70-294: Active Directory Planner
Learning how to work with directory services is a long journey that involves trusts, policies and organizational understanding, along with the tools that make the operating system hum.
The new 70-294 exam about Active Directory requires specific knowledge
and working experience with Windows Server 2003 forests, domains, sites,
Group Policies and trusts. You'll be required to prove your knowledge
of AD administration. Proving your design skills with AD comes later in
exam 70-297. If you take these MCSE exams in the suggested order, after
passing 70-294, the Active Directory design exam should be much easier
since you'll be familiar with Active Directory from A to Z!
If you tackled 70-217, the Windows 2000 directory services infrastructure
exam, you'll find differences. In the new test, you'll encounter questions
relating to new technologies such as forest trusts, universal group caching,
and forest and domain functional levels.
For this review, I tackled the beta version of the exam. Let's look at
what you'll need to do to prepare.
Planning and Implementing AD
The first exam objective, Planning and Implementing an AD Infrastructure,
includes a myriad of topics: proper planning and placement of global catalogs
(GCs) and FSMOs (Flexible Single Master Operations); forest, domain and
site structures and topologies; and administrative delegation.
The rule of thumb remains the same: one GC per site. A GC is a domain
controller that holds, in addition to a full copy of its own domain, a
partial read-only copy of every object in every other domain in the forest.
The first domain controller in the forest root domain becomes a GC
automatically; GC functionality is added to other domain controllers by
checking Global Catalog on the server's NTDS Settings object in the AD Sites
and Services snap-in. GCs support AD in the following scenarios: They let
users find objects anywhere in the forest, resolve UPN logons to the right
domain and supply universal group membership lists at logon. New to Windows
Server 2003, a site can be enabled for universal group (UG) membership
caching, also from the AD Sites and Services snap-in (it's a site setting,
not a per-DC one). UG caching speeds logon times and removes the need for
GC hardware in small sites, since the DCs in the site cache each user's UG
memberships at first logon and refresh them from a GC (every eight hours by
default) rather than replicating the partial copy of every domain.
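The placement check behind that rule of thumb, as an added example that is not part of the original article: it reads the Configuration partition over plain ADSI (so it works against Windows Server 2003 DCs from PowerShell 2.0 or later, no ActiveDirectory module) and reports, per site, which DCs are GCs and whether universal group membership caching is on. The GC and caching bits are the documented `options` flags; the `-EnableCachingWhereNoGC` switch and its write step are my addition, not something the snap-in exposes by that name.

```powershell
# Added example, not from the article: inventory every AD site for a global
# catalog and for universal group membership caching, the two placement
# choices discussed above. Plain ADSI/LDAP, so it works from PowerShell 2.0
# or later against Windows Server 2003 DCs without the ActiveDirectory module.
# Read-only unless you pass the hypothetical -EnableCachingWhereNoGC switch,
# which flips the caching bit on sites that have neither a GC nor caching.
param([switch]$EnableCachingWhereNoGC)

$configNc = [string]([adsi]"LDAP://RootDSE").configurationNamingContext

# 'options' bit flags as documented in MS-ADTS:
$OPT_IS_GC         = 0x01   # on CN=NTDS Settings (class nTDSDSA): this DC is a global catalog
$OPT_GROUP_CACHING = 0x20   # on CN=NTDS Site Settings (class nTDSSiteSettings): UG caching on

function Search-ConfigNc([string]$Filter, [string[]]$Attrs) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://$configNc")
    $searcher.Filter   = $Filter
    $searcher.PageSize = 500            # paged so large forests don't hit the 1000-entry limit
    foreach ($a in $Attrs) { [void]$searcher.PropertiesToLoad.Add($a) }
    $searcher.FindAll()
}
# Integer attribute that is simply absent until first set; treat absent as 0.
function Get-IntAttr($Result, [string]$Name) {
    if ($Result.Properties[$Name].Count -gt 0) { [int]$Result.Properties[$Name][0] } else { 0 }
}
# Value of the Nth RDN of a DN; assumes no escaped commas in site or server names.
function Get-Rdn([string]$Dn, [int]$Index) { (($Dn -split ',')[$Index] -split '=', 2)[1] }

$sites = @{}
foreach ($site in Search-ConfigNc '(objectClass=site)' @('name')) {
    $name = [string]$site.Properties['name'][0]
    $sites[$name] = New-Object PSObject -Property @{ Site = $name; GlobalCatalogs = @(); UGCaching = $false }
}
# CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...  -> RDN 1 = server, RDN 3 = site
foreach ($dsa in Search-ConfigNc '(objectClass=nTDSDSA)' @('distinguishedName', 'options')) {
    $dn = [string]$dsa.Properties['distinguishedname'][0]
    if ((Get-IntAttr $dsa 'options') -band $OPT_IS_GC) {
        $sites[(Get-Rdn $dn 3)].GlobalCatalogs += (Get-Rdn $dn 1)
    }
}
# CN=NTDS Site Settings,CN=<site>,CN=Sites,...  -> RDN 1 = site
foreach ($ss in Search-ConfigNc '(objectClass=nTDSSiteSettings)' @('distinguishedName', 'options')) {
    $dn = [string]$ss.Properties['distinguishedname'][0]
    $sites[(Get-Rdn $dn 1)].UGCaching = [bool]((Get-IntAttr $ss 'options') -band $OPT_GROUP_CACHING)
}

foreach ($s in ($sites.Values | Sort-Object Site)) {
    $status = 'WARN: no GC and no caching; every logon depends on a GC across a site link'
    if ($s.UGCaching)                  { $status = 'OK: no GC, UG membership caching on' }
    if ($s.GlobalCatalogs.Count -gt 0) { $status = 'OK: GC in site' }
    '{0,-24} GCs={1,-28} {2}' -f $s.Site, ($s.GlobalCatalogs -join ','), $status

    if ($EnableCachingWhereNoGC -and $s.GlobalCatalogs.Count -eq 0 -and -not $s.UGCaching) {
        $settings = [adsi]"LDAP://CN=NTDS Site Settings,CN=$($s.Site),CN=Sites,$configNc"
        $opts = [int]$settings.Properties['options'].Value      # $null casts to 0
        $settings.Put('options', ($opts -bor $OPT_GROUP_CACHING))
        $settings.SetInfo()                                     # the same write the snap-in checkbox performs
        "  enabled universal group membership caching for site $($s.Site)"
    }
}
```

Run it read-only first and keep the output with your site design; a WARN line is a site whose users will fail logon when the WAN link to the nearest GC is down (in a native-mode domain, a DC that can't reach a GC refuses interactive logons that aren't served from cached credentials).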
Not much has changed since Windows 2000 in regards to FSMOs, except that
they're now more commonly referred to as "operations master roles."
There are five in all: schema master, domain naming master, RID master,
PDC emulator and infrastructure master.
Tip: Your best bet when preparing for operations master role questions
on this exam is to refer to the short Knowledge Base article "FSMO
Placement and Optimization on Windows 2000 Domain Controllers." Its
placement rules still hold for Windows Server 2003: keep the schema and
domain naming masters together in the forest root, and don't put the
infrastructure master on a GC unless every DC in that domain is a GC,
because a GC never sees the stale cross-domain references the
infrastructure master exists to clean up.
Table 1. Requirements for three of the certification paths toward the MCSE
on Windows 2003. Exam 70-294 is required for those starting afresh and for
candidates who've already obtained an MCSA on Windows 2000. Candidates with
an MCSE on Windows 2000 can bypass this exam.

MCSE-Windows 2003, normal path
  Core server:
    70-290: Managing and Maintaining a Windows Server 2003 Environment
    Managing and Maintaining a Windows Server 2003 Network
    70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure
    70-294: Planning, Implementing and Maintaining a Windows Server 2003 Active Directory Infrastructure
  Core client (take one):
    70-210: Installing, Configuring and Administering Windows 2000 Professional
    70-270: Installing, Configuring and Administering Windows XP Professional
  Design (take one):
    70-297: Designing a Windows Server 2003 Active Directory and Network Infrastructure (may be used as design requirement or elective, but not both)
    70-298: Designing Security for a Windows Server 2003 Network (may be used as design requirement or elective, but not both)

MCSA-Windows 2000 path
  Core server:
    70-292: Managing and Maintaining a Windows Server 2003 Environment for an MCSA Certified on Windows 2000
    70-294: Planning, Implementing and Maintaining a Windows Server 2003 Active Directory Infrastructure
  Core client: no additional core client exam required.

MCSE-Windows 2000 path
  Core server:
    70-292: Managing and Maintaining a Windows Server 2003 Environment for an MCSA Certified on Windows 2000
    70-296: Planning, Implementing and Maintaining a Windows Server 2003 Environment for an MCSE Certified on Windows 2000
  No other core or elective requirements necessary.
Windows 2000 forests and domains are readied for Windows 2003 DCs with
the new utility ADprep.exe. ADprep makes sure that a Windows 2000 forest
and domain contain the additional objects, attributes and permissions
needed to support the Windows 2003 AD environment. ADprep offers the
following switches:
- adprep /forestprep: runs the forest upgrade (must be completed first;
run it on the schema master and let the schema changes replicate to
every DC before moving on)
- adprep /domainprep: runs the domain upgrade (run it on the infrastructure
master of each domain)
Tip: DCpromo is used to promote a server to the domain controller role
for a domain (and to demote one). The first Windows 2003 DC won't promote
into a Windows 2000 domain until both ADprep steps have been run.
Domain functional levels are an extension of the mixed/native mode concept
introduced in Windows 2000. Using the AD Domains and Trusts snap-in, you
can view and raise the domain functional level; raising it is one-way, so
there's no going back once you've done it. The forest functional level is
raised from the root of the same snap-in.
Domain functional levels are as follows: Windows 2000 mixed (default,
with all DC types supported: NT 4.0, Win2K and Windows 2003), Windows 2000
native (Win2K and Windows 2003 DCs only), Windows 2003 interim (a special
level used only during an NT 4.0 to Windows 2003 upgrade) and Windows 2003
(Windows 2003 DCs only). At the Windows 2003 domain functional level the
new domain controller rename utility becomes available. Domain rename and
cross-forest trusts additionally require the forest functional level to be
Windows 2003, which in turn requires every domain in the forest to be at
that level first.
The domain rename tools are a separate download from Microsoft.
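The operations master and functional-level material above comes down to a handful of attributes, so here is an added example (mine, not from the article) that reads them with plain ADSI: the five `fSMORoleOwner` values, `msDS-Behavior-Version` on the forest and domain, `ntMixedDomain`, and the operating system and GC bit of every DC in the domain. It then applies two checks you'd run before an upgrade plan: no down-level DC blocks raising the level, and the infrastructure master isn't a GC while other DCs aren't. Read-only; PowerShell 2.0 or later on a domain-joined machine; nothing is hard-coded to a particular forest.

```powershell
# Added example, not from the article: operations master holders, functional
# levels and the two placement checks the text above calls for. Plain ADSI,
# read-only, PowerShell 2.0 or later, domain-joined machine.

$rootDse  = [adsi]"LDAP://RootDSE"
$domainNc = [string]$rootDse.defaultNamingContext
$configNc = [string]$rootDse.configurationNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext

# Single-valued attribute off an object; $null when it has never been set.
function Get-Attr([string]$Path, [string]$Attr) { ([adsi]$Path).Properties[$Attr].Value }

# fSMORoleOwner on each of these objects is the DN of the holder's NTDS Settings object:
# CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
$roleObjects = @{
    'Schema master'         = "LDAP://$schemaNc"
    'Domain naming master'  = "LDAP://CN=Partitions,$configNc"
    'PDC emulator'          = "LDAP://$domainNc"
    'RID master'            = "LDAP://CN=RID Manager`$,CN=System,$domainNc"
    'Infrastructure master' = "LDAP://CN=Infrastructure,$domainNc"
}
function Get-RoleHolder([string]$Path) {
    $dn = [string](Get-Attr $Path 'fSMORoleOwner')
    if (-not $dn)             { return 'MISSING: fSMORoleOwner not set' }
    if ($dn -like '*0ADEL:*') { return "DELETED DC still owns role ($dn); seize it with ntdsutil" }
    $rdn = $dn -split ','     # assumes no escaped commas in server or site names
    '{0} (site {1})' -f ($rdn[1] -replace '^CN=', ''), ($rdn[3] -replace '^CN=', '')
}
$holders = @{}
foreach ($role in $roleObjects.Keys) { $holders[$role] = Get-RoleHolder $roleObjects[$role] }

# msDS-Behavior-Version: 0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003.
$levelNames = @{ 0 = 'Windows 2000'; 1 = 'Windows Server 2003 interim'; 2 = 'Windows Server 2003' }
function Describe-Level($Raw) {
    $v = [int]$Raw   # attribute absent (never forestprep'd) casts to 0 = Windows 2000, which is right
    if ($levelNames.ContainsKey($v)) { $levelNames[$v] } else { "level $v (newer than Windows Server 2003)" }
}
$forestLevel = Describe-Level (Get-Attr "LDAP://CN=Partitions,$configNc" 'msDS-Behavior-Version')
$domainLevel = Describe-Level (Get-Attr "LDAP://$domainNc" 'msDS-Behavior-Version')
$mixedMode   = [int](Get-Attr "LDAP://$domainNc" 'ntMixedDomain')   # 1 = mixed, 0 = native

# Every DC of this domain: computer accounts with SERVER_TRUST_ACCOUNT (8192) in userAccountControl,
# joined to their NTDS Settings object through serverReferenceBL to read the GC bit (0x1).
$searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://$domainNc")
$searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
foreach ($a in 'name', 'operatingSystem', 'serverReferenceBL') { [void]$searcher.PropertiesToLoad.Add($a) }
$dcs = foreach ($r in $searcher.FindAll()) {
    $serverDn = if ($r.Properties['serverreferencebl'].Count) { [string]$r.Properties['serverreferencebl'][0] }
    $os       = if ($r.Properties['operatingsystem'].Count)   { [string]$r.Properties['operatingsystem'][0] } else { '?' }
    $isGc     = $false
    if ($serverDn) { $isGc = [bool]([int](Get-Attr "LDAP://CN=NTDS Settings,$serverDn" 'options') -band 0x1) }
    New-Object PSObject -Property @{ Name = [string]$r.Properties['name'][0]; OS = $os; IsGC = $isGc }
}

"Forest functional level : $forestLevel"
"Domain functional level : $domainLevel" + $(if ($mixedMode -eq 1) { ' (mixed)' } else { ' (native)' })
$holders.GetEnumerator() | Sort-Object Key | ForEach-Object { '{0,-22}: {1}' -f $_.Key, $_.Value }
$dcs | Sort-Object Name | ForEach-Object { '{0,-16} GC={1,-5} {2}' -f $_.Name, $_.IsGC, $_.OS }

# Check 1: any NT 4.0 or Windows 2000 DC blocks raising this domain to the Windows Server 2003 level.
$downLevel = @($dcs | Where-Object { $_.OS -match '^Windows (2000|NT)' })
if ($downLevel.Count) {
    'WARN: cannot raise to Windows Server 2003 level while these DCs exist: ' + (($downLevel | ForEach-Object { $_.Name }) -join ', ')
}
# Check 2 (the KB placement rule): infrastructure master on a GC only works if every DC in the domain is a GC.
$imName = ($holders['Infrastructure master'] -split ' ')[0]
$im     = $dcs | Where-Object { $_.Name -eq $imName }
$allGc  = @($dcs | Where-Object { -not $_.IsGC }).Count -eq 0
if ($im -and $im.IsGC -and -not $allGc) {
    "WARN: infrastructure master $imName is a GC while other DCs are not; move the role or make every DC a GC"
}
```

The "DELETED DC still owns role" branch is the case the exam likes to ask about: a role holder that was demoted or lost without transferring its roles leaves `fSMORoleOwner` pointing at a deleted object, and only an ntdsutil seizure fixes it.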
Tech Tip: Running Active Directory on Windows Server 2003
Web edition isn't supported, but these servers can belong to a domain.
Planning Active Directory
Exam: 70-294, Planning, Implementing, and Maintaining a Microsoft
Windows Server 2003 Active Directory Infrastructure
What it covers: This exam, an update to 70-217, tests your knowledge
of Windows Server 2003 forests, domains, sites, Group Policies and
trust relationships.
Available: August 28, 2003
Who should take it: Core for the MCSE on Windows Server 2003
An Active Directory structure includes the forest root domain, child
domains, application directory partitions, domain controllers, functional
levels (as noted above) and trust relationships. The TechNet article on
Active Directory partitions describes their benefits and use.
Other than the default, implicit, two-way, transitive trusts that are
created automatically between parent and child domains and between tree
roots when Windows 2000 and Windows 2003 domains are added to a forest,
the available types are:
- Explicit domain trusts. Relationships that you create yourself, as
opposed to those created automatically during the addition of domains.
You create and manage trusts using the AD Domains and Trusts snap-in.
Besides realm trusts to a non-Windows Kerberos realm, there are two
explicit trust types: external and shortcut. External trusts enable user
authentication to a domain outside the forest (or to an NT 4.0 domain);
they are non-transitive, can be one- or two-way, and Windows 2003 DCs
apply SID filtering to them by default so the partner domain can't inject
SID history into your tokens. Shortcut trusts shorten the trust path
between two domains in a complex forest so that cross-domain Kerberos
referrals don't have to walk up to the forest root and back down.
- Forest trust. A transitive trust between the root domains of two
forests, which allows an easier method of resource sharing when business
needs, whether planned or unplanned, have complicated things. Both forests
must be at the Windows 2003 forest functional level, and the trust can be
restricted with selective authentication so only chosen users cross it.
Microsoft's document on multiple-forest considerations is required reading
for this exam.
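Every trust described above is stored as a `trustedDomain` object under CN=System, so the type, direction and transitivity can be audited rather than clicked through. The following is an added example of mine, not from the article: it decodes `trustDirection`, `trustType` and the `trustAttributes` bit flags (values from MS-ADTS) and warns about external trusts whose SID filtering has been turned off. Plain ADSI, read-only, PowerShell 2.0 or later on a domain-joined machine.

```powershell
# Added example, not from the article: audit the current domain's trusts from
# their trustedDomain objects instead of the AD Domains and Trusts snap-in.
# Flag values are from MS-ADTS. Plain ADSI, read-only, PowerShell 2.0 or later.

$domainNc = [string]([adsi]"LDAP://RootDSE").defaultNamingContext

$DirectionNames = @{ 1 = 'inbound'; 2 = 'outbound'; 3 = 'two-way' }                    # trustDirection
$TypeNames      = @{ 1 = 'downlevel (NT 4.0)'; 2 = 'uplevel (AD)'; 3 = 'MIT Kerberos realm' }   # trustType
$TA_NON_TRANSITIVE    = 0x01   # trustAttributes bits
$TA_UPLEVEL_ONLY      = 0x02
$TA_QUARANTINED       = 0x04   # SID filtering quarantine (netdom trust /quarantine:yes)
$TA_FOREST_TRANSITIVE = 0x08
$TA_CROSS_ORG         = 0x10   # selective authentication
$TA_WITHIN_FOREST     = 0x20

function ConvertTo-TrustInfo([string]$Partner, [int]$Dir, [int]$TrustType, [int]$Attr) {
    $kind = 'external trust'
    if ($TrustType -eq 3)                      { $kind = 'realm trust' }
    if ($Attr -band $TA_FOREST_TRANSITIVE)     { $kind = 'forest trust' }
    if ($Attr -band $TA_WITHIN_FOREST)         { $kind = 'intra-forest (parent/child, tree-root or shortcut)' }
    $flags = @()
    $flags += $(if ($Attr -band $TA_NON_TRANSITIVE) { 'non-transitive' } else { 'transitive' })
    if ($Attr -band $TA_QUARANTINED)  { $flags += 'SID filtering (quarantine)' }
    if ($Attr -band $TA_CROSS_ORG)    { $flags += 'selective authentication' }
    if ($Attr -band $TA_UPLEVEL_ONLY) { $flags += 'uplevel clients only' }
    New-Object PSObject -Property @{
        Partner = $Partner; Kind = $kind
        Direction = $DirectionNames[$Dir]; Type = $TypeNames[$TrustType]; Flags = ($flags -join ', ')
    }
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher([adsi]"LDAP://CN=System,$domainNc")
$searcher.Filter = '(objectClass=trustedDomain)'
foreach ($a in 'name', 'trustDirection', 'trustType', 'trustAttributes') { [void]$searcher.PropertiesToLoad.Add($a) }

$trusts = foreach ($r in $searcher.FindAll()) {
    $p = $r.Properties
    $attr = if ($p['trustattributes'].Count) { $p['trustattributes'][0] } else { 0 }
    ConvertTo-TrustInfo $p['name'][0] $p['trustdirection'][0] $p['trusttype'][0] $attr
}
$trusts | Sort-Object Partner | Format-Table Partner, Kind, Direction, Type, Flags -AutoSize

# Caveat worth checking: Windows Server 2003 DCs create external trusts with SID filtering on.
# One without the quarantine bit has had it switched off (netdom trust /quarantine:no), so
# SID history presented by the partner domain is accepted into this domain's access tokens.
foreach ($t in $trusts) {
    if ($t.Kind -eq 'external trust' -and $t.Flags -notmatch 'quarantine') {
        "WARN: external trust with $($t.Partner) has SID filtering disabled"
    }
}
```

Direction is stored from this domain's point of view, so a trust shown as "outbound" here is one this domain trusts (its users can be granted access to the partner's resources only if the partner shows the mirror "inbound" object).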
The final topic in this objective is administrative delegation. Designing
your forests, domains and OUs for administrative delegation is the primary
reason for such a hierarchy. Be prepared to tackle questions in which
you need to decide which hierarchy of domains and OUs will allow the most
efficient placement of Group Policies. Understanding the inheritance behavior
of Group Policies (site, then domain, then OU, with the GPO applied last
winning any conflict) and the options Block Policy Inheritance and No
Override (called Enforced in the GPMC; an enforced link beats a block
further down) will certainly help in the testing center! Read
"Introduction to Group Policy in Windows Server 2003" for more.
Exam 70-294 is a core requirement for anyone wanting to be certified
as an MCSE on Windows Server 2003 (see Table 1 for the other exams
you must take). Of course, if you're already certified as an MCSE on
Windows 2000, you can bypass this one and go straight to 70-292 and
70-296 for the MCSE upgrade. Those two exams won't go through a beta
testing period, since they draw their questions from the other Windows
2003 exams, such as this one.
Managing and Maintaining AD
The next exam objective, Managing and Maintaining an Active Directory
Infrastructure, tests your expertise in managing a forest and domain structure,
configuring site replication schedules, link costs and boundaries, monitoring
AD and FRS replication and authoritative and non-authoritative AD restore
operations. The best place to start is with all the administrative tools:
- Active Directory Users and Computers (ADUC) for domain user, computer
and group management
- Active Directory Sites and Services (ADSS) for site management
- Active Directory Domains and Trusts (ADDT) for domain trust management
- Replmon (AD Replication Monitor) for monitoring replication links
- Event Viewer, of course, for its Directory Service and File Replication
Service logs as well as the application and system logs
Tech Tip: Sonar.exe is a free Microsoft tool for Windows 2000 and
Windows 2003 that monitors the File Replication Service on replica members
so you can watch traffic levels, backlogs and free space.
Using these tools and understanding their capabilities and limitations
will be invaluable in your work with AD. Replmon is slick! It's installed
from the Support\Tools directory of the product CD and offers many AD
replication statistics and logs. It lets you show replication topologies,
available GCs and FSMOs, bridgehead servers and trust relationships, to
name a few; its command-line counterpart, Repadmin, comes from the same
support tools.
ADSI Edit (Active Directory Service Interfaces Editor), a low-level
attribute editor and search tool, is another of those tools you can't do
without when managing AD. DCdiag is another useful tool that can query the
state of a domain controller, report any problems and assist in
troubleshooting.
Using the advanced server boot option "Directory Services Restore Mode"
along with NTDSutil.exe, you should be prepared to address questions
involving AD authoritative and non-authoritative restores. Review the
brief KB article on the subject prior to taking the exam.
Tip: An authoritative restore is performed after a non-authoritative
restore of the System State, while the DC is still in Directory Services
Restore Mode. It marks the entire directory, a subtree or an individual
object as authoritative by raising the version numbers of the restored
objects (by 100,000 per day since the backup, by default), so that they
win replication and are copied to all other DCs instead of being
overwritten by the newer copies those DCs hold. A plain non-authoritative
restore, by contrast, is simply brought up to date by normal replication,
which is why it can't bring back a deleted object on its own.
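The sequence that tip describes, as an added example that is not from the article: an authoritative restore of a single OU, with ntdsutil driven from the command line so the DN you marked is on record. The OU DN and the DC name are hypothetical; steps 1 and 3 are the parts you do outside the script, in Directory Services Restore Mode.

```powershell
# Added example, not from the article: the authoritative-restore sequence for
# one OU, as you'd run it from a PowerShell (or cmd) prompt while the DC is in
# Directory Services Restore Mode. The OU DN and the DC name are hypothetical.
$ou = 'OU=Sales,DC=corp,DC=example,DC=com'   # hypothetical subtree that was deleted

# 1. Boot with F8 -> Directory Services Restore Mode and log on with the DSRM
#    password set during dcpromo. Restore System State from the last good backup
#    with ntbackup (Restore tab, System State, original location). This is the
#    NON-authoritative restore: without step 2, normal replication would just
#    re-delete the OU as soon as the DC came back up. Do not reboot yet.

# 2. Mark only the lost subtree authoritative. ntdsutil takes its commands as
#    arguments, so the DN you marked ends up in your shell history and change
#    record. Every object under $ou gets its version numbers raised (100,000 per
#    day since the backup, by default), which is what makes the restored copies
#    win replication against the tombstones the other DCs hold.
#    "restore database" marks the whole partition instead; keep that for total loss.
ntdsutil "authoritative restore" "restore subtree $ou" quit quit

# 3. Reboot normally and let replication push the subtree back out. Memberships
#    in groups outside the restored subtree are not restored this way, since that
#    link lives on the group object; Windows Server 2003 SP1 ntdsutil writes an
#    .ldf for them that you import afterwards with:  ldifde -i -k -f <file>.ldf

# 4. Verify the version bump on the restored DC and then on a peer:
#    repadmin /showobjmeta DC1 $ou      (DC1 is a hypothetical DC name)
```

Mark the smallest scope that covers the loss: an authoritative restore of the whole database rolls every object in the partition back to the backup, including password changes and group edits made since, on every DC in the domain.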
User, Computer and Group Strategies
The third exam objective, Planning and Implementing User, Computer
and Group Strategies, tests your abilities in planning a security group
and user authentication strategy with password policy, as well as planning
and implementing an OU structure. I strongly suggest you review chapters
two, three and four of "Windows Server 2003 Deployment Kit: Designing
a Managed Environment."
I also recommend that you refer to my earlier discussion on administrative
delegation and the resources I suggested. Remember that a Windows domain
is a security policy boundary and only one password policy per domain
is supported: the password, account lockout and Kerberos settings for
domain accounts are read only from GPOs linked at the domain level (the
Default Domain Policy by default), and the same settings in a GPO linked
to an OU affect only the local account databases of the member computers
in that OU.
In implementing an OU structure, be sure you understand the hierarchy
of domains, OUs and child OUs. The TechNet article "Designing an
OU Structure that Supports Group Policy" will get you started.
There are a few new delegation of authority tasks when you right-click
an OU and select Delegate Control, including generating Resultant Set of
Policy (RSoP) in planning and logging modes. Understand how and where
delegation of authority can be used.
Tip: To move objects within an OU hierarchy, simply right-click and
select Move, or drag and drop them in the Windows 2003 version of ADUC.
Things To Practice
- Plan, deploy and manage Group Policies with GPMC
and RSoP. You'll need to download the GPMC add-on
for Windows Server 2003 and practice, practice, practice.
- Plan, deploy and manage forests, domains and OUs.
Even with only one server, you can still perform all
the necessary planning, deployment and management
you'll need to master in this topic.
- Create and manage inter and intra-forest trust relationships.
With at least two servers or VMWare, you can create
multiple forests and trust relationships.
- Troubleshoot AD. There's no easy way to master
troubleshooting, so try anything you can think of in
your lab to get experience. Read the TechNet article on
troubleshooting Active Directory in Windows Server 2003
and understand the possible errors diagrammed in its
flowcharts.
- Create and configure Group Policies. This is easy
enough if you spend the time and understand what's
required. There are over 200 new GPO settings available
in Windows Server 2003. With the new Group Policy
Management Console, this is easier to understand than
it was with Windows 2000.
- Configure sites, links, bridgehead servers and
cost. With at least two servers or VMware, you can
configure sites, links, bridgehead servers and replication
cost values even if you don't have separate network
segments. With the ADSS snap-in, this becomes easier
the more you practice.
- Raise the functional level of a forest and domain.
This is something you'll really want to dig into,
as it can be complicated. Using either the ADUC or
ADDT snap-in, right-click the domain and select Raise
Domain Functional Level; the forest level is raised from
the root of the ADDT snap-in. Remember that raising a
level is irreversible, so do it in the lab, not in production, first.
- Enable universal group membership caching for a site.
This is an easy task but a new feature, so be sure to
try it at least once. Using the ADSS snap-in, open the
site, right-click NTDS Site Settings, select Properties
and check Enable Universal Group Membership Caching.
- Explore all the reporting features found in Replmon.
Load the support tools from the CD and explore this
invaluable tool even if you don't have a complex AD
lab. Check the Server Properties option while you're at it.
- Understand the modes of RSoP and when they're most
useful. This exam topic is present in the 70-293 exam
so it's time to get a handle on all that RSoP offers
if you don't already have one. Use the planning and
logging modes against your newly created GPOs from
# 1 above.
Planning Group Policy
The next objective is Planning and Implementing Group Policy. The
topics included here range from planning a Group Policy strategy for users
and computers to configuring the user environment using Group Policies
and deploying a computer environment using Group Policies. Did I mention
that this exam might include a lot of Group Policy-related questions?!
There are many resources available to bring you up to speed with Group
Policies. I suggest you pick up a book on the topic. Some have been out
for a few years and still withstand the test of time. Others will be released
by the time this test surfaces.
I also suggest you read the Group Policy Management Console white paper,
"Administering Group Policy with the GPMC."
Tech Tip: The GPMC is a free add-on download for Windows Server 2003;
it isn't part of the base installation.
Managing Group Policy
The final objective in this exam is Managing and Maintaining Group
Policy. This objective includes such topics as troubleshooting issues
related to Group Policies using tools such as RSoP and GPresult and maintaining
software using GPs.
When it comes to troubleshooting, here's the number one recommended resource
besides hands-on experience: "Troubleshooting Group Policy in Windows
Server 2003."
For maintaining software using GPOs, I refer you back to the "Windows
Server 2003 Deployment Kit: Designing a Managed Environment," chapters
eight and nine.
Tip: GPresult reports the GPOs that were actually applied to a user and
computer. Run without switches it reports on the local computer and the
logged-on user; the Windows Server 2003 version also accepts /s to target
a remote computer, /user to name the target user, /scope user or /scope
computer to limit the report to one side, and /v or /z for verbose
detail. It reads the RSoP data logged when policy was processed, so it
can only report on a user who has actually logged on to that computer.
For more information on RSoP, I suggest the TechNet reference on the
subject for your reading enjoyment.
The exam guidelines are available from Microsoft.
Study resources for Windows Server 2003 can be found
within the help and documentation of the product. Of
course, you'll also want as much hands-on practice as
you can obtain. If your company hasn't made the move
yet, work with the 180-day evaluation edition.
There's also a lot of information available online
from Microsoft, such as at the Windows Server Community.
One of the best study resources I found for this exam
is the "Windows Server 2003 Security Guide,"
which you can download from Microsoft.
You can also take the Microsoft official training course
at your local CTEC from an MCT: Planning, Implementing,
and Maintaining a Microsoft Windows Server 2003 Active
Directory Infrastructure.
Microsoft Press also offers self-study material for this exam.
If you've been following along with this series of exam reviews,
then you know that this wraps up the core server tests you'll be tackling.
Add a client test, as well as some electives, and you'll be able to call
yourself an MCSE on Windows Server 2003. In the course of doing that,
you'll have strengthened your knowledge of networking, directory services,
security and more. That, in turn, will enable you to do your job more
effectively and tell the listening world that you're at the front of the
latest operating system technology from Microsoft. I consider this a worthy
goal for an IT professional—and I wish you good luck in your pursuit.