MCSE 70-217 Study Guide

Abstract:

This Study Aid will help you focus your studies for the Microsoft 70-217 exam. This is a Core credit toward Microsoft Certified Systems Engineer on Microsoft Windows 2000 certification. Finishing this exam with a passing score will enable you for MCP status. As with any study guide, never make this your sole reference for study. Good Luck.

Audience Profile:

Candidates for this exam operate in medium to very large computing environments that use the Windows 2000 network operating system. They have a minimum of one year's experience implementing and administering network operating systems in environments that have the following characteristics:

• Supported users range from 200-26,000+

• Physical locations range from 5-150+

Typical network services and applications include file and print, database, messaging, proxy server or firewall, dial-in server, desktop management, and Web hosting. Connectivity needs include connecting individual offices and users at remote locations to the corporate network and connecting corporate networks to the Internet

Skills Being Measured

This certification exam measures your ability to install, configure, and troubleshoot the Windows 2000 Active Directory components, DNS for Active Directory, and Active Directory security solutions. In addition, this test measures the skills required to manage, monitor, and optimize the desktop environment by using Group Policy. Before taking the exam, you should be proficient in the job skills listed within this Study Guide.

Installing and Configuring Active Directory

• Install forests, trees, and domains

• Automate domain controller installation

• Create sites, subnets, site links, and connection objects

• Configure server objects. Considerations include site membership and global catalog designation

• Transfer operations master roles

• Verify and troubleshoot Active Directory installation

• Implement an organizational unit (OU) structure

Installing, Configuring, Managing, Monitoring, and Troubleshooting DNS for Active Directory

• Install and configure DNS for Active Directory

• Integrate Active Directory DNS zones with existing DNS infrastructure

• Configure zones for dynamic updates and secure dynamic updates

• Create and configure DNS records

• Manage, monitor, and troubleshoot DNS

Configuring, Managing, Monitoring, Optimizing, and Troubleshooting Change and Configuration Management

• Implement and troubleshoot Group Policy

• Create and modify a Group Policy object (GPO)

• Link to an existing GPO

• Delegate administrative control of Group Policy

• Configure Group Policy options

• Filter Group Policy settings by using security groups

• Modify Group Policy prioritization

• Manage and troubleshoot user environments by using Group Policy

• Install, configure, manage, and troubleshoot software by using Group Policy

• Manage network configuration by using Group Policy

• Configure Active Directory to support Remote Installation Services (RIS)

• Configure RIS options to support remote installations

• Configure RIS security

Managing, Monitoring, and Optimizing the Components of Active Directory

• Manage Active Directory objects

• Move Active Directory objects

• Publish resources in Active Directory

• Locate objects in Active Directory

• Create and manage objects manually or by using scripting

• Control access to Active Directory objects

• Delegate administrative control of objects in Active Directory

• Monitor, optimize, and troubleshoot Active Directory performance and replication

• Back up and restore Active Directory

• Perform an authoritative and a non-authoritative restore of Active Directory

• Recover from a system failure

• Seize operations master roles

Configuring, Managing, Monitoring, and Troubleshooting Security in a Directory Services Infrastructure

• Apply security policies by using Group Policy

• Create, analyze, and modify security configurations by using the Security Configuration and Analysis snap-in and the Security Templates snap-in

• Implement an audit policy

• Monitor and analyze security events

Introduction to Active Directory

• Windows 2000 Active Directory is an organized list of objects, called directory objects, that provides centralized management for scalable networks.
• Objects are organized in a hierarchical structure rather than physical location and can include:
  • Users
  • Groups
  • Computers
  • Shared resources
  • Security information
• Windows 2000 Active Directory is a distributed directory structure, whereby the information contained in the directory can be spread across multiple domain controllers.
• This provides fault tolerance as well as optimizing a single point of access for the end user.

• Windows 2000 Active Directory integrates the Internet namespace and NT directory services by supporting the Lightweight Directory Access Protocol (LDAP).

