Exam Reviews

Active Directory Knowledge

Proving that you're ready to implement Active Directory requires a deep understanding of Group Policy, Domains, OUs, and DNS.

I'm pleased with what I've seen of the Windows 2000 MCSE exams. They're difficult enough to enhance the value of the MCSE certification, yet not excessively difficult to pass, if you have experience with the product and know how to use it to accomplish the tasks specified by the exam's objectives. This test covers the essence of Win2K: Active Directory. If you're thoroughly comfortable with all aspects of AD and how to configure it, then you should be able to prove it to the world by passing this exam. If you have any weak areas, especially in the Group Policy arena, then you might want to spend some more time with the product.

Implementing Active Directory (70-217)

Reviewer's Rating: "To pass this one, be sure that Group Policy is your old, well used, and thoroughly understood friend."

Title: Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure

Who should take it? Core exam for the MCSE Windows 2000 track.

What classes prepare you?
For existing NT 4.0 MCSEs:

  • No. 1560: Updating Support Skills from NT 4.0 to Win2K

For new MCSE candidates:

  • No. 2151: Win2K Network & OS Essentials
  • No. 2152: Supporting Win2K Pro
  • No. 2154: Implementing and Administering Directory Services

The beta exam I took consisted primarily of multiple-choice questions; however, for the most part, they were fairly long. There was enough text in many of the questions to require me to scroll down just to finish reading the question and select an answer. I recommend you read the entire question and all of the answers. Many times I almost selected an answer and then noticed that the one below it was actually the correct answer because I had misread the one I was about to select.

The exam's objectives fall into three broad areas:

  • Installing, configuring, and troubleshooting Active Directory.

  • Installing, configuring, managing, monitoring, and troubleshooting DNS for AD, change and configuration management, and AD security solutions.

  • Managing, monitoring, and optimizing the components of AD.

Installation and Configuration of AD

Wow! This sounds like a pretty comprehensive objective! Actually, it really only covers two areas: installing, configuring, and troubleshooting the components of AD, and backing up and restoring AD.

The components of AD covered by this section include most of the structural elements such as sites, subnets, site links, site link bridges, and so forth. This is primarily a list of all of the AD elements associated with replication. Don't try to skimp on your preparation for this part of the exam or you'll miss some of these questions.

Tip: Ensure that you not only know how to create and configure each of these elements, but also when to use each one.

This section of the exam is also concerned with operations master roles and transferring those roles to different servers. Be sure you know what tool to use to perform this task. You can use AD Users and Computers to transfer the relative ID (RID) master, the Primary Domain Controller (PDC) emulator, or the infrastructure master role. You can use the AD Schema snap-in to the Microsoft Management Console (MMC) to transfer the schema master role. And finally you can use AD Domains and Trusts to transfer the domain naming master. Alternatively, you can use the ntdsutil.exe command-line utility to transfer or seize any of these roles. Know the difference: a transfer requires the current role holder to be online, because the two domain controllers agree on the hand-off; a seizure is for a role holder that is permanently gone, and a DC whose role was seized must never be brought back onto the network without being reinstalled.
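The ntdsutil commands for a role transfer and a role seizure, as an added example that is not part of the original article. The server name dc2.example.com and the roles being moved are assumptions; every other token is an ntdsutil menu command. ntdsutil accepts its menu commands as quoted command-line arguments, so the whole session can be run from a batch file.

```batch
@echo off
REM Added example, not from the article. Run from a command prompt on any
REM domain controller as a Domain Admin; moving the schema master also
REM requires Schema Admins membership. Server name is an assumption.
set TARGET=dc2.example.com

REM 1. Transfer: the current holder must be reachable. ntdsutil pops a
REM    Yes/No confirmation dialog for each role, so this is not fully silent.
ntdsutil "roles" "connections" "connect to server %TARGET%" "quit" ^
         "transfer RID master" ^
         "transfer PDC" ^
         "transfer infrastructure master" ^
         "quit" "quit"

REM 2. Seize: only when the old holder is permanently lost. ntdsutil first
REM    tries a normal transfer and falls back to a seizure if that fails.
ntdsutil "roles" "connections" "connect to server %TARGET%" "quit" ^
         "seize schema master" ^
         "quit" "quit"

REM 3. Verify which roles the connected server now holds.
ntdsutil "roles" "connections" "connect to server %TARGET%" "quit" ^
         "select operation target" "list roles for connected server" ^
         "quit" "quit" "quit"
```

The verification step is worth running after a seizure: if the old holder comes back and still believes it owns the role, replication will produce two holders, which is exactly the situation the reinstall rule above prevents.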

Spend time learning about backing up and restoring AD. The backup program that comes with Win2K can be used to back up and restore AD; however, you can't just choose to back up AD; you have to back up System State Data, which on a domain controller includes the AD database, SYSVOL, the registry, and the boot files.

Tip: To restore AD, you must start the domain controller with a special start-up option, Directory Services Restore Mode (chosen from the F8 boot menu and protected by the DSRM password set during dcpromo). Start the Win2K server using this option and restore the system state data. A plain restore is non-authoritative: after the reboot, the other domain controllers will replicate their newer copies of the data back over it. If you want the restored data to win and replicate out to the other domain controllers in the domain (for example, to bring back an OU that was deleted by mistake), you have to perform an "Authoritative Restore." Use the ntdsutil.exe utility, before rebooting out of Directory Services Restore Mode, to mark the restored data (or, preferably, only the portion you actually need) as authoritative.
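The backup and the authoritative-restore marking from the tip above, as an added example that is not the article's own. The backup path, job name and the OU being restored are assumptions; the System State restore itself is done in the ntbackup GUI while in Directory Services Restore Mode, so that step appears as a comment.

```batch
@echo off
REM Added example, not from the article. Paths, job name and the OU are
REM assumptions.

REM --- On a healthy day: back up System State from the command line ---
ntbackup backup systemstate /J "DC1 system state" /F "D:\Backups\dc1-sysstate.bkf"

REM --- After the accidental deletion, on the DC booted into Directory
REM     Services Restore Mode (F8 menu), the System State has been restored
REM     with the ntbackup GUI. Do NOT reboot yet. ---

REM Mark only the deleted OU as authoritative. ntdsutil raises the version
REM numbers on those objects so that this copy wins on replication.
ntdsutil "authoritative restore" ^
         "restore subtree OU=Sales,DC=corp,DC=example,DC=com" ^
         "quit" "quit"

REM Now reboot normally; the restored OU replicates out to the other DCs.
shutdown /r /t 0
```

"restore database" would mark the whole directory authoritative and roll every DC in the domain back to the backup's state; restoring a subtree limits the blast radius to what was actually lost. (shutdown.exe is a Resource Kit tool on Win2K; use Start, Shut Down if it is not installed.)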

DNS Dexterity

This section of the exam should be called, "Everything you always wanted to know about Win2K DNS and were afraid they would ask you about on the exam." The main focus of this set of objectives is installing DNS, integrating AD DNS zones with non-AD zones, configuring zones for automatic updates, and managing the replication of DNS data.

Installing DNS is fairly straightforward; however, you should keep in mind that only DNS servers that are installed on domain controllers can host AD-integrated zones.

Integrating AD-integrated zones with non-integrated zones is a little more complicated. Servers that host AD-integrated zones function as the primary servers for those zones.

Tip: There can only be one primary server for a zone, unless the zone is configured as an AD-integrated zone. In that case, each of the servers that host the AD-integrated zone function as primary servers for the zone. Any additional, non-AD-integrated servers function as secondary servers for the zone.

Configuring zones for automatic update is fairly straightforward on the DNS server, but can be somewhat confusing when configuring clients and DHCP servers to interact with the DNS server. Win2K computers automatically register their A records (host name to IP address records) with the DNS server; the DHCP Client service does this whether the address is static or leased. Non-Win2K computers don't automatically register their records with the DNS server; you must configure the DHCP server to do that for them.

Tip: PTR records (reverse lookup or IP address to host name records) are handled differently depending on how the Win2K computer got its address. A statically addressed Win2K computer registers both its A and PTR records itself. A Win2K DHCP client registers its own A record and asks the DHCP server to register the PTR record on its behalf, so the DHCP server's DNS dynamic update settings must allow it to do so, and the reverse lookup zone must exist and accept dynamic updates. Also know that an AD-integrated zone can be set to accept secure updates only, which restricts updates to authenticated computers that own the record.

Last, there's the issue of replicating DNS data. If all of the zones are AD-integrated zones, you don't need to configure DNS replication, because it will occur whenever AD replication occurs; in Win2K that means the zone data replicates to every domain controller in the domain, whether or not it runs DNS. This is often the most efficient method of replicating DNS data. If all zones aren't integrated, you'll have to manually configure zone transfers between DNS servers for each zone, and the primary must be configured to allow transfers to the secondaries.
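The zone setup described in this DNS section, as an added example rather than the article's own material. It uses dnscmd.exe from the Win2K Support Tools; server names, zone names and addresses are assumptions, and the /AllowUpdate values (0 = none, 1 = any, 2 = secure only) are as documented for dnscmd, so confirm them with dnscmd /? on your build.

```batch
@echo off
REM Added example, not from the article. Names and addresses are assumptions.
REM dnscmd.exe is from the Windows 2000 Support Tools (Support\Tools on the CD).
set DC=dc1.corp.example.com
set DC_IP=10.0.0.10

REM 1. Forward and reverse zones as AD-integrated primaries on a DC,
REM    accepting secure dynamic updates only.
dnscmd %DC% /ZoneAdd corp.example.com /DsPrimary
dnscmd %DC% /Config corp.example.com /AllowUpdate 2
dnscmd %DC% /ZoneAdd 0.0.10.in-addr.arpa /DsPrimary
dnscmd %DC% /Config 0.0.10.in-addr.arpa /AllowUpdate 2

REM 2. A non-AD DNS server (member server in the DMZ, say) hosts a standard
REM    secondary of the same zone, pulling from the DC. Zone transfers to it
REM    must be allowed on the zone's Zone Transfers tab on the DC.
dnscmd dns2.corp.example.com /ZoneAdd corp.example.com /Secondary %DC_IP%

REM 3. On a Win2K client: force re-registration, then verify both records.
ipconfig /registerdns
nslookup ws01.corp.example.com %DC_IP%
nslookup 10.0.0.55 %DC_IP%
```

If the forward lookup succeeds but the reverse fails for a DHCP client, the DHCP server's DNS tab (whether it updates DNS, and whether it does so only when the client requests it) is the first place to look.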

Change and Configuration Management

This is the section of the exam that contains the most objectives, and therefore you might expect more test questions. This section focuses on two primary areas, Group Policy, and Remote Installation Services (RIS). Group Policy is a new feature in Win2K, and it affects a wide range of Win2K functionality, including user environments, security policy, script policy, and deploying and maintaining software. Needless to say, don't skimp on your studies in this area.

Group Policy settings can be inherited from parent containers within AD. The Group Policy settings on each container are applied in a specific order, and if settings in various GPOs conflict, the last GPO applied takes precedence.

Tip: GPOs are applied in the following order: local, site, domain, then OU. If multiple OUs exist in a hierarchical tree, what's applied last is the GPO associated with the OU that actually contains the user or computer to which the Group Policy is being applied. Two switches change this picture and show up on the exam: Block Policy Inheritance on a container stops GPOs from higher containers from applying to it, and No Override on a GPO link forces that GPO to apply regardless of any blocking or conflicting settings below it. Also, when several GPOs are linked to the same container, the one at the top of the container's list has the highest priority.

When using Group Policy to install software, it's critical to keep in mind whether the software is published to a user, assigned to a user, or assigned to a computer. If an application is published to a user, it will be automatically installed by default if the user attempts to open a file associated with that application, and it will be listed in Add/Remove Programs for manual installation. If the application is assigned to a user, a shortcut to the application will be placed in the user's Start menu. The application will be automatically installed when the shortcut is selected or when the user attempts to open a file associated with that application. Finally, if the application is assigned to the computer, it will be fully installed on the computer the next time the computer starts, before anyone logs on.

RIS is a complex topic in itself. Become thoroughly familiar with the RIS process before the exam. RIS servers store two types of images that can be installed on RIS clients: CD-based images and images created by using the RIPrep utility. Disk images created by using Sysprep can't be deployed by using RIS. Only client computers that have PXE-compliant network adapters or that have network adapters that will work with a RIS boot disk can be used with RIS.

Tip: The only way to provide load-balancing for RIS servers on your network is by prestaging new client computers to the appropriate image on the appropriate RIS server. RIS doesn't provide any other method of load balancing.

AD Components

This section covers three areas: managing objects in AD, managing AD performance, and configuring and troubleshooting AD replication.

Managing objects in AD involves creating objects, moving objects, publishing resources, searching for resources, controlling access to objects, delegating control, and, of course, creating and managing objects by using scripting. Make sure you know how to perform each of these tasks, and be very sure you understand how security is applied to objects. Also, you probably don't have to be a scripting expert, but you should know when to use a script and what can be done by using a script.

Managing performance of AD involves a lot of issues, especially when WAN links are involved. Remember that a user's computer must contact a DNS server, a domain controller, and a global catalog server to log a user on. It's usually a good idea to have a server that functions in these roles located in each site that contains users. If a user's computer must contact these servers across congested or low-bandwidth WAN links, AD performance can slow down significantly for that user.

Tip: You can also increase performance of AD by defragmenting and consolidating free space within the AD database file (ntds.dit), or by moving the database file (or its log files) to another volume that is faster or has more free space. To perform either of these tasks, back up System State first, boot the computer into Directory Services Restore Mode, and use the commands in the files menu of ntdsutil.exe. Online defragmentation, which runs automatically after each garbage collection cycle, reclaims space inside the file but never shrinks it; only the offline compaction does that.
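The offline compaction and database move from the tip above, as an added example that is not the article's own. It assumes the default database location of C:\WINNT\NTDS and a scratch directory on D:; the DC must already be booted into Directory Services Restore Mode.

```batch
@echo off
REM Added example, not from the article. Paths are assumptions; the DC must
REM be in Directory Services Restore Mode, and System State must have been
REM backed up first, because a failed compaction leaves you with no AD.

REM 1. Report the current locations and sizes of the database and logs.
ntdsutil "files" "info" "quit" "quit"

REM 2. Compact into a new file in a scratch directory. The original is
REM    untouched until you copy the compacted file over it.
ntdsutil "files" "compact to D:\NtdsCompact" "quit" "quit"

REM 3. Replace the live database with the compacted copy and remove the
REM    old transaction logs, as the ntdsutil output instructs.
copy /y D:\NtdsCompact\ntds.dit C:\WINNT\NTDS\ntds.dit
del /q C:\WINNT\NTDS\*.log

REM 4. Check the new file before rebooting into normal mode.
ntdsutil "files" "integrity" "quit" "quit"

REM Alternative to compaction: relocate the database (and logs) to a faster
REM or larger volume. ntdsutil copies the files and updates the registry.
REM ntdsutil "files" "move DB to D:\NTDS" "move logs to D:\NTDS" "quit" "quit"
```

Keep the uncompacted ntds.dit (or the System State backup) until the DC has rebooted cleanly and replicated; the integrity check catches a corrupt file, but only a good backup gets you back from one.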

Managing AD replication involves creating sites and subnets, placing computers in the appropriate sites, creating and configuring site links and site link bridges, and configuring replication options.

Tip: Spend some time in the lab playing with various methods of configuring replication. You'll be glad you did when you actually take the exam!

AD Security Solutions

This section covers configuring security policies in Group policy, configuring security by using Security Templates and the Security Configuration and Analysis tool, implementing an audit policy, and monitoring security events.

Here we go again-more Group Policy. It's probably a good idea to open up a GPO, and view the various security settings you can configure in one. Remember that settings made in Local Group Policy (Group Policy on an individual computer) are overridden by Group Policy settings in AD.

Security Configuration and Analysis is a tool that can be used to compare a computer's security configuration against a predefined security configuration in a Security Template, and also to apply the settings in the template to the computer.

Tip: You can use the command-line version of the Security Configuration and Analysis tool (secedit.exe) to automate the process of applying the settings in a template to multiple computers. Simply place the appropriate commands in a computer's startup script, and the template's settings will be applied to the computer. Keep in mind that secedit only enforces the settings the template defines; anything the template leaves undefined stays as it is, and the Security Settings in any AD GPO that applies to the computer will reassert themselves at the next policy refresh.

This section also deals with auditing. The main thing to remember when configuring an audit policy is that file or printer auditing takes two separate steps: you must turn on the Audit object access policy (success and/or failure) in Group Policy or Local Security Policy, and you must also add audit entries (a SACL) to the specific files, folders or printers you want tracked, via the Auditing tab of their security properties. Either step alone produces no events. The resulting events land in the Security log in Event Viewer, which must be large enough, with an appropriate overwrite setting, or the events you wanted will be lost.
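The secedit automation from the tip above, covering both template application and the audit-policy half of object auditing, as an added example that is not from the article. The template name corp-ws.inf, the database and log paths are assumptions; the template is assumed to carry an [Event Audit] section with AuditObjectAccess = 3 (success and failure), which is the standard template syntax for that policy.

```batch
@echo off
REM Added example, not from the article. Paths and template name are
REM assumptions. Suitable for a computer startup script; runs as SYSTEM.
set TMPL=C:\WINNT\security\templates\corp-ws.inf
set DB=C:\WINNT\security\Database\corp-ws.sdb
set LOG=C:\WINNT\security\logs\corp-ws.log

REM 1. Analysis only: compare the live configuration against the template
REM    and write every mismatch to the log. Nothing is changed. Run this on
REM    a pilot machine before you ever run step 2 in a startup script.
secedit /analyze /db %DB% /cfg %TMPL% /log %LOG% /verbose

REM 2. Apply the template. /overwrite empties the database first so that
REM    only this template's settings, not leftovers from earlier runs, are
REM    imported. Settings the template does not define are left alone.
secedit /configure /db %DB% /cfg %TMPL% /overwrite /log %LOG% /quiet

REM 3. Ask the machine to reapply AD Group Policy now rather than at the
REM    next refresh interval, so GPO security settings win as they would
REM    in production (gpupdate does not exist on Win2K; secedit does this).
secedit /refreshpolicy machine_policy /enforce
```

The template can turn on Audit object access, but the SACLs on the files and printers still have to be set separately on each object; secedit does not do that part.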

Additional Information
To prepare for this exam, begin by reading Microsoft's Exam Preparation Guide at www.microsoft.com/trainingandservices/exams/

Show the World You Have What It Takes

A thorough understanding of AD is an absolute necessity for all network professionals who plan to use or implement Win2K. Anyone can install Win2K, but in order to achieve its full potential, you need to have extensive knowledge of AD, including domains, OUs, DNS, and Group Policy. Of course, once the workings of Active Directory are second nature to you and you're comfortable implementing it in various types of network environments, you'll want to show the world you have what it takes to be a mover and shaker in a Windows 2000 world by passing this exam. Good luck!
