Active Directory Knowledge: Administering a Windows 2000 Directory Service Infrastructure
Proving that you're ready to implement Active Directory requires a deep understanding of Group Policy, Domains, OUs and DNS.
by Alan R Carter
10/1/2000

Exam: Implementing Active Directory (70-217)
Certification, Vendor: MCSE 2000 (core exam), Microsoft
Status: Live (Note: Beta version was reviewed for this article.)
Reviewer's Rating: "To pass this one, be sure that Group Policy is your old, well used and thoroughly understood friend."
Test Information: Adaptive format, multiple-choice questions, $100.
Who Should Take This Exam? Anyone pursuing the Windows 2000 track of the MCSE certification.
What Classes Prepare You? If already NT 4.0 certified, take class #1560. New MCSEs should take classes #2151, #2152 and #2154.
Test Objectives URL: http://www.microsoft.com/trainingandservices/exams/examasearch.asp?PageID=70-217
I'm pleased with what I've seen of the Windows 2000 MCSE exams. They're difficult enough to enhance the value of the MCSE certification, yet not excessively difficult to pass--if you have experience with the product and know how to use it to accomplish the tasks specified by the exam's objectives. This exam covers the essence of Win2K: Active Directory. If you're thoroughly comfortable with all aspects of AD and how to configure it, then you should be able to prove it to the world by passing this exam! If you have any weak areas, especially in the Group Policy arena, then you might want to spend some more time with the product.
The beta exam I took consisted primarily of multiple-choice questions; for the most part, however, they were fairly long. Many questions contained enough text that I had to scroll down just to finish reading the question and select an answer. I recommend you read the entire question and all of the answers. Several times I almost selected an answer and then noticed that the one below it was actually correct, because I had misread the one I was about to select.
The test objectives for this exam include:
- Installing, configuring, and troubleshooting Active Directory.
- Installing, configuring, managing, monitoring, and troubleshooting DNS for AD.
- Installing, configuring, managing, monitoring, and troubleshooting change and configuration management.
- Installing, configuring, managing, monitoring, and troubleshooting AD security solutions.
- Managing, monitoring, and troubleshooting Certificate Services and Network Address Translation (NAT).
- Managing, monitoring, and optimizing the components of AD.
Installation and Configuration of AD
Wow! This sounds like a pretty comprehensive objective! Actually, it really only covers two areas--installing, configuring, and troubleshooting the components of AD, and backing up and restoring AD.
The components of AD covered by this section include most of the structural elements such as sites, subnets, site links, site link bridges, and so forth. This is primarily a list of all of the AD elements associated with replication. Don't try to skimp on your preparation for this part of the exam or you'll miss some of these questions. Also, make sure that you not only know how to create and configure each of the AD elements, but also know when to use each.
This section of the exam is also concerned with operations master roles and transferring those roles to different servers. Be sure you know which tool performs each transfer. AD Users and Computers transfers the three domain-wide roles: the relative identifier (RID) master, the Primary Domain Controller (PDC) emulator, and the infrastructure master. The AD Schema snap-in for the Microsoft Management Console (MMC) transfers the schema master, and AD Domains and Trusts transfers the domain naming master; these two roles are forest-wide. Alternatively, the ntdsutil.exe command-line utility can transfer or seize any of the five roles. Know the difference: a transfer is a cooperative handoff that requires the current holder to be online, while a seizure forces the role onto another server when the holder is permanently lost. A server whose role has been seized must never be returned to the network still believing it owns that role.
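The transfer-and-seize procedure described above, scripted for the Win2K command prompt. This is an added example, not code from the article: the server and domain names are assumed, and the form that passes the ntdsutil commands as quoted arguments is assumed to behave exactly like typing the same commands one at a time at the ntdsutil prompts, which is the form the exam (and the interactive tool's help) documents.

```batch
@echo off
rem Added example (not from the original article): move the PDC emulator and RID
rem master to a new holder with ntdsutil, and show the seize form for a holder
rem that is gone for good. Server names and the domain are assumed.
rem Run as a member of Domain Admins for the three domain-wide roles; the schema
rem master needs Schema Admins and the domain naming master needs Enterprise Admins.

set NEWHOLDER=dc02.corp.example.com

rem Each quoted argument is one command, in the order you would type them:
rem   ntdsutil: roles
rem   fsmo maintenance: connections
rem   server connections: connect to server dc02.corp.example.com
rem   server connections: quit
rem   fsmo maintenance: transfer PDC
rem   fsmo maintenance: transfer RID master
rem   fsmo maintenance: quit
rem   ntdsutil: quit
rem A transfer asks the current holder to hand the role over, so that holder must
rem be online and reachable from the server you connected to.
ntdsutil "roles" "connections" "connect to server %NEWHOLDER%" "quit" "transfer PDC" "transfer RID master" "quit" "quit"

rem Seize only when the current holder will never come back. Seizure tries a
rem transfer first and then forces the role onto the connected server. The old
rem holder must be rebuilt (or at least never reconnected with the role) afterwards.
rem Left commented out so the script cannot seize by accident:
rem ntdsutil "roles" "connections" "connect to server %NEWHOLDER%" "quit" "seize infrastructure master" "quit" "quit"

rem Confirm who holds what from the Support Tools before trusting the result.
netdom query fsmo
```

The transfer line is safe to rerun: if the connected server already holds a role, ntdsutil reports that and moves on. Keep the seize line commented until you have confirmed the old holder is unrecoverable, because two servers that both believe they are the RID master will eventually hand out duplicate SIDs.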
Spend time learning about backing up and restoring AD. The Backup program that comes with Win2K can back up and restore AD; however, you can't choose AD by itself. You have to back up System State, which on a domain controller bundles the AD database and its log files, SYSVOL, the registry, the boot files, and the COM+ class registration database (plus the Certificate Services database if that service is installed). Restoring AD requires rebooting the domain controller into Directory Services Restore Mode. Know the difference between a normal (non-authoritative) restore, whose contents replication partners will overwrite with anything newer, and an authoritative restore, in which ntdsutil.exe marks the restored objects so that they win on replication and deleted objects come back everywhere.
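A System State backup as it would be scheduled on a Win2K domain controller, with the restore-time commands recorded alongside it. This is an added example rather than the article's own material; the backup path, the OU used in the authoritative restore, and the domain name are assumptions.

```batch
@echo off
rem Added example (not from the original article): back up System State on a
rem Win2K domain controller with the built-in ntbackup, and document the restore
rem path that goes with it. The backup location and domain name are assumed.
rem System State is all-or-nothing: on a DC it contains ntds.dit and its logs,
rem SYSVOL, the registry, boot files and the COM+ class registration database,
rem plus the Certificate Services database if that role is installed.

set TARGET=D:\Backups\%COMPUTERNAME%-SystemState.bkf

rem /J names the job in the Backup log, /F writes to a file instead of tape,
rem /V:yes verifies the set after writing, /L:f keeps a full log (Backup
rem utility, Tools, Report). Run it as a member of Backup Operators or Administrators.
ntbackup backup systemstate /J "System State %COMPUTERNAME%" /F "%TARGET%" /V:yes /L:f

rem Restore procedure (not run by this script):
rem  1. Reboot, press F8, choose Directory Services Restore Mode, and log on with
rem     the local Administrator password that was set during dcpromo (not a
rem     domain account; AD is offline in this mode).
rem  2. Restore System State from %TARGET% with the Backup utility's Restore tab.
rem     ntbackup's command line only backs up; restores are done in the GUI.
rem  3. Non-authoritative restore: simply reboot. Replication partners bring the
rem     DC up to date and overwrite anything older in the restored copy.
rem     Authoritative restore (objects deleted everywhere must come back): before
rem     rebooting, mark the subtree so its version numbers beat every replica:
rem       ntdsutil "authoritative restore" "restore subtree OU=Sales,DC=corp,DC=example,DC=com" "quit" "quit"
rem     Mark only the subtree you need; "restore database" would roll back the
rem     whole directory, including password changes made since the backup.
rem  4. Never restore a backup older than the tombstone lifetime (60 days by
rem     default in Win2K): deletions that have already been forgotten by the
rem     other DCs would be resurrected as objects that never converge again.
```

Note that the backup file sits on the same machine; copy it off the DC, because an attacker who can read ntds.dit offline can extract every password hash in the domain, so the .bkf needs the same protection as the domain controller itself.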
DNS Dexterity
This section of the exam should be called, "Everything you always wanted to know about Win2K DNS and were afraid they would ask you about on the exam." The main focus of this set of objectives is installing DNS, integrating AD DNS zones with non-AD zones, configuring zones for automatic updates, and managing the replication of DNS data.
Installing DNS is fairly straightforward; however, you should keep in mind that only DNS servers that are installed on domain controllers can host AD-integrated zones.
Integrating AD-integrated zones with non-integrated zones is a little more complicated. A standard zone has exactly one primary (master) server. An AD-integrated zone is multimaster: every domain controller that hosts the zone this way holds a writable copy and functions as a primary for it, because the zone data lives in AD and replicates with it. Any additional DNS servers that are not domain controllers can only hold standard secondary copies of the zone, fed by zone transfer from one of those primaries.
Configuring zones for dynamic update is fairly straightforward on the DNS server, but can be somewhat confusing when configuring clients and DHCP servers to interact with it. Win2K computers automatically register their own A records (host name to IP address); when the address comes from a Win2K DHCP server, that server registers the matching PTR record by default. Pre-Win2K computers don't register anything, so you must configure the DHCP server to register both records on their behalf. Two security details are worth remembering: a zone can be set to accept only secure dynamic updates, but only if it is AD-integrated; and records registered by a DHCP server are owned by that server's account, so a client that later upgrades can't update them itself unless the DHCP server was a member of the DnsUpdateProxy group, which in turn leaves those records without an owner ACL.
Last, there's the issue of replicating DNS data. If all of the zones are AD-integrated, you don't need to configure DNS replication at all, because the zone data replicates whenever AD replication occurs, which is usually the most efficient option. If any zone isn't AD-integrated, you have to configure zone transfers between that zone's primary and secondary servers yourself, and you should restrict which servers are allowed to request a transfer.
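The DNS setup the three paragraphs above describe, done from the command line with dnscmd.exe from the Windows 2000 Support Tools. This is an added example, not the article's own; the zone, server names and addresses are assumed, and the script also adds the two hardening steps a practitioner would want (secure-only updates and restricted zone transfers) that the exam objectives only imply.

```batch
@echo off
rem Added example (not from the original article): create the AD-integrated zone,
rem restrict it to secure dynamic updates, add a standard secondary on a non-DC,
rem and limit zone transfers to that secondary. Names and addresses are assumed.
rem Requires dnscmd.exe (Windows 2000 Support Tools) and DNS already installed.

set ZONE=corp.example.com
set DC=dc01.corp.example.com
set DC_IP=10.0.0.11
set SECONDARY=dns02.corp.example.com
set SECONDARY_IP=10.0.0.12

rem 1. AD-integrated primary on a domain controller. Every DC that loads the zone
rem    this way is a writable primary; the data replicates with AD, so no
rem    zone-transfer configuration is needed between the DCs themselves.
dnscmd %DC% /ZoneAdd %ZONE% /DsPrimary

rem 2. Dynamic update mode: 0 = none, 1 = secure and nonsecure, 2 = secure only.
rem    Secure-only exists only for AD-integrated zones: the update is authenticated
rem    with the client's Kerberos identity, and the record's ACL then stops one
rem    computer from overwriting another computer's A record.
dnscmd %DC% /Config %ZONE% /AllowUpdate 2

rem 3. A DNS server that is not a DC cannot hold an AD-integrated copy, so it
rem    gets a standard secondary zone that pulls transfers from the DC.
dnscmd %SECONDARY% /ZoneAdd %ZONE% /Secondary %DC_IP%

rem 4. On the DC, allow transfers only to that secondary and notify it of changes.
rem    Left open, anyone can pull the whole zone (AXFR) and enumerate every host,
rem    including the _ldap and _kerberos SRV records that name your DCs.
dnscmd %DC% /ZoneResetSecondaries %ZONE% /SecureList %SECONDARY_IP% /NotifyList %SECONDARY_IP%

rem 5. Clients: a Win2K computer registers its own A record and re-registers it
rem    every 24 hours; force it after an address change with
rem      ipconfig /registerdns
rem    Pre-Win2K clients register nothing. On the DHCP server, tick "Always update
rem    DNS" on the server's DNS tab so it registers A and PTR for them.

rem Show the result: zone type, update mode and transfer settings.
dnscmd %DC% /ZoneInfo %ZONE%
```

If the secondary later becomes a domain controller, convert it to an AD-integrated copy instead of leaving it as a secondary; otherwise that DC keeps reading zone data that is only as fresh as its last transfer.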
Change and Configuration Management
This section of the exam contains the most objectives, and therefore you might expect more test questions. This section focuses on two primary areas: Group Policy and Remote Installation Services (RIS). Group Policy is a new feature in Win2K, and it affects a wide range of Win2K functionality, including user environments, security policy, script policy, and deploying and maintaining software. Needless to say, don't skimp on your studies in this area.
Group Policy settings are inherited from parent containers within AD. GPOs are applied in a fixed order: the local GPO first, then GPOs linked to the site, then the domain, and finally each OU from the top of the tree down to the OU that contains the user or computer. When settings in different GPOs conflict, the last GPO applied wins, so an OU-linked GPO normally overrides a domain-linked one. Two options change this: Block Policy Inheritance on a container discards the GPOs linked above it, and No Override on a GPO link forces that GPO's settings through regardless of blocking or of any GPO applied later.
When using Group Policy to install software, it's critical to keep in mind whether the software is published to a user, assigned to a user, or assigned to a computer. If an application is published to a user, it will be automatically installed by default if the user attempts to open a file associated with that application, and it will be listed in Add/Remove Programs for manual installation. If the application is assigned to a user, a shortcut to the application will be placed in the user's Start menu. The application will be automatically installed when the shortcut is selected or when the user attempts to open a file associated with that application. Finally, if the application is assigned to the computer, it will be fully installed on the computer the next time the computer is rebooted.
RIS is a complex topic in itself. Become thoroughly familiar with the RIS process before the exam. RIS servers store two types of images that can be installed on RIS clients: CD-based images and images created by using the RIPrep utility. Disk images created by using Sysprep can't be deployed by using RIS. Only client computers that have PXE-compliant network adapters or that have network adapters that will work with a RIS boot disk can be used with RIS.
The only way to provide load-balancing for RIS servers on your network is by prestaging new client computers to the appropriate image on the appropriate RIS server. RIS doesn't provide any other method of load balancing.
AD Components
This section covers three areas: managing objects in AD, managing AD performance, and configuring and troubleshooting AD replication.
Managing objects in AD involves creating objects, moving objects, publishing resources, searching for resources, controlling access to objects, delegating control, and, of course, creating and managing objects by using scripting. Make sure you know how to perform each of these tasks, and be very sure you understand how security is applied to objects. Also, you probably don't have to be a scripting expert, but you should know when to use a script and what can be done by using a script.
Managing performance of AD involves a lot of issues, especially when WAN links are involved. Remember that a user's computer must contact a DNS server, a domain controller and a global catalog server to log a user on. It's usually a good idea to have servers filling these roles in every site that contains users. If a user's computer must reach them across slow or saturated WAN links, logon and other AD operations slow down significantly for that user.
You can also improve AD performance by defragmenting the AD database file (ntds.dit) offline to consolidate its free space, or by moving the database or its log files to another volume that is faster or has more free space. Either task requires rebooting the domain controller into Directory Services Restore Mode and using the files context of ntdsutil.exe (the compact to and move DB to commands); the database can't be touched while the directory service is running.
Managing AD replication involves creating sites and subnets, placing computers in the appropriate sites, creating and configuring site links and site link bridges, and configuring replication options.
AD Security Solutions
This section of the test objectives covers configuring security policies in Group policy, configuring security by using Security Templates and the Security Configuration and Analysis tool, implementing an audit policy, and monitoring security events.
Here we go again--more Group Policy. It's probably a good idea to open up a GPO and view the various security settings you can configure in one. Remember that settings made in Local Group Policy (Group Policy on an individual computer) are applied first and are therefore overridden by any conflicting settings in GPOs linked to the site, domain or OU in AD.
Security Configuration and Analysis is a tool that can be used to compare a computer's security configuration against a predefined security configuration in a Security Template, and also to apply the settings in the template to the computer.
This section also deals with auditing. The main thing to remember when configuring an audit policy is that auditing access to files, folders or printers takes two separate steps: enable Audit object access (success, failure, or both) in the audit policy, and add auditing entries (the object's SACL) for the users or groups and access types you care about on each object's Security tab. Either step alone produces no events in the Security log.
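The template-driven workflow from the two preceding paragraphs, worked through end to end: a Security Template that sets the audit policy and places a SACL on a folder, Security Configuration and Analysis run from the command line (secedit.exe) to compare the machine against it, and the configure step that applies it. This is an added example, not code from the article; the folder C:\Payroll, the working directory and the template contents are assumptions chosen to illustrate the two-step auditing requirement.

```batch
@echo off
rem Added example (not from the original article): build a security template
rem that turns on object-access auditing AND puts an audit entry on a folder,
rem then analyze and (optionally) configure the machine with secedit.
rem The folder, working directory and template contents are assumed.
set DIR=C:\Secure
set T=%DIR%\audit.inf
if not exist %DIR% mkdir %DIR%
if exist %T% del %T%

rem --- Write the template. Redirection is placed first on each line so that a
rem     trailing digit such as "= 3" is not parsed as a file-handle number. ---
>>%T% echo [Version]
>>%T% echo signature="$CHICAGO$"
>>%T% echo Revision=1
rem Audit policy values: 0 none, 1 success, 2 failure, 3 success and failure.
rem AuditObjectAccess by itself logs nothing; it only makes SACLs take effect.
>>%T% echo [Event Audit]
>>%T% echo AuditObjectAccess = 3
>>%T% echo AuditLogonEvents = 3
>>%T% echo AuditAccountManage = 3
>>%T% echo AuditPolicyChange = 3
>>%T% echo AuditPrivilegeUse = 2
rem File Security entry: "path",mode,"SDDL". Mode 0 applies the descriptor and
rem propagates it to subfolders and files. In the SDDL, D: is the DACL (full
rem control for Administrators BA and SYSTEM SY, protected from inheritance);
rem S: is the SACL: an AU (audit) ACE, inherited by files and folders (OI, CI),
rem logging success and failure (SA, FA) of full-control-level access (FA) by
rem Everyone (WD). This SACL is the second half of the auditing requirement.
>>%T% echo [File Security]
>>%T% echo "C:\Payroll",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)S:AR(AU;OICISAFA;FA;;;WD)"

rem --- Analyze: imports the template into a new database and compares the live
rem     machine with it. Read analyze.log for "Mismatch" lines before changing anything. ---
secedit /analyze /DB %DIR%\audit.sdb /CFG %T% /LOG %DIR%\analyze.log /verbose

rem --- Configure: apply the template to the machine. Commented out so the
rem     analysis can be reviewed first; remove "rem " to apply. ---
rem secedit /configure /DB %DIR%\audit.sdb /CFG %T% /LOG %DIR%\configure.log /verbose

rem On domain members and DCs these settings normally arrive through a GPO
rem (Computer Configuration, Windows Settings, Security Settings), which will
rem override a local secedit change at the next refresh. Force a refresh with:
rem   secedit /refreshpolicy machine_policy /enforce
```

Run the analysis before and after: the first report shows AuditObjectAccess as a mismatch and the folder's SACL as missing, the second shows both in place. Without the [Event Audit] section the SACL would be set but silent; without the [File Security] section the policy would be on but no object would generate an event, which is exactly the trap the exam sets.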
Show the World You Have What It Takes
A thorough understanding of AD is an absolute necessity for all network professionals who plan to use or implement Win2K. Anyone can install Win2K, but in order to achieve its full potential, you need to have extensive knowledge of AD, including domains, OUs, DNS and Group Policy. Of course, once the workings of Active Directory are second nature to you, and you're comfortable implementing it in various types of network environments, you'll want to show the world you have what it takes to be a mover and shaker in a Windows 2000 world by passing this exam. Good luck!
This article reprinted from Microsoft Certified Professional Magazine.
Alan R. Carter, MCSE+Internet, MCT, has installed and supported complex networks while working on staff for national and regional value-added resellers. Alan is an independent trainer and the author of two books from IDG: Windows NT 4.0 MCSE Study Guide and Windows 2000 MCSE Study System. Alan can be reached at .