• LDAP is an Internet standard used to exchange information between applications and directories.
• Two Domain Modes, which are implemented at the domain-level and affect all domain controllers in the domain:

  • Mixed Mode: the default when you first install support for Active Directory services, which can support both Windows NT and Windows 2000 servers.

  • Native Mode: a one-way conversion to native mode is supported when the network includes only domain controllers running Windows 2000.  
• Active Directory key concepts:
  • Objects: Object classes such as users, groups, computers, services, printers, security policies, etc. are a collection of object attributes.
  • Schema: A database structure made up of attribute definitions and object definitions known as schema objects or metadata (data about data). Adding new attributes can extend a schema, however once an object is created it can be disabled but not deleted.
  • Global Catalog: includes all Active Directory objects (but not their attributes) in all of the domains. The global catalog is used to locate resources and objects in different domains.
  • Replication: automatic updates of active directory between servers.

Active Directory and Domain Names

• Naming of objects in Active Directory is a critical issue.
• Each Active Directory object must be uniquely identified.
• Domain Name System (DNS) is required for Active Directory.
• Object names must follow an established naming convention.

The following are common name formats:

• LDAP Distinguished Name (DN)
• LDAP Relative Distinguished Name (RDN)
• User Principal Name (UPN)

Domain Name System (DNS)

• Organized in a hierarchical structure known as the domain namespace.
• Individual computers are named by adding the computer name to the left of the domain name.
• Fully Qualified Domain Name (FQDN) identifies a name within the domain namespace 
   

Global Catalog

• A master directory of all objects in the forest and attributes of commonly used objects

• Automatically created on the first domain controller in a forest

• Other domain controllers can be configured to act as additional Global Catalog servers

Design examples

• Single Domain: One domain that is the first and only tree's root domain as well as the forest's root. OU's are used to build Active Directory and should be kept to a minimum.

• Tree with Multiple Domains: Used when implementing different security policies in remote offices, or limit administrative control between different locations.

• Forest with Multiple Trees: Each tree has its own unique namespace and are all part of the same Active Directory. Its root domain DNS name identifies each tree. The trees share a common schema, configuration information and Global Catalog

Active Directory Installation

• DNS Services will be installed during the installation of Active Directory.

• Active Directory will be installed on at least one domain controller. (Two or more for fault-tolerance)

• When installed on first domain controller any local user and group accounts will be promoted to Active Directory user and group accounts.

Domain Controller

• Critical to Active Directory services

• A copy of Active Directory is stored on every domain controller.

• Responsible for authenticating users, enforcing policies and finding Active Directory objects

• Changes to Active Directory can be made at any domain controller and replicated to others.

• Installed as member servers and promoted to domain controllers, unless upgraded from a Windows NT Server 4.0 PDC.

Server requirements for promoting a Windows 2000 server to a domain controller

• At least one NTFS 5 partition or volume

• Initial available disk space of 230 MB for Active Directory database (ntds.dit) and log files (edb.log) which will be placed in \%systemroot%\NTDS

• DNS server

Installation Methods and procedures

• Active Directory Installation Wizard

• Dcpromo.exe (found in \%systemroot%\system32)

• During installation a location needs to be designated for the SYSVOL folder (defaults to \%systemroot%\SYSVOL), which can only be placed on an NTFS 5 volume or partition. The SYSVOL folder contains the server's copy of the Active Directory's public files that will be replicated to all domain controllers.

• If no DNS server is found during installation one must be configured or installed at this time.

Post Installation

• Local users and groups, which were managed through the Computer Management tool, will be disabled.

• Active Directory components will be added to Administrative Tools

Adding Domain Controllers

• Fault tolerance in case of domain controller failure

• Performance Optimization to efficiently handle user logons

• Recommended that any remote location with five or more users have a separate domain controller.

Demoting a Domain Controller

• Launch Dcpromo to run wizard

Delegation of Administrative Control

• Decentralizes security management

• Delegation by OU lets you set up departmental administrators

• Delegation by Task (common or custom) limits the responsibility given to the "delegatee"

• Delegation of Control Wizard is launched through the Active Directory Users and Computers tool

• Delegated users or groups are added to the object's ACL

User Rights

• Assigned through Group Policies

• Domain Controllers have a default Group Policy Object (GPO) that is applied to each domain controller, whereas Local Policies andUser Rights assignments apply only to the computer where the policy is applied.

