MCSE 70-219 Study Guide

Designing a Microsoft Windows 2000 Directory Services Infrastructure

When you pass this exam, you achieve Microsoft Certified Professional status. You also earn credit toward the following certifications:

Elective credit toward Microsoft Certified Systems Engineer on Microsoft Windows 2000 certification

According to Microsoft, 

"This certification exam measures your ability to analyze the business requirements and design a directory service architecture, including:

Unified directory services such as Active Directory™ and Windows NT® domains.

Connectivity between and within systems, system components, and applications.

Data replication such as directory replication and database replication.

In addition, the test measures the skills required to analyze the business requirements for desktop management and design a solution for desktop management that meets business requirements."

The scale of the Active Directory environment this exam deals with is:

  • Supported users range from 200-26,000+
  • Physical locations range from 5-150+
  • Typical network services and applications include file and print, database, messaging, proxy server or firewall, dial-in server, desktop management, and Web hosting.
  • Connectivity needs include connecting individual offices and users at remote locations to the corporate network and connecting corporate networks to the Internet.

It is recommended that you first start by studying 70-215 and 70-217 to ensure that you are familiar with Windows 2000 Active Directory.

This exam is CASE STUDY BASED. You should download and try the Case Study-Based Test Demo available at http://download.microsoft.com/download/vb50pro/Update/2.0/W9X2K/EN-US/IIT_Demo.EXE  to become familiar with these new types of questions before taking the exam.

Your focus for this exam should be on the Active Directory schema as well as the Active Directory service location arrangement.

Remember, the answers, from our point of view, could appear highly subjective. You need to choose the BEST answer that fits your case.

Basic Definitions

  • What is a directory service?
    • a network service
    • identifies all resources on a network
    • makes the network resources accessible to users and applications
    • makes the physical network topology and protocols transparent
    • a user on a network can access any resource without knowing where or how it is physically connected
    • LDAP is used primarily for e-mail addresses
    • almost all directory services are based on the X.500 ITU standard
  • In a sense, Active Directory is a database!!!
  • According to webopedia.com, schema is, "Pronounced skee-ma, the structure of a database system, described in a formal language supported by the database management system (DBMS). In a relational database, the schema defines the tables, the fields in each table, and the relationships between fields and tables. Schemas are generally stored in a data dictionary. Although a schema is defined in text database language, the term is often used to refer to a graphical depiction of the database structure." http://www.webopedia.com/TERM/s/schema.html

Active Directory and the Schema:

  • Active Directory is the directory service used in Windows 2000 Server and is the foundation of Windows 2000 distributed networks.
  • Active Directory schema is a list of definitions that identifies the kinds of objects, and the types of information about those objects, that can be stored in Active Directory.
  • You can view, manage and extend the schema using the Active Directory Schema snap-in:
    • included on the Windows 2000 Server and Windows 2000 Advanced Server compact disc sets
    • enables administrators to manage a server remotely from any computer that is running Windows 2000
    • to open, run schmmgmt

Active Directory Schema MMC snap-in is not listed with the default MMC snap-ins. To make it appear, you must run Regsvr32 on the dynamic-link library (DLL) (Schmmgmt.dll) from the command prompt.

More about Schema:

  • Schema enforces the rules that govern both the structure and the content of the directory.
  • The schema consists of a set of classes, attributes, and syntaxes; every directory object is an instance of one or more classes in the schema.
  • Class:
    • a category of objects that share a set of common characteristics
    • a formal description of a discrete, identifiable type of object that can be stored in the directory.
  • Attribute
    • describes the characteristics of some aspect of an object
    • define the types of information that an object can hold.
    • for each class, the schema specifies the mandatory attributes and optional attributes that constitute the set of shared characteristics of the class.
    • values assigned to attributes define specific characteristics.
  • Syntax
    • data type of a particular attribute
    • determines what data type an attribute can have
    • predefined syntaxes do not actually appear in the directory
    • cannot add new syntaxes

According to Microsoft Windows 2000 Resource Kit:

"Administrators and applications can extend the schema by adding new attributes and classes or by modifying existing ones. Schema definitions are required by applications that need to create or modify objects in Active Directory. Applications that are "directory-enabled" are programmed to recognize the attributes and syntaxes that are required to interact with the directory."

  • Steps to enable schema modification
    1. Make sure you have the appropriate privileges:

      According to Microsoft Windows 2000 Resource Kit:

      "To modify the schema, you must use an account that is a member of the Schema Admins group. By default, the only member in that security group is the Administrator account in the root domain of the enterprise. If you want to add other accounts, you have to add them explicitly."
    2. Run the Active Directory Schema console.
    3. Right-click Active Directory Schema (Manager), and select Operations Master.
    4. Check the box labelled "The Schema may be modified on this server".
    • Note that the value of the "The Schema may be modified on this server" check box is stored in the registry in the Schema Update Allowed entry (in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters).
    • Do not use a registry editor to edit the registry directly unless you have no alternative. Editing the registry directly can have serious, unexpected consequences.
  • Order of processing when extending the schema:
    • you can do this programmatically or by using scripts
    • order:
      1. Target your update at the FSMO role owner.
      2. Ensure that you have sufficient administrative privileges to perform the schema update.
      3. Create the registry entry that allows write access to the schema.
      4. Check that the safety interlock is engaged before removing it.
      5. Add your new attributes.
      6. Add your new classes.
      7. Add attributes to classes.
      8. Each domain controller updates its schema cache five minutes after a schema change. If the extensions are going to be used within five minutes, trigger a cache reload.
    • If you had to remove the safety interlock before you added your new classes or attributes, re-apply it after you add them.
    • If you are installing a schema extension by script or ADSI, make sure that the extension is provided as a separately installable routine.

For detailed information on how to extend the schema, refer to the following web link:

http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/Distrib/dsbe_ext_isbq.htm


Active Directory Schema Objects

  • stored in Active Directory
  • arranged in a logical hierarchy - Directory Information Tree (DIT)
  • includes a preconfigured database – base DIT - that contains the information that is required to install and run Windows 2000 and Active Directory
  • base DIT is installed during a fresh install of a Windows 2000 domain controller
  • one section of the base DIT holds the base schema.
  • schema objects are located in the Schema container

According to Microsoft Windows 2000 Resource Kit:

"The schema itself is represented in Active Directory by a set of objects known as "schema objects." For each class in the schema, there is a schema object that defines the class. This object is called a classSchema object. For each attribute in the schema, there is also a schema object that defines the attribute. This object is called an attributeSchema object. Therefore, every class is actually an instance of the classSchema class, and every attribute is an instance of the attributeSchema class. Storing the schema in the directory has many advantages. One example is that when user applications locate the schema in the directory, they can read the schema to discover what types of objects and properties are available."

Active Directory Class Schema objects vs. Attribute Schema objects

According to Microsoft Windows 2000 Resource Kit:

"Each class definition specifies the following:

  • Structure rules that determine the class's superclass or parent class
  • The list of attributes that can be present in an instance of that class
  • Which of the attributes are mandatory (Must Contain)
  • Which of the attributes are optional (May Contain)"

  • Class Schema objects:
    • define a class - for each class in the schema there is a Class Schema object that specifies the class
    • two Class Schema object constraints:
      • Must Contain: list of mandatory attributes that must be defined for any object that is an instance of this class.
      • May Contain: list of attributes that may be defined for any object that is an instance of the particular class.
  • Attribute Schema objects:
    • define an attribute - for each attribute in the schema there is an Attribute Schema object that specifies the attribute and enforces constraints on objects that are instances of a class using this attribute
    • an object that is an instance of a particular object class can have attributes that belong to either the Must Contain or the May Contain list defined for the class of which that object is an instance
    • the list of attributes can be explicitly specified for that class
    • the list of attributes can also be inherited from the parents of that class
    • Attribute inheritance:
      • all classes in the schema are ultimately derived from the special class Top.
      • with the exception of Top, all classes are subclasses of some other class.
      • inheritance enables you to build new classes from existing classes - the original class becomes a superclass or parent of the new class.
      • a subclass inherits the attributes of the superclass
      • a class can inherit attributes from more than one superclass.
      • structure rules define the possible hierarchical relationships between objects
      • possible attributes that instances of a particular class can have are defined by content rules
      • inheritance is recursive - a subclass can inherit all of the attributes of all of its superclasses
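The Must Contain / May Contain constraints and the recursive attribute inheritance described above can be checked mechanically. The Python below is an added example, not code from this study guide or from Microsoft: it parses a constructed, abbreviated LDIF dump of four classSchema objects (the lDAPDisplayName values and the top / person / organizationalPerson / user chain follow the real Active Directory schema; the attribute lists are shortened and partly constructed), walks the subClassOf chain up to top, computes the effective mandatory and optional attribute sets, and validates an object against them.

```python
# Added example (not from the page or from Microsoft): a small model of
# classSchema objects and the inheritance rules the study guide lists.
# The LDIF text is constructed and the attribute lists are abbreviated.

SCHEMA_LDIF = """\
dn: CN=Top,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: classSchema
lDAPDisplayName: top
subClassOf: top
mustContain: objectClass
mustContain: instanceType
mayContain: description

dn: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: classSchema
lDAPDisplayName: person
subClassOf: top
mustContain: cn
mayContain: sn
mayContain: telephoneNumber

dn: CN=Organizational-Person,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: classSchema
lDAPDisplayName: organizationalPerson
subClassOf: person
mayContain: title
mayContain: mail

dn: CN=User,CN=Schema,CN=Configuration,DC=corp,DC=example
objectClass: classSchema
lDAPDisplayName: user
subClassOf: organizationalPerson
mayContain: userPrincipalName
mayContain: memberOf
"""


def parse_ldif(text):
    """Parse a simple LDIF dump into a list of {attribute: [values]} dicts.
    Entries are separated by blank lines; repeated attributes are multi-valued."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def load_classes(entries):
    """Keep only the classSchema objects, keyed by lDAPDisplayName."""
    classes = {}
    for entry in entries:
        if "classSchema" not in entry.get("objectClass", []):
            continue
        name = entry["lDAPDisplayName"][0]
        classes[name] = {
            "subClassOf": entry["subClassOf"][0],
            "must": set(entry.get("mustContain", [])),
            "may": set(entry.get("mayContain", [])),
        }
    return classes


def superclass_chain(classes, name):
    """The class followed by its superclasses up to top. Every class except
    top is a subclass of another class; top's subClassOf refers to itself."""
    chain, seen = [], set()
    while name not in seen:
        seen.add(name)
        chain.append(name)
        parent = classes[name]["subClassOf"]
        if parent == name:  # reached top
            break
        name = parent
    return chain


def effective_attributes(classes, name):
    """Inheritance is recursive: the Must Contain / May Contain lists of a
    class are the union of its own lists and those of all its superclasses."""
    must, may = set(), set()
    for cls in superclass_chain(classes, name):
        must |= classes[cls]["must"]
        may |= classes[cls]["may"]
    return must, may


def validate_object(classes, structural_class, attributes):
    """Violations an object of structural_class would trigger: mandatory
    attributes that are missing, and attributes in neither list."""
    must, may = effective_attributes(classes, structural_class)
    present = set(attributes)
    return {
        "missing_mandatory": sorted(must - present),
        "not_allowed": sorted(present - must - may),
    }


CLASSES = load_classes(parse_ldif(SCHEMA_LDIF))

if __name__ == "__main__":
    print(superclass_chain(CLASSES, "user"))
    print(effective_attributes(CLASSES, "user"))
    # Constructed object: a user with no cn and an attribute the schema lacks
    print(validate_object(CLASSES, "user", {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "instanceType": ["4"], "mail": ["jdoe@corp.example"],
        "favouriteColour": ["blue"]}))
```

The validator reports what the directory itself would reject: an object of a class missing a mandatory attribute inherited from a superclass, or carrying an attribute that appears in no Must Contain or May Contain list along the chain.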

Active Directory Schema Container

  • a special purpose object class
  • the topmost object of the schema directory partition.
  • cn=schema,cn=configuration,dc=<forest root domain name>
  • contains all of the class and attribute definitions that are required to locate objects in Active Directory and to create new objects

Active Directory DIT and partition

  • DIT = Directory Information Tree
  • divided into directory partitions
  • directory partition is a tree of directory objects
  • directory partition forms a unit of replication in Active Directory.

ADSI

  • short for Active Directory Service Interfaces
  • abstracts the capabilities of different directory services from different network vendors
  • presents a single set of directory service interfaces for managing network resources: you use ADSI to manage the resources in a directory service, regardless of which network environment contains the resource
  • allows developers to access multiple directory service providers through an open set of interfaces
  • The standard Active Directory Service Interfaces objects, or providers, enable communication between the client and the server.
  • ADSI 2.5 includes providers for:
    • Windows NT
    • LDAP version 2 or version 3 directories
    • Windows 2000 Active Directory
    • Novell NetWare Directory Services
    • NetWare 3 bindery
  • ADSI can integrate with:
    • Exchange 5.5 
    • IIS 
    • Site Server 

Active Directory Name Resolution and Service Locator

  • Most requests for directory objects are carried out either through the Active Directory Service Interfaces or through the LDAP API
  • Active Directory Service Interfaces = ADSI
  • ADSI is an LDAP provider
  • every name resolution request is subject to the LDAP rules for locating objects; Active Directory processes LDAP requests for locally stored directory information
  • If the object does not exist, an error is returned that states that the object is not in the directory
  • When an application requests access to Active Directory, an Active Directory server (a domain controller) is located by means of the domain controller locator
  • The Locator runs in the context of the Net Logon service and finds domain controllers by using DNS names or NetBIOS names
  • Platforms that rely on NetBIOS names are:
    • Microsoft® Windows® version 3.x
    • Microsoft® Windows® for Workgroups
    • Microsoft® Windows NT® version 3.5 or later
    • Microsoft® Windows® 95
    • Microsoft® Windows® 98
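The DNS-based side of the domain controller locator works from the SRV records Active Directory registers for its domain controllers. The Python below is an added example, not code from this study guide or from Microsoft, and it goes a little beyond the text: the record name _ldap._tcp.dc._msdcs.<domain> and its site-specific form _ldap._tcp.<site>._sites.dc._msdcs.<domain> are the real names the locator queries, the SRV answers and the domain corp.example are constructed, and the ordering of candidates follows the SRV rules of RFC 2782 (lowest priority first, weight-proportional random choice within a priority).

```python
# Added example (not from the page or from Microsoft): how a DNS-based
# locator builds the list of domain controllers to try. Record names follow
# the ones Active Directory registers; the answers below are constructed.
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed answers for a query against the domain corp.example.
# Two DCs share priority 0; a branch DC at priority 10 is a fallback.
SRV_ANSWERS = {
    "_ldap._tcp.dc._msdcs.corp.example": [
        SrvRecord(0, 100, 389, "dc01.corp.example"),
        SrvRecord(0, 100, 389, "dc02.corp.example"),
        SrvRecord(10, 100, 389, "dc03.branch.corp.example"),
    ],
}


def dc_srv_name(domain, site=None):
    """DNS name the locator queries. With a site name it asks for the
    site-specific records first, which is how a client prefers a nearby DC."""
    if site:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


def order_targets(records, rng):
    """Order SRV records the way RFC 2782 prescribes: lowest priority first;
    inside one priority, pick repeatedly at random in proportion to weight."""
    by_priority = {}
    for record in records:
        by_priority.setdefault(record.priority, []).append(record)
    ordered = []
    for priority in sorted(by_priority):
        group = list(by_priority[priority])
        while group:
            total = sum(r.weight for r in group)
            if total > 0:
                pick = rng.choices(group, weights=[r.weight for r in group])[0]
            else:  # all weights zero: any order is acceptable
                pick = rng.choice(group)
            ordered.append(pick)
            group.remove(pick)
    return ordered


def locate_dc(domain, site=None, resolver=SRV_ANSWERS.get, seed=None):
    """Return the (target, port) list a client should try, site-specific
    records first and the domain-wide records as the fallback. resolver is a
    stand-in for a DNS lookup (hypothetical hook; here it reads SRV_ANSWERS)."""
    rng = random.Random(seed)
    names = []
    if site:
        names.append(dc_srv_name(domain, site))
    names.append(dc_srv_name(domain))
    for name in names:
        records = resolver(name)
        if records:
            return [(r.target, r.port) for r in order_targets(records, rng)]
    return []  # no DC registered for this domain: the locator fails


if __name__ == "__main__":
    # No site-specific record exists for site HQ, so the domain-wide set is used.
    print(locate_dc("corp.example", site="HQ"))
```

A client that cannot reach the first candidate moves on to the next in the list; because dc03 sits at a higher priority value it is only tried after both priority-0 controllers, which is the effect of the priority field rather than of the weight.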

Seizing roles

Why do we need to seize roles? According to Microsoft Reskit,

"…. to determine the anticipated duration of the outage.

If the outage is expected to be brief, the recommended response is simply to wait for the role owner to become available before performing a role-related function.

If the outage is longer, the correct response might be to seize the operations master role from a domain controller. To seize a role is to move it without the cooperation of its current owner. It is best to avoid seizing roles."

In brief, the decision to seize an operations master role depends upon the role and the expected length of the outage.

To do this, you need to use the Ntdsutil tool. By default, Ntdsutil is installed in the Winnt\System32 folder.

According to http://www.microsoft.com/WINDOWSXP/home/using/productdoc/en/ntdsutil.asp:

"Ntdsutil.exe is a command-line tool that provides management facilities for Active Directory. Use Ntdsutil to perform database maintenance of Active Directory, manage and control single master operations, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled."

More information about this tool is available at: http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/Distrib/dsfl_utl_nzzw.htm

In fact, you may, as stated by Microsoft at http://www.microsoft.com/WINDOWS2000/techinfo/reskit/en/Distrib/dsfl_utl_jwut.htm, " …. automate Ntdsutil by creating batch files or scripts that contain a series of Ntdsutil commands. Many Ntdsutil commands that perform writes, open by default a message that asks users if they really want to perform a particular operation. When these messages appear, the program will pause and wait for keyboard input. Use the Popups %s command to disable these messages when running Ntdsutil from a batch file or script."

Seizing the infrastructure master role

  1. Remove the current operations master from the network.
  2. Verify that the new operations master is up to date.
  3. Click Start, click Run, and then type cmd.
  4. At the command prompt, type ntdsutil.
  5. At the ntdsutil prompt, type roles.
  6. At the fsmo maintenance prompt, type connections.
  7. At the server connections prompt, type connect to server, followed by the fully qualified domain name.
  8. At the server connections prompt, type quit.
  9. At the fsmo maintenance prompt, type seize infrastructure master.
  10. At the fsmo maintenance prompt, type quit.
  11. At the ntdsutil prompt, type quit.

Seizing the PDC emulator role

  1. Remove the current operations master from the network.
  2. Verify that the new operations master is up to date.
  3. Click Start, click Run, and then type cmd.
  4. At the command prompt, type ntdsutil.
  5. At the ntdsutil prompt, type roles.
  6. At the fsmo maintenance prompt, type connections.
  7. At the server connections prompt, type connect to server, followed by the fully qualified domain name.
  8. At the server connections prompt, type quit.
  9. At the fsmo maintenance prompt, type seize PDC.
  10. At the fsmo maintenance prompt, type quit.
  11. At the ntdsutil prompt, type quit.
  12. When the original PDC emulator master is returned to service, return the role to the original domain controller.

Seizing the schema master role

* Consider this option only if the current operations master will never be available again.

  1. Remove the current operations master from the network.
  2. Verify that the copy of the schema on the new operations master is up to date with the rest of the domain controllers in the forest.
  3. Click Start, click Run, and then type cmd.
  4. At the command prompt, type ntdsutil.
  5. At the ntdsutil prompt, type roles.
  6. At the fsmo maintenance prompt, type connections.
  7. At the server connections prompt, type connect to server, followed by the fully qualified domain name.
  8. At the server connections prompt, type quit.
  9. At the fsmo maintenance prompt, type seize schema master.
  10. At the fsmo maintenance prompt, type quit.
  11. At the ntdsutil prompt, type quit.

Seizing the domain naming master role

* Do this only if the current operations master will never be available again.

  1. Remove the current operations master from the network.
  2. Verify that the new operations master is up to date.
  3. Click Start, click Run, and then type cmd.
  4. At the command prompt, type ntdsutil.
  5. At the ntdsutil prompt, type roles.
  6. At the fsmo maintenance prompt, type connections.
  7. At the server connections prompt, type connect to server, followed by the fully qualified domain name.
  8. At the server connections prompt, type quit.
  9. At the fsmo maintenance prompt, type seize domain naming master.
  10. At the fsmo maintenance prompt, type quit.
  11. At the ntdsutil prompt, type quit.

Case Studies

Below are links to some case studies. You should go through them and make yourself familiar with the way their stories are structured. Look at how Microsoft interprets these cases, and know what is considered the best option for each case.

"A multinational financial services organization comprised of seven separate operating companies has primary headquarters located in North America, Europe, Asia Minor, and Southeast Asia. Over 50 major regional offices provide a complete range of financial services (investment and personal banking, asset management and insurance). Each operating company is an autonomous business unit; however, at the local level, each company might share offices with one or more operating companies."

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/WINDOWS2000/techinfo/reskit/en-us/deploy/dgaf_map_lbdf.asp 

"A leading developer of computer-based operating system and applications software for consumer and business use has its main headquarters in the Western United States. The sales, support, and software development offices are located in 180 worldwide locations."

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/WINDOWS2000/techinfo/reskit/en-us/deploy/dgaf_map_fkab.asp

"Manufacturing is the primary business of this organization. Product assembly takes place at numerous locations in North America; however, their business offices are located all over the world, creating a highly distributed global computing environment. There are several primary product divisions with multiple product lines. The numerous internal teams distributed worldwide require diverse levels of access to customer and internal documents. The users in each division require a high level of client-based customization. Additionally, there are numerous vendors and subcontractors, some of whom need network access within the firewall, and others whose needs require only external access. Network administrators need to provide varying levels of security based on the needs of each unique internal and external team."

http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/WINDOWS2000/techinfo/reskit/en-us/deploy/dgaf_map_sdyx.asp 


Further Readings on the web:

Best Practice Active Directory Design for Managing Windows Networks

This guide provides a step-by-step methodology based on best practices learned from customers that have already deployed Active Directory in their organizations. It provides all the tasks and decisions you need to develop an Active Directory design to manage Windows networks.  

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/bpaddsgn.asp

Best Practice Active Directory Deployment for Managing Windows Networks

This guide provides step-by-step guidance for testing and piloting your design assumptions and deploying Active Directory in a production environment.

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/bpaddply.asp

Best Practices for Deploying Printer Location with Active Directory

This white paper provides best practices for publishing printers and maintaining printer information in Active Directory.

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/addomain.asp

Windows 2000 Domain Architecture: Design Alternatives

This article discusses the pros and cons of various Active Directory deployment architectures and examines design alternatives.

http://www.microsoft.com/windows2000/technologies/directory/AD/redir-dpg.asp

Recommended Books:

MCSE Designing Windows 2000 Directory Services Study Guide (Exam 70-219) (Book/CD-ROM package)

by Littlejohn Debra Shinder (Editor), et al (Hardcover)

MCSE Training Guide (70-219): Designing Windows 2000 Directory Services Infrastructure

by Scott E. Archer (Hardcover)

MCSE Designing a Microsoft Windows 2000 Directory Services Infrastructure Readiness Review; Exam 70-219

by Jill Spealman, MeasureUp Inc. (Paperback)

MCSE Windows 2000 Directory Services Design Exam Notes Exam 70-219

by Robert King, Gary Govanus (Paperback)

Disclaimer: Sure2Pass Tests and MCSE Braindumps are based solely on published objectives of various exams, which cover concepts that are necessary for various networking professional certification designations. Links to other sites are published for the benefit/information of our visitors and we are not responsible for their contents. Our MCSE Study Guides, practice tests, and/or material is not sponsored by, endorsed by or affiliated with Microsoft. Microsoft, MCSE, MCSA, MCSD, the Microsoft logo are trademarks or registered trademarks of Microsoft in the United States and certain other countries. All other trademarks are trademarks of their respective owners.