STUDY GUIDE For MCSE Exam 70-217
Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure

Installing and Configuring Active Directory
· Install forests, trees, and domains
· Automate domain controller installation
· Create sites, subnets, site links, and connection objects
· Configure server objects. Considerations include site membership and global catalog designation
· Transfer operations master roles
· Verify and troubleshoot Active Directory installation
· Implement an organizational unit (OU) structure

Installing, Configuring, Managing, Monitoring, and Troubleshooting DNS for Active Directory
· Install and configure DNS for Active Directory
· Integrate Active Directory DNS zones with existing DNS infrastructure
· Configure zones for dynamic updates and secure dynamic updates
· Create and configure DNS records
· Manage, monitor, and troubleshoot DNS

Configuring, Managing, Monitoring, Optimizing, and Troubleshooting Change and Configuration Management
· Implement and troubleshoot Group Policy
· Create and modify a Group Policy object (GPO)
· Link to an existing GPO
· Delegate administrative control of Group Policy
· Configure Group Policy options
· Filter Group Policy settings by using security groups
· Modify Group Policy prioritization
· Manage and troubleshoot user environments by using Group Policy
· Install, configure, manage, and troubleshoot software by using Group Policy
· Manage network configuration by using Group Policy
· Configure Active Directory to support Remote Installation Services (RIS)
· Configure RIS options to support remote installations
· Configure RIS security

Managing, Monitoring, and Optimizing the Components of Active Directory
· Manage Active Directory objects
· Move Active Directory objects
· Publish resources in Active Directory
· Locate objects in Active Directory
· Create and manage objects manually or by using scripting
· Control access to Active Directory objects
· Delegate administrative control of objects in Active Directory
· Monitor, optimize, and troubleshoot Active Directory performance and replication
· Back up and restore Active Directory
· Perform an authoritative and a non-authoritative restore of Active Directory
· Recover from a system failure
· Seize operations master roles

Configuring, Managing, Monitoring, and Troubleshooting Security in a Directory Services Infrastructure
· Apply security policies by using Group Policy
· Create, analyze, and modify security configurations by using the Security Configuration and Analysis snap-in and the Security Templates snap-in
· Implement an audit policy
· Monitor and analyze security events

Introduction to Active Directory
· Windows 2000 Active Directory is an organized list of objects, called directory objects, that provides centralized management for scalable networks.
· Objects are organized in a hierarchical structure rather than by physical location and can include:
  o Users
  o Groups
  o Computers
  o Shared resources
  o Security information
· Windows 2000 Active Directory is a distributed directory structure, whereby the information contained in the directory can be spread across multiple domain controllers.
· This provides fault tolerance as well as a single, optimized point of access for the end user.
· Windows 2000 Active Directory integrates the Internet namespace and NT directory services by supporting the Lightweight Directory Access Protocol (LDAP).
· LDAP is an Internet standard used to exchange information between applications and directories.
· Two domain modes, which are implemented at the domain level and affect all domain controllers in the domain:
  o Mixed Mode: the default when you first install support for Active Directory services; it can support both Windows NT and Windows 2000 servers.
  o Native Mode: a one-way conversion to native mode is supported when the network includes only domain controllers running Windows 2000.
· Active Directory key concepts:
  o Objects: Object classes such as users, groups, computers, services, printers, security policies, etc. are collections of object attributes.
  o Schema: A database structure made up of attribute definitions and object definitions known as schema objects or metadata (data about data). Adding new attributes can extend a schema; however, once an object is created it can be disabled but not deleted.
  o Global Catalog: includes all Active Directory objects (but not their attributes) in all of the domains. The global catalog is used to locate resources and objects in different domains.
  o Replication: automatic updates of Active Directory between servers.

Active Directory and Domain Names
· Naming of objects in Active Directory is a critical issue.
· Each Active Directory object must be uniquely identified.
· Domain Name System (DNS) is required for Active Directory.
· Object names must follow an established naming convention. The following are common name formats:
  o LDAP Distinguished Name (DN)
  o LDAP Relative Distinguished Name (RDN)
  o User Principal Name (UPN)
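The three name formats listed above, as an added example that is not part of the study guide: a small Python routine that breaks a distinguished name into its relative distinguished names, identifies the object’s RDN and container, and derives the domain DNS name and a user principal name from the DC= components. The sample DN and the logon name are constructed; the only escaping rule it honours is the backslash escape of RFC 2253, which matters because a comma inside a value (a "Last, First" common name) would otherwise split the name in the wrong place.

```python
# Added example, not from the study guide. Shows the relationship between an
# LDAP Distinguished Name (DN), its Relative Distinguished Names (RDNs) and a
# User Principal Name (UPN). Sample values are constructed for illustration.


def split_dn(dn):
    """Split a DN into its RDN strings, leaf (most specific) first.

    A comma inside a value must be escaped as "\\," (RFC 2253); the escape
    pair is kept intact so "CN=Doe\\, Jane" stays a single RDN.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escaped character with its backslash
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def parse_dn(dn):
    """Return (attribute type, value) pairs with the type upper-cased."""
    pairs = []
    for part in split_dn(dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("RDN without '=': " + part)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def rdn(dn):
    """The RDN is the leaf component; it must be unique within its container."""
    return split_dn(dn)[0]


def parent_dn(dn):
    """The container the object lives in (everything after the RDN)."""
    return ",".join(split_dn(dn)[1:])


def dns_domain(dn):
    """The DC= components, read leaf first, spell the domain's DNS name."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def upn(logon_name, dn):
    """UPN = logon name @ DNS domain name (the default UPN suffix)."""
    return f"{logon_name}@{dns_domain(dn)}"


if __name__ == "__main__":
    sample = "CN=Doe\\, Jane,OU=Sales,DC=corp,DC=example,DC=com"   # constructed
    print("RDN:   ", rdn(sample))
    print("Parent:", parent_dn(sample))
    print("UPN:   ", upn("jdoe", sample))
```

Note that a DN is unique across the whole forest while an RDN is only unique among the siblings in one container, which is why two objects named CN=Jane Doe can exist in different OUs.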
Domain Name System (DNS)
· Organized in a hierarchical structure known as the domain namespace.
· Individual computers are named by adding the computer name to the left of the domain name.
· A Fully Qualified Domain Name (FQDN) identifies a name within the domain namespace.

Global Catalog
· A master directory of all objects in the forest and attributes of commonly used objects
· Automatically created on the first domain controller in a forest
· Other domain controllers can be configured to act as additional Global Catalog servers

Design examples
· Single Domain: One domain that is the first and only tree’s root domain as well as the forest’s root. OUs are used to build the Active Directory structure and should be kept to a minimum.
· Tree with Multiple Domains: Used when implementing different security policies in remote offices, or to limit administrative control between different locations.
· Forest with Multiple Trees: Each tree has its own unique namespace, and all trees are part of the same Active Directory. Each tree is identified by its root domain’s DNS name. The trees share a common schema, configuration information and Global Catalog.

Active Directory Installation
· DNS services will be installed during the installation of Active Directory.
· Active Directory will be installed on at least one domain controller (two or more for fault tolerance).
· When installed on the first domain controller, any local user and group accounts will be promoted to Active Directory user and group accounts.

Domain Controller
· Critical to Active Directory services
· A copy of Active Directory is stored on every domain controller.
· Responsible for authenticating users, enforcing policies and finding Active Directory objects
· Changes to Active Directory can be made at any domain controller and replicated to others.
· Installed as member servers and promoted to domain controllers, unless upgraded from a Windows NT Server 4.0 PDC.

Server requirements for promoting a Windows 2000 server to a domain controller
· At least one NTFS 5 partition or volume
· Initial available disk space of 230 MB for the Active Directory database (ntds.dit) and log files (edb.log), which will be placed in \%systemroot%\NTDS
· DNS server

Installation Methods and procedures
· Active Directory Installation Wizard
· Dcpromo.exe (found in \%systemroot%\system32)
· During installation a location needs to be designated for the SYSVOL folder (defaults to \%systemroot%\SYSVOL), which can only be placed on an NTFS 5 volume or partition. The SYSVOL folder contains the server’s copy of the Active Directory’s public files that will be replicated to all domain controllers.
· If no DNS server is found during installation, one must be configured or installed at this time.

Post Installation
· Local users and groups, which were managed through the Computer Management tool, will be disabled.
· Active Directory components will be added to Administrative Tools

Adding Domain Controllers
· Fault tolerance in case of domain controller failure
· Performance optimization to efficiently handle user logons
· Recommended that any remote location with five or more users have a separate domain controller.

Demoting a Domain Controller
· Launch Dcpromo to run the wizard

Delegation of Administrative Control
· Decentralizes security management
· Delegation by OU lets you set up departmental administrators
· Delegation by Task (common or custom) limits the responsibility given to the “delegatee”
· The Delegation of Control Wizard is launched through the Active Directory Users and Computers tool
· Delegated users or groups are added to the object’s ACL

User Rights
· Assigned through Group Policies
· Domain Controllers have a default Group Policy Object (GPO) that is applied to each domain controller, whereas Local Policies and User Rights assignments apply only to the computer where the policy is applied.

Replication
· Replication to all domain controllers occurs every 15 minutes by default but can be forced through Active Directory Sites and Services.
· When the domain controller is expanded under Sites\Default-First-Site-Name\Servers, select NTDS Settings. Right-click and select Replicate Now.

Publishing Shared Folders
· The Active Directory Users and Computers tool allows for the publishing of shared folders or Distributed File System (DFS) roots in the Active Directory
· When creating a shared folder the UNC path must be specified in the Network path property field.
· Keywords can be associated with shared folders to allow users to easily locate shares in Active Directory

Group Policy
· Reduces Total Cost of Ownership (TCO)
· Implemented through Group Policy Objects (GPOs) and applied to User and Computer Configurations
· Three possible settings for policies include Not Configured, Enabled and Disabled

Creating and Modifying Group Policies
· Group policy settings are refreshed throughout the network, on average every 90 minutes
· Domain Controllers refresh on average every 5 minutes
· The refresh interval for Domain Controllers can be modified through Group Policy settings
· When deleting a GPO any links are automatically dropped without warning
· Filtering GPOs allows Group Policies to be applied to individual users rather than all users and computers in an OU

GPO Tools
Gpotool.exe Utility
· Used to check GPOs
· Used to view information about specific GPOs
· Checks GPO consistency
· Checks GPO replication
Gpresult.exe Utility
· Used to determine if a problem is related to group policies
· Analyzes group policies that are applied for the current user or computer
· Report displays which policy settings are applied for the user

Design Suggestions:
· Limit the number of users allowed to modify GPOs to a minimum
· Documentation
· Keep it as simple as possible

Active Directory Replication
· Changes made to Active Directory need to be propagated to all Domain Controllers
· Uses