booted the server into Recovery Console and was
able to change to the directory where the files were stored and remove them.
The second occasion was a little bit scarier. One of the Oracle servers at my
company failed to start properly, claiming that the OS could not be found.
Obviously, in this situation Safe mode was not an option. By booting into the
Recovery Console, I was able to determine that the boot.ini file had become
corrupted and was causing the server to fail on boot. I manually recreated the boot.ini
file on another computer and copied it onto the downed server via a diskette. After
replacing the boot.ini file, the server started normally on the next reboot.
5. The installation process terminates and begins launching the Recovery
Console.
6. You will be prompted to select a Windows installation. In our example,
choose option 1, C:\WINDOWS.
7. Next you may need to enter the administrator password for this
computer. If this is not required, press Enter to continue.
8. Once you have entered the correct password, you will receive a DOS
prompt. From here, you can navigate various directories on the drive,
or you can pull up a list of Recovery Console commands by typing
HELP. You can also find out more information about a particular
command by typing HELP <command>, where <command> is the name
of a particular Recovery Console command.
Automated System Recovery
In terms of Windows disaster recovery options, use Automated System Recovery (ASR)
only as a last resort. ASR can be used to back up the system state data, system services, and
all other files associated with the operating system. Along with the information itself, ASR
creates a “road map” to the data on a diskette, which contains information about the ASR
backup, the logical disk configurations, and how to perform an ASR restore. When you
initiate an ASR restore, the system reads the information on the diskette and restores all the
disk signatures, volumes, and partitions on the disks that are needed to start Windows. Once
the disk information is restored, ASR installs a stripped-down installation of Windows and
automatically starts to restore from backup using the backup ASR information. ASR should
be used as a last resort only, because its purpose is to essentially rebuild from scratch
previously stored information about the server. By using ASR, you will lose any user data that is
stored on the system drive unless it has been backed up through other methods. Although
ASR is a great tool and a nice addition to Windows Server 2003, you should exhaust all
other recovery methods prior to using it.
EXERCISE 11.02
CREATING AN ASR BACKUP
In Exercise 11.02, we create an ASR backup to diskette. This diskette backs up
all our critical system data in case we need to completely restore the system
information:
1. Click Start | All Programs | Accessories | System Tools | Backup.
EXAM 70-296 OBJECTIVE 3.2.3
2. When the Backup or Restore Wizard (see Figure 11.2) opens, click
Advanced Mode.
3. Select Automated System Recovery Wizard from the Backup Utility
window (see Figure 11.3).
4. When the Automated System Recovery Preparation Wizard starts, click
Next to continue.
5. Select a backup location for your ASR files (see Figure 11.4). Here we
use a mapped drive from another server to store the actual files.
However, we also need a diskette to store the actual system settings
that would be read during the recovery process. Make sure you have a
diskette in the disk drive.
Figure 11.2 The Backup or Restore Wizard
Figure 11.3 Backup Utility
6. Once the ASR preparation process is complete (see Figure 11.5), click
Finish to begin backing up your system files. Depending on the
amount of data, you might be asked to insert several disks.
7. The files will begin copying to your diskette(s), as shown in Figure 11.6.
Figure 11.4 Selecting a Backup Location
Figure 11.5 Completing the ASR Preparation
8. You will be prompted to insert a blank diskette into your drive; the
system then copies the system settings and backup media information
to the diskette. This completes the ASR backup process.
EXAM WARNING
ASR is not a full-system recovery option. In other words, it can be used to restore
the Windows OS and all vital OS information, but it does not back up any data
files. If you are presented with a question about ASR on your exam relating to the
restoration of user data, remember that ASR cannot perform this function.
Backup and Recovery
Data backup and recovery is the one area of disaster recovery with which networking
professionals are most familiar. Everyone knows that they must back up their servers (and in
some cases, workstations) to removable media in case anything should ever happen to their
hardware. However, changing tapes on a regular basis is not enough; there are several other
factors that you should consider in case such a disaster does occur. As a Microsoft
networking professional, you will want to establish a backup and recovery plan for your
Windows Server 2003 servers.
Figure 11.6 Copying the ASR Files to Diskette
EXAM 70-296 OBJECTIVE 3.2, 3.2.1, 3.2.2
Establishing a Plan
After deciding what data will be backed up, the two most important decisions you must
make in terms of backup and recovery are how you will back up your data and where you
will store it. When establishing a backup and recovery plan, you want to consider tape
rotation and offsite storage.
Tape Rotation
It is important to keep at least one set of backup tapes offsite so that all tapes are not kept
in a single location. If backup tapes were kept in the same location as the servers that were
backed up, all the data (on the server and the backup tapes) could be destroyed in a disaster.
By rotating backups between different sets of tapes, data is not always being backed up to
the same tapes, and a previous set is always available in another location.
A popular rotation scheme is the grandfather-father-son (GFS) rotation, which
organizes rotation into a daily, weekly, and monthly set of tapes. With a GFS backup schedule, at
least one full backup is performed per week, with Differential or Incremental backups
performed on other days of the week. At the end of the week, the daily and weekly backups
are stored offsite and another set is used through the next week. To better understand this
concept, assume a company is open Monday through Friday. As shown in Table 11.1, a full
backup of the server’s volume is performed every Monday, with Differential backups
performed Tuesday through Friday. On Friday, the tapes are moved to another location, and
another set of tapes is used for the following week.
EXAM WARNING
Since GFS is such a popular rotation scheme, expect this term to come up
somewhere on the exam.
Table 11.1 Sample Weekly Backup Schedule
Day      Backup
Sun.     None
Mon.     Full backup
Tues.    Differential backup
Wed.     Differential backup
Thurs.   Differential backup
Fri.     Differential backup, with week’s tapes moved offsite
Sat.     None
NOTE
We discuss Full, Differential, and other types of backups in our discussion of
backup strategies.
Because it is too expensive to continually use new tapes, old tapes are often reused for
backups. A tape set for each week in a month is rotated back into service and reused. For
example, at the beginning of each month, the tape set for the first week of the previous
month is rotated back into service and used for that week’s backup jobs. Because one set of
tapes is used for each week of the month, most sets of tapes are kept offsite. Even if one set
was corrupted, the set of tapes for the previous week could still be used to restore data.
In the GFS rotation scheme, the full backup is considered the “father,” and the daily
backup is considered the “son.” The “grandfather” segment of the GFS rotation is an
additional full backup that is performed monthly and stored offsite. The grandfather tape is not
reused but is permanently stored offsite. Each grandfather tape can be kept for a specific
amount of time (such as a year) so that data can be restored from previous backups, even
after the father and son tapes have been rotated back into service. If someone needs data
restored from several months ago, the grandfather tape enables a network administrator to
retrieve the required files.
A backup is only as good as its ability to be restored. Too often, backup jobs are
routinely performed, but the network administrator never knows whether the backup is
performed properly until the data needs to be restored. To ensure that data is being backed up
properly and can be restored correctly, administrators should perform test restores of data to
the server. This testing can be as simple as attempting to restore a directory or small group
of files from the backup tape to another location on the server.
Offsite Storage
Once backups have been performed, administrators should not keep all the backup tapes in
the same location as the machines they have backed up. After all, a major reason for
performing backups is to have the backed-up data available in case of a disaster. If a fire or
flood occurred and destroyed the server room, any backup tapes in that room would also be
destroyed. This would make it pointless to have gone through the work of backing up data.
To protect data, the administrator should store the backups in a different location so that
they will be safe until they are needed.
Offsite storage can be achieved in a number of ways. If a company has multiple buildings
in different cities, for example, the backups from City A can be stored in a building in City B,
and vice versa. If this is not possible, there are firms that provide offsite storage facilities. The
key is to keep the backups away from the physical location of the original data.
When deciding on an offsite storage facility, administrators should ensure that the facility
is secure and has the environmental conditions necessary to keep the backups safe. They
should also ensure that the site has air conditioning and heating, because temperature changes
may affect the integrity of data. The facility should also be protected from moisture and
flooding and have adequate fire protection. The backups need to be locked up, and policies
must be in place that detail who is authorized to pick up the data when it’s needed.
Backup Strategies
Backing up data is a fundamental part of any disaster recovery plan. When data is backed
up, it is copied to a type of media that can be stored in a separate location. The type of
media will vary depending on the amount of data being copied, but can include digital
audio tape (DAT), digital linear tape (DLT), compact disks, both recordable and rewritable
(CD-R/CD-RW), or diskettes. If data is unintentionally destroyed, it can be restored to its
original state from the media.
When making backups, the administrator needs to decide what data will be copied to
alternative media. Critical data such as trade secrets that a business relies on to function and
other important data crucial to a business’s needs must be backed up. Other data such as
temporary files and applications might not be backed up since it can easily be reinstalled or
missed in a backup. Such decisions, however, vary from company to company. Once the
administrator has decided what information needs to be backed up, he or she can
determine the type of backup that will be performed. Common backup types include:
• Full backup: Backs up all data in a single backup job. Generally, this includes all
  data, system files, and software on a system. When each file is backed up, the
  archive bit is changed to indicate that the file has been backed up.
• Incremental backup: Backs up all specified data that was changed since the last
  backup. Because only files that have changed are backed up, this type of backup
  takes the least amount of time to perform. When each file is backed up, the
  archive bit is changed to indicate that the file has been backed up.
• Differential backup: Backs up all specified data that has changed since the last
  full backup. When this type of backup is performed, the archive bit is not
  changed, so data on one Differential backup contains the same information as the
  previous Differential backup plus any additional files that have changed.
• Volume shadow copy: A mirror image of a disk volume, including files that are
  in an “open” state. This is a new feature in Windows Server 2003.
Because different types of backups copy data in different ways, the methods used to
back up data may vary between businesses or even from server to server. One company
might do Daily full backups, whereas another might use a combination of Full and
Incremental backups or Full and Differential backups.
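The archive-bit behavior described in the list above can be traced through the Monday-to-Friday schedule of Table 11.1 with a small simulation. This is an added example, not code from the book: the `Volume` class, the function names, the file names and the week's changes are all constructed, and it goes slightly beyond the text by also listing which days' tapes a restore on Friday evening would need under each strategy.

```python
class Volume:
    """Toy file system that tracks only each file's archive bit."""
    def __init__(self, names):
        # A set bit means "changed since it was last marked as backed up".
        self.archive = {name: True for name in names}

    def modify(self, name):
        self.archive[name] = True  # any write sets the archive bit again

def backup(volume, kind):
    """Return the files a job of this kind copies, updating archive bits."""
    if kind == "full":
        copied = sorted(volume.archive)
    else:  # incremental and differential both pick files whose bit is set
        copied = sorted(n for n, bit in volume.archive.items() if bit)
    if kind in ("full", "incremental"):
        for name in copied:
            volume.archive[name] = False  # differential leaves the bit alone
    return copied

FILES = ["a.doc", "b.xls", "c.mdb", "d.txt"]              # constructed
CHANGES = {"Tue": ["a.doc"], "Wed": ["b.xls"],
           "Thu": ["a.doc", "c.mdb"], "Fri": []}          # constructed

def run_week(daily_kind):
    """Full backup on Monday, then daily_kind backups Tuesday to Friday."""
    vol = Volume(FILES)
    jobs = [("Mon", "full", backup(vol, "full"))]
    for day in ("Tue", "Wed", "Thu", "Fri"):
        for name in CHANGES[day]:
            vol.modify(name)
        jobs.append((day, daily_kind, backup(vol, daily_kind)))
    return jobs

def restore_chain(jobs):
    """Days whose tapes are needed to restore to the state of the last job."""
    last_full = max(i for i, job in enumerate(jobs) if job[1] == "full")
    later = jobs[last_full + 1:]
    if later and later[-1][1] == "differential":
        later = later[-1:]  # the newest differential already holds every change
    return [jobs[last_full][0]] + [day for day, _, _ in later]

if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        jobs = run_week(kind)
        for day, job_kind, copied in jobs:
            print(f"{day} {job_kind:<12} {copied}")
        print("restore needs:", restore_chain(jobs), "\n")
```

The differential tapes grow each day but a restore needs only two tape sets, while the incremental tapes stay small and a restore needs every one of them in order.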

Volume Shadow Copy
Let’s take a few moments to discuss how volume shadow copy works, then we will walk
through a couple of backup exercises. As we mentioned, volume shadow copy is the latest
addition to the built-in backup functionality of Windows Server 2003. Unlike other types
of backups, you can now back up files and volumes, including files that are open or in use
by another user or system process. This was not previously possible without third-party
backup software. Another advantage of volume shadow copy is that backups can be per-
EXAM 70-296 OBJECTIVE 3.2.1