Replication

• Replication to all domain controllers occurs every 15 minutes by default but can be forced through Active Directory Sites and Services.

• When the domain controller is expanded under Sites\Default-First-Site-Name\Servers, select NTDS Settings. Right-click and select Replicate Now.

Publishing Shared Folders

• Active Directory Users and Computers tool allows for the publishing of shared folders or Distributed File System  (DFS) roots in the Active Directory

• When creating a shared folder the UNC must be specified in the Network path property field.

• Keywords can be associated with shared folders to allow users to easily locate shares in Active Directory

Group Policy

• Reduces Total Cost of Ownership (TCO)

• Implemented through Group Policy Objects (GPOs) and applied to User and Computer Configurations

• Three possible settings for policies include Not Configured, Enable and Disabled

Creating and Modifying Group Policies

• Group policy settings are refreshed throughout the network, on average every 90 minutes

• Domain Controllers refresh on average every 5 minutes

• Refresh interval for Domain Controllers can be modified through Group Policy settings

• When deleting a GPO any links are automatically dropped without warning

• Filtering GPO's allows Group Policies to be applied to individual users rather than all users and computers in an OU

GPO Tools

Gpotoole.exe Utility

• Used to check GPO's

• Used to view information about specific GPO's

• Checks GPO consistency

• Check GPO replication

Gpresult.exe Utility

• Used to determine if problem is related to group policies

• Analyzes group policies that are applied for the current user or computer

• Report displays which policy settings are applied for the user

Design Suggestions:

• Limit the number of users allowed to modify GPO's to a minimum

• Documentation

• Keep it as simple as possible

Active Directory Replication

• Changes made to Active Directory need to be propagated to all Domain Controllers

• Uses a multiple-master replication model whereby all domain controllers are equal

Intrasite Replication

• Automatic replication between domain controllers in the same site

• Uses Remote Procedure Calls (RPC) communication to control notification

  • Replication latency is the delay between when a change is made to one domain controller then replicated to other domain controllers.

  • Replication convergence occurs after replication has taken place, all domain controllers are up to date and no new changes are to be sent.

Server Roles

You REALLY need to follow these guidelines to not only implement a good Active Directory Design, but to make is functional as well. Make sure you know these roles inside and out.

Global Catalog Servers

• Global Catalog Servers are used during the logon process and to locate directory information

• If the Global Catalog is not available, users (excluding Domain Admins) will not be allowed to log on to the network, only to the local system

• When a user queries for information about an object the query is resolved by Global Catalog in the local domain rather than going out to each domain in the forest

• The first domain controller created in a forest is automatically a Global Catalog server

• To provide fault tolerance additional Global Catalog servers should be created and available

• Global Catalog servers can be added through Active Directory Sites and Services tool

Operations Masters                     

• Special roles assigned to domain controllers as single master roles.

• Single master role is not permitted to occur simultaneously at different locations on the network

• Five operations master roles are responsible for keeping track of and originating replication and are divided forestwide and domainwide:

Forestwide

Note: Both Schema and Domain naming should be the same domain controller

Schema master

• Only one schema master in forest (can have standbys)

• Controls schema updates and modifications

• Failure of the schema master can go unnoticed until a change is made to the schema

• If schema master role is seized permanently the server must not be brought back online without formatting it and reinstalling Windows 2000

Domain naming master

• Only one domain naming master in forest (can have standbys)

• Responsible for controlling the addition or removal of domains to the forest

• Failure of the domain naming master can go unnoticed until a domain is added or removed from the forest

• If domain naming master role is seized permanently the server must not be brought back online without formatting it and reinstalling Windows 2000

Domain wide

Relative ID master

• Each domain will have one relative ID master

• Responsible for management of relative ID's (object security)

• RID will be generated for each domain object that includes the domain security ID (same for all domain objects) and a unique relative ID

• Responsible for initiating the move when moving objects between domains

• Failure of the relative ID master can go unnoticed until an administrator attempts to create domain objects and the domain runs out of available relative identifiers.

