CertCities.com -- The Ultimate Site for Certified IT Professionals
Active Directory Knowledge: Administering a Windows 2000 Directory Service Infrastructure
Proving that you're ready to implement Active Directory requires a deep understanding of Group Policy, Domains, OUs and DNS.


by Alan R Carter

Exam Spotlight

Exam: Implementing Active Directory (70-217)
Certification, Vendor: MCSE 2000 (core exam), Microsoft
Status: Live (Note: Beta version was reviewed for this article.)
Reviewer's Rating: "To pass this one, be sure that Group Policy is your old, well used and thoroughly understood friend."
Test Information: Adaptive format, multiple-choice questions, $100.
Who Should Take This Exam? Anyone pursuing the Windows 2000 track of the MCSE certification.
What Classes Prepare You? If already NT 4.0 certified, take class #1560. New MCSEs should take classes #2151, #2152 and #2154.
Test Objectives URL: http://www.microsoft.com/trainingandservices/exams/examasearch.asp?PageID=70-217

10/1/2000 --
I'm pleased with what I've seen of the Windows 2000 MCSE exams. They're difficult enough to enhance the value of the MCSE certification, yet not excessively difficult to pass--if you have experience with the product and know how to use it to accomplish the tasks specified by the exam's objectives. This exam covers the essence of Win2K: Active Directory. If you're thoroughly comfortable with all aspects of AD and how to configure it, then you should be able to prove it to the world by passing this exam! If you have any weak areas, especially in the Group Policy arena, then you might want to spend some more time with the product.

The beta exam I took consisted primarily of multiple-choice questions; however, for the most part, they were fairly long. There was enough text in many of the questions to require me to scroll down just to finish reading the question and select an answer. I recommend you read the entire question and all of the answers. Many times I almost selected an answer and then noticed that the one below it was actually the correct answer because I had misread the one I was about to select.

The test objectives for this exam include:

  • Installing, configuring, and troubleshooting Active Directory.
  • Installing, configuring, managing, monitoring, and troubleshooting DNS for AD, change and configuration management, and AD security solutions. Managing, monitoring, and troubleshooting Certificate Services and Network Address Translation (NAT).
  • Managing, monitoring, and optimizing the components of AD.

Installation and Configuration of AD
Wow! This sounds like a pretty comprehensive objective! Actually, it really only covers two areas--installing, configuring, and troubleshooting the components of AD, and backing up and restoring AD.

The components of AD covered by this section include most of the structural elements such as sites, subnets, site links, site link bridges, and so forth. This is primarily a list of all of the AD elements associated with replication. Don't try to skimp on your preparation for this part of the exam or you'll miss some of these questions. Also, make sure that you not only know how to create and configure each of the AD elements, but also know when to use each.

This section of the exam is also concerned with operations master roles and transferring those roles to different servers. Be sure you know what tool to use to perform this task. You can use AD Users and Computers to transfer the relative ID master, the Primary Domain Controller (PDC) emulator, or the infrastructure master role. You can use the AD Schema snap-in to the Microsoft Management Console (MMC) to transfer the schema master role. And finally you can use AD Domains and Trusts to transfer the domain naming master. Alternatively, you can use the ntdsutil.exe command line utility to transfer or seize any of these roles.

Spend time learning about backing up and restoring AD. The backup program that comes with Win2K can be used to back up and restore AD; however, you can't just choose to back up AD; you have to back up System State Data.

DNS Dexterity
This section of the exam should be called, "Everything you always wanted to know about Win2K DNS and were afraid they would ask you about on the exam." The main focus of this set of objectives is installing DNS, integrating AD DNS zones with non-AD zones, configuring zones for automatic updates, and managing the replication of DNS data.

Installing DNS is fairly straightforward; however, you should keep in mind that only DNS servers that are installed on domain controllers can host AD-integrated zones.

Test Tip: PTR Records
If you want PTR records (reverse lookup or IP address to host name records) to be automatically registered for Win2K computers, you must configure the DHCP server to perform that task for the Win2K computers.

Integrating AD-integrated zones with non-integrated zones is a little more complicated. Servers that host AD-integrated zones function as the primary servers for those zones. There can only be one primary server for a zone, unless the zone is configured as an AD-integrated zone. In that case, each of the servers that host the AD-integrated zone functions as a primary server for the zone. Any additional, non-AD-integrated servers function as secondary servers for the zone.

Configuring zones for automatic update is fairly straightforward on the DNS server, but can be somewhat confusing when configuring clients and DHCP servers to interact with the DNS server. Win2K computers automatically register their A records (host name to IP address records) with the DNS server. Non-Win2K computers don't automatically register their records with the DNS server; you must configure the DHCP server to do that for them.

Last, there's the issue of replicating DNS data. If all of the zones are AD-integrated zones, you don't need to configure DNS replication, because it will occur whenever AD replication occurs. This is often the most efficient method of replicating DNS data. If all zones aren't integrated, you'll have to manually configure replication between DNS servers for each zone.

Change and Configuration Management
This section of the exam contains the most objectives, and therefore you might expect more test questions. This section focuses on two primary areas: Group Policy and Remote Installation Services (RIS). Group Policy is a new feature in Win2K, and it affects a wide range of Win2K functionality, including user environments, security policy, script policy, and deploying and maintaining software. Needless to say, don't skimp on your studies in this area.

Test Tip: Group Policy
GPOs are applied in the following order: Site, domain, then OU. If multiple OUs exist in a hierarchical tree, what's applied last is the GPO associated with the OU that actually contains the user or computer to which the Group Policy is being applied.

Group Policy settings can be inherited from parent containers within AD. The Group Policy settings on each container are applied in a specific order, and if settings in various GPOs conflict, the last GPO applied takes precedence.
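
The application order described above, modelled as an added example that is not part of the original article. It starts from local policy (which AD-based Group Policy overrides), then applies site, domain and each OU from outermost to innermost, recording which GPO supplied each winning value. The GPO names, setting names and distinguished name are constructed samples, and the model covers ordering only, with simple comma-separated DNs assumed.

```python
# Added illustration: last-writer-wins resolution of Group Policy settings.
# All names and values below are constructed for the example.

def ou_chain(dn):
    """Return the OU containers that hold `dn`, outermost first."""
    parts = [p.strip() for p in dn.split(",")]
    domain = [p for p in parts if p.upper().startswith("DC=")]
    ous = [p for p in parts if p.upper().startswith("OU=")]
    # A DN lists the innermost OU first, so walk the OU list backwards.
    return [",".join(ous[i:] + domain) for i in range(len(ous) - 1, -1, -1)]

def effective_policy(dn, site, local, links):
    """Apply local policy, then site, domain and OU GPOs in that order.

    `links` maps a container ("site:<name>", a domain DN or an OU DN)
    to a list of (gpo_name, settings) pairs linked to it.
    Returns {setting: (value, source)}; the last GPO applied wins.
    """
    parts = [p.strip() for p in dn.split(",")]
    domain_dn = ",".join(p for p in parts if p.upper().startswith("DC="))
    layers = [("Local policy", local)]
    for container in ["site:" + site, domain_dn] + ou_chain(dn):
        layers.extend(links.get(container, []))
    result = {}
    for source, settings in layers:
        for name, value in settings.items():
            result[name] = (value, source)  # later layers overwrite earlier
    return result

# Constructed sample data.
SAMPLE_DN = "CN=WS01,OU=Laptops,OU=Sales,DC=example,DC=com"
SAMPLE_LOCAL = {"MinimumPasswordLength": 0, "AuditObjectAccess": "None"}
SAMPLE_LINKS = {
    "site:HQ": [("Site-HQ", {"ScreenSaverTimeout": 900})],
    "DC=example,DC=com": [("Domain-Baseline",
                           {"MinimumPasswordLength": 8,
                            "ScreenSaverTimeout": 600})],
    "OU=Sales,DC=example,DC=com": [("Sales-Policy",
                                    {"AuditObjectAccess": "Failure"})],
    "OU=Laptops,OU=Sales,DC=example,DC=com": [
        ("Laptop-Lockdown", {"ScreenSaverTimeout": 300,
                             "AuditObjectAccess": "Success,Failure"})],
}

if __name__ == "__main__":
    policy = effective_policy(SAMPLE_DN, "HQ", SAMPLE_LOCAL, SAMPLE_LINKS)
    for name, (value, source) in sorted(policy.items()):
        print(f"{name} = {value}  (from {source})")
```
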

When using Group Policy to install software, it's critical to keep in mind whether the software is published to a user, assigned to a user, or assigned to a computer. If an application is published to a user, it will be automatically installed by default if the user attempts to open a file associated with that application, and it will be listed in Add/Remove Programs for manual installation. If the application is assigned to a user, a shortcut to the application will be placed in the user's Start menu. The application will be automatically installed when the shortcut is selected or when the user attempts to open a file associated with that application. Finally, if the application is assigned to the computer, it will be fully installed on the computer the next time the computer is rebooted.

RIS is a complex topic in itself. Become thoroughly familiar with the RIS process before the exam. RIS servers store two types of images that can be installed on RIS clients: CD-based images and images created by using the RIPrep utility. Disk images created by using Sysprep can't be deployed by using RIS. Only client computers that have PXE-compliant network adapters or that have network adapters that will work with a RIS boot disk can be used with RIS.

The only way to provide load-balancing for RIS servers on your network is by prestaging new client computers to the appropriate image on the appropriate RIS server. RIS doesn't provide any other method of load balancing.

AD Components
This section covers three areas: managing objects in AD, managing AD performance, and configuring and troubleshooting AD replication.

Managing objects in AD involves creating objects, moving objects, publishing resources, searching for resources, controlling access to objects, delegating control, and, of course, creating and managing objects by using scripting. Make sure you know how to perform each of these tasks, and be very sure you understand how security is applied to objects. Also, you probably don't have to be a scripting expert, but you should know when to use a script and what can be done by using a script.

Test Tip: AD Replication
Spend some time in the lab playing with various methods of configuring replication. You'll be glad you did when you actually take the exam!

Managing performance of AD involves a lot of issues, especially when WAN links are involved. Remember that a user's computer must contact a DNS server, domain controller and a global catalog server to log a user on. It's usually a good idea to have a server that functions in these roles located in each site that contains users. If a user's computer must contact these servers across squeezed WAN links, AD performance can slow down significantly for that user.

You can also increase performance of AD by defragmenting and consolidating free space within the AD database file (ntds.dit), or by moving the database file to another volume that is faster or has more free space. To perform either of these tasks, boot the computer to AD Restore Mode and use the appropriate commands in ntdsutil.exe.

Managing AD replication involves creating sites and subnets, placing computers in the appropriate sites, creating and configuring site links and site link bridges, and configuring replication options.

AD Security Solutions
This section of the test objectives covers configuring security policies in Group Policy, configuring security by using Security Templates and the Security Configuration and Analysis tool, implementing an audit policy, and monitoring security events.

Here we go again--more Group Policy. It's probably a good idea to open up a GPO, and view the various security settings you can configure in one. Remember that settings made in Local Group Policy (Group Policy on an individual computer) are overridden by Group Policy settings in AD.

Test Tip: Security
You can use the command-line version of the Security Configuration and Analysis tool (secedit.exe) to automate the process of applying the settings in a template to multiple computers. Simply place the appropriate commands in a computer's startup or shutdown script, and the template's settings will be applied to the computer.

Security Configuration and Analysis is a tool that can be used to compare a computer's security configuration against a predefined security configuration in a Security Template, and also to apply the settings in the template to the computer.

This section also deals with auditing. The main thing to remember when configuring an audit policy is that if you want to configure file or printer auditing, you must set that up and also configure an audit policy to track success and failure of object access.

Show the World You Have What It Takes
A thorough understanding of AD is an absolute necessity for all network professionals who plan to use or implement Win2K. Anyone can install Win2K, but in order to achieve its full potential, you need to have extensive knowledge of AD, including domains, OUs, DNS and Group Policy. Of course, once the workings of Active Directory are second nature to you, and you're comfortable implementing it in various types of network environments, you'll want to show the world you have what it takes to be a mover and shaker in a Windows 2000 world by passing this exam. Good luck!

This article reprinted from Microsoft Certified Professional Magazine.

Alan R. Carter, MCSE+Internet, MCT, has installed and supported complex networks while working on staff for national and regional value-added resellers. Alan is an independent trainer and the author of two books from IDG: Windows NT 4.0 MCSE Study Guide and Windows 2000 MCSE Study System. Alan can be reached at .
There are 18 CertCities.com user Comments for “Active Directory Knowledge: Administering a Windows 2000 Directory Service Infrastructure”
The current user rating is: three stars - difficult, but manageable 1/2
Page 1 of 2
10/11/00: Anonymous says:
four stars - very difficult
Cool
10/12/00: Mark says:
three stars - difficult, but manageable
A good general administration exam. Fair and thorough.
10/13/00: Ken says:
four stars - very difficult
I took the exam on the 22nd of Sept and I found it to be more reading comprehension than technical understanding. Do not get me wrong, you must know your stuff, but this is just my interpretation of the exam. Also the exam was not in the Adaptive format.
10/13/00: Coby says:
five stars - true gurus only
I thought that the exam was fair and much better than Network+. It was not adaptive and a little more thorough than Network+.
10/31/00: Frank says:
three stars - difficult, but manageable
The questions were easy, only the answers were difficult. Lots of 'choose all that apply' 'choose 2 out of 4' 'choose 3 out of 8'. These questions are easy to miss. I felt very confident both before and during the test, but passed only with about 40 points. And I'm sure I lost the points in those 'choose.....' questions. All in all a very good exam!
12/27/00: Anonymous says:
five stars - true gurus only
I'm a college senior with zero experience...my comments? *snore* My networking final was tougher
1/11/01: Gerald says:
five stars - true gurus only
Reading comprehension? True enough but more importantly, the exam requires Critical Thinking skills. Thus, to be fully prepared, the individual must have good English skills and have good ability to assimilate a production-based scenario in order to field real-world quality exam questions. I took 12 pages of notes during the examination and was happy to see that it was not just another "brain-dump" type exam that people without computers could pass.
6/2/01: geoff says:
three stars - difficult, but manageable
I thought the exam was fair but also was difficult enough to be a true test.
12/8/01: Nguyen Quang says:
five stars - true gurus only
Good, Thanks
2/26/02: joeylove.gun says:
three stars - difficult, but manageable
a test to take when you know what's up with novel

Exam Difficulty Rating Key
five stars - true gurus only
four stars - very difficult
three stars - difficult, but manageable
two stars - somewhat challenging
one star - cakewalk