From  CertCities.com
Tips

My Top 10 Study Tips for the Designing a Win2K Directory Services Exam (70-219)
Greg Neilson walks you through the major study points for this MCSE Win2K exam.

by Greg Neilson

5/16/2001 -- This exam is an elective for the Windows 2000 MCSE stream and tests your knowledge of Active Directory design concepts and your ability to apply them to specific design scenarios. In this exam you won't get the same detailed technical treatment as you would during the Win2K MCSE core exams, but at the same time this isn't an exam you can fake your way through. In order to pass you will need a good knowledge of AD design concepts and be able to apply them to the situations presented. Here is my list of top 10 tips for this exam:

1. Understand the New Exam Format
Microsoft's design exams use a scenario-based exam format that you need to be familiar with before you take the exam. Fortunately there are a couple of resources on Microsoft's Web site that can assist: a sample exam for this new kind of question, and a FAQ relating to the question format.
The exam itself has four scenarios, each with approximately 10 related questions to answer. The amount of text you will need to read is very, very large (see tip #2) -- the last thing you want to do is waste time trying to understand the question formats.

2. Take Good Notes During the Exam
As you read your way through each case study, make good use of the writing paper supplied at the testing center. There is so much to read in each of the four case studies that you can't afford the time to read the case study again completely when attempting to answer every question. Of course, you may be forced to do this due to the unexpected nature of some of the questions, but it would be handy to be able to refer to your notes. As you read through the case study, keep track of the relevant factors in the information provided that will affect your AD design. Many of the design rules of thumb you'll need to consider are presented in the next few points.

3. See the Forest Through the Trees
As you probably know, both forests and trees are domains in Win2K. Obviously, for this exam you need to know the difference between the two.

A tree features a contiguous namespace -- that is, all lower-level domains are based on the name of the root domain. For example, in a given tree you might have mycompany.com as the root domain, with eng.mycompany.com and mktg.mycompany.com as the lower domains. In contrast, if you have two domains called mycompany.com and yourcompany.com, these can't be in the same tree and would need to be in a forest instead.

A forest is a collection of one or more AD trees. Each domain in a forest automatically has a two-way trust with every other domain in the forest. If this isn't satisfactory and you need to have more control over trusts created between domains, then you need to put these domains into different forests.

Similarly, each forest has a common schema, which is only updateable by members of the Schema Admins group in the root domain of the forest. Conversely, if you need to have different schemas then this means you must be considering different forests.

Know both in and out before attempting to sit this exam.
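The contiguous-namespace rule from this tip, as an added example that is not part of the original article: the hypothetical function `group_into_trees` sorts a list of domain names into trees, using the article's sample names as input.

```python
def group_into_trees(domains):
    """Group DNS domain names into trees of contiguous namespace.

    A name with no ancestor in the list becomes a tree root; every other
    name joins the tree of the root it is named under.
    """
    # Normalise case and trailing dots; shorter names first so that a root
    # is always seen before the domains beneath it.
    names = sorted({d.lower().rstrip(".") for d in domains},
                   key=lambda d: (d.count("."), d))
    trees = {}
    for name in names:
        labels = name.split(".")
        # Candidate ancestors: eng.mycompany.com -> mycompany.com -> com
        ancestors = (".".join(labels[i:]) for i in range(1, len(labels)))
        root = next((a for a in ancestors if a in trees), None)
        if root is None:
            trees[name] = [name]       # new tree root
        else:
            trees[root].append(name)   # contiguous with an existing tree
    return trees


# Sample names taken from the article's own illustration
FOREST = ["mycompany.com", "eng.mycompany.com",
          "mktg.mycompany.com", "yourcompany.com"]

if __name__ == "__main__":
    for root, members in group_into_trees(FOREST).items():
        print(root, "->", members)
```

Two roots in the result mean two trees, which can only be joined at the forest level.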

4. Always Start with a Single Domain
As a starting point with any network design, look to use a single domain. This is both the preferred and simplest option.

Domains were the building block of Windows NT. All changes to account details in the domain are replicated to all domain controllers in the domain. If the underlying network isn't able to handle the replication traffic along a relatively slow link, then this may mean that you need to create smaller domains so that this link isn't wasted with domain replication traffic.

Account policies, audit policies and Kerberos ticket policies are configured at the domain level, which means that if you need different policies in these areas then you are considering multiple domains. Also, you may have multiple domains if you upgrade in place from NT 4.0. One option you typically might consider when upgrading is to convert your existing NT 4.0 resource domains into OUs. This reduces the number of domains to support (and keep in mind each additional domain costs more and more resources) and instead you can delegate admin control of those resources to the OU.

5. See the Sites
If you have worked with Exchange in the past, then this concept of sites will be familiar to you already. If not, here's the lowdown: A site is one or more TCP/IP subnets that are connected by a permanent high-speed link. Exactly how fast is not often directly specified, but clearly a 56Kbps link is not and a 1.5Mbps link could be, depending on the existing link usage. Look for something close to LAN speeds (say 10Mbps) as a rule of thumb when looking at whether or not the two connected subnets can be part of the same site.

Within a site, communications between domain controllers are configured automatically. You need to explicitly configure links between sites.

6. Remember Domain Controller Redundancy
Domain controllers are, of course, used to process logons to AD. You would typically design for at least one domain controller per site to ensure responsive logons. For redundancy purposes, it is also a good idea to have at least two domain controllers per domain.

7. Know the What, When and Why of Operations Masters
You need to know what each of these actually does, then which are per-forest (schema master and domain naming master) and which are per-domain (infrastructure master, RID master and PDC emulator). Don't forget that because these are AD functions, all operations masters must already be domain controllers. The infrastructure master, which maintains user to group to user references, is typically the most loaded server, so it is recommended NOT to place this on the same server as the Global Catalog.

8. DNS, DNS and More DNS!
Active Directory needs DNS in order to operate, so you are going to need a good grasp of your options when considering DNS. Whatever DNS you use, it needs to be able to support SRV resource records so that your servers can be located, and also preferably dynamic DNS as well.

For this exam, you need to know whether an existing DNS is available for the company, and whether it can use SRV records and DDNS (UNIX hosts need to use BIND 8.2.1 and above to support this). If it doesn't support these or can't be reasonably upgraded, then an option is to delegate a subdomain that is used by AD and hosted on Win2K servers. This subdomain can then support DDNS and SRV records. For example, you might have to create a subdomain called win2k.mycompany.com.
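The DNS decision described above, as an added example that is not part of the original article. The function names, the sample zone and the choice of SRV owner names checked are assumptions made for illustration; the 8.2.1 threshold and the win2k subdomain come from the text.

```python
import re

# SRV owner names that domain controllers register, relative to the AD domain
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp",
                "_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs")
MIN_BIND = (8, 2, 1)  # minimum BIND version given in the article

# Constructed sample zone data for mycompany.com (not from a real server)
ZONE = """\
; constructed sample zone
_ldap._tcp                          600 IN SRV 0 100 389 dc1.mycompany.com.
_kerberos._tcp                      600 IN SRV 0 100 88  dc1.mycompany.com.
_ldap._tcp.dc._msdcs.mycompany.com. 600 IN SRV 0 100 389 dc1.mycompany.com.
www                                3600 IN A   192.0.2.10
"""

def parse_version(text):
    """Turn '8.2.2-P5' or '8.2' into a comparable 3-tuple of ints."""
    parts = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def srv_owners(zone_text, origin):
    """Return SRV owner names relative to origin.
    Assumes every SRV line carries its owner name in the first field."""
    origin = origin.lower().rstrip(".")
    owners = set()
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments
        if "SRV" not in [f.upper() for f in fields[1:]]:
            continue
        owner = fields[0].lower()
        if owner.endswith("."):                  # absolute name
            owner = owner.rstrip(".")
            if owner.endswith("." + origin):
                owner = owner[: -len(origin) - 1]
        owners.add(owner)
    return owners

def assess_dns(bind_version, allows_updates, zone_text, domain):
    """Keep the existing DNS only if it can serve SRV records and accepts
    dynamic updates; otherwise fall back to a delegated subdomain."""
    version_ok = parse_version(bind_version) >= MIN_BIND
    missing = sorted(set(REQUIRED_SRV) - srv_owners(zone_text, domain))
    if version_ok and allows_updates:
        action = "use existing DNS"
    else:
        action = "delegate a subdomain (e.g. win2k.%s) to Win2K DNS" % domain
    return {"version_ok": version_ok, "missing_srv": missing, "action": action}
```

A non-empty `missing_srv` list on a server that otherwise passes points to records that were never registered, which is worth checking before blaming the DNS platform itself.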

Another decision point is whether you have an Internet presence and whether your internal DNS should share the same name as the external DNS. If they are the same, this makes things easy for the users to access the company Web site on the Internet, but makes more work for the firewall configuration. If the names are different, your users will be confused about having to access, for example, www.mycompany.com for the external site and www.myco.com for the internal site.

9. Roll Out the Organizational Units (OUs)
These allow us to delegate the management of users and computers to others, and can also be used to hide the existence of objects. By and large, your OU design will follow your admin model -- which can be by location, function, organization or a hybrid of these. OUs are an administration construct, so you needn't worry about users having to navigate your OU structure to locate resources. OUs are also useful when using Group Policy to make changes to multiple users or computers.

As an aside, one of the many differences between Microsoft's OUs in AD and Novell's OUs in NDS is that, in NDS, you can assign rights to the OU, which then means that all users within the OU then have these rights as well (since an object is always the security equivalent of the container object in which it belongs). Unfortunately, AD uses groups for this instead of OUs, so you can't assign rights to an OU in Windows 2000 and expect these to be available to the objects contained within it.

10. Read the Windows 2000 Server Resource Kit
Regardless of what study resource you use, I would recommend you check out two chapters from the Windows 2000 Server Resource Kit, Deployment Planning Guide: Chapter 9 (Designing the Active Directory Structure) and Chapter 10 (Determining Domain Migration Strategies). These are good summaries of the task at hand in producing your AD design. The MOC for course 1561 is also worth viewing -- it has a number of decision trees that are worth memorizing for making your key design decisions, such as for DNS.

Well, there we have it. This should be a good start for your exam preparations. Good luck!


Greg Neilson, MCSE+Internet, MCNE, PCLP, is a Contributing Editor for Microsoft Certified Professional Magazine and a manager at a large IT services firm in Australia. He's the author of Lotus Domino Administration in a Nutshell (O'Reilly and Associates, ISBN 1-56592-717-6).

 

 

Copyright 2000-2009, 101communications LLC.