• If relative ID master role is seized permanently the server must not be brought back online without formatting it and reinstalling Windows 2000

Primary Domain Controller PDC emulator

• Each domain will have only one PDC emulator

• Provides support for client systems other than Windows 2000

• Receives preferential replication of any password changes

• If logon authentication fails at any domain controller, the request is forwarded to the PDC emulator

• Acts as a Windows NT PDC providing updates to any Windows NT BDCs during a migration to Windows 2000 Active Directory

• Failure of PDC emulator can immediately affect network users.

• If PDC emulator role is seized permanently the server can be brought back online and returned to the PDC emulator role

Infrastructure master

• Each domain will have only one infrastructure master

• Updates group or user references when supporting group members from a different domain and group membership changes 

• If placed on a Global Catalog server infrastructure master will not be able to do its job properly because out-of-date data will not be detected, therefore replication will not occur

• Failure of the infrastructure master can go unnoticed unless a number of changes have been made.

• If infrastructure master is seized the server can be returned to the original infrastructure master when brought back online

Role Assignments

• First domain controller is assigned the forestwide and domainwide operations master roles

• As new domains are created the first domain controller in the domain will automatically be assigned the domainwide operations master roles

• When promoting servers to domain controllers the option of reassigning operations master roles to different domain controllers is available

• Reassigning forestwide operations master roles cannot be reassigned to domain controllers in different domains.

• Assignment depends on size and organization of domain

• If only one domain controller, it will be responsible for all other operations master roles

• If more than one domain controller, the relative ID master and PDC emulator master roles must be assigned to the same domain controller.

• Unless only one domain controller in domain, the infrastructure master role should not be assigned to a Global Catalog server

• Ntdsutil is an interactive utility that can be used to transfer or seize operations master roles

• Sites

• Set of domain controllers connected through a reliable high-speed connection

• A set of one or more IP Subnetwork addresses

• Controls how replication is managed, logon traffic and DFS topology

Active Directory Sites

• Domain controllers get added to Default-First-Site-Name object which is automatically created

• Intersite replication occurs between two or more sites over manually created links based on a replication schedule

• To minimize network traffic data is compressed to about 10-15% of its volume before intersite replication is transmitted

• Active Directory domains are defined by the network's logical structure

• Sites are based on the network's physical structure

• Sites can include:

  • All Active Directory domain controllers

  • Some of Active Directory domain controllers

  • Domain controllers from different Active Directory domains

Site Links

• When Active Directory is installed a default site link (DEFAULTIPSITELINK) is created

• The transport used for transferring data between sites:

  • Remote Procedure Call (RPC) over TCP/IP [seen as IP] – required for File Replication Services

  • Simple Mail Transfer Protocol (SMTP) – used for schema partition, configuration partition and Global Catalog replication. Does not support replication between domain controllers in the same domain.

• Cost value determines which site link to use when multiple paths are available

  • Lower the cost, higher the priority

  • Based on bandwidth and priority

  • Default cost is 100

• Scheduling controls when replication occurs

  • Set through the link schedule

  • Replicate every property determines how long a connection waits before checking for updates (15-10,080 minutes)

  • By default a link is always available

Preferred bridgehead server

• Preferred domain controller for receiving intersite replication information and updates other domain controllers

• The first choice for sending information to other sites

• A firewall proxy server is required to be a preferred bridgehead server

• Multiple bridgehead servers can be specified to add fault tolerance to the replication design

Site Link Bridges

• Site links are transitive by default, therefore site link bridges are not need in a fully routed IP network

• The transitive link feature can be disabled

• Site link bridges should model the network's physical routing

• A site link bridge is defined by two or more site links

• The cost of the site link bridge is cumulative of the cost of each link

Site Licensing

• License information is replicated to a centralized database located on the site's site license server

• The site license server will be the first domain controller created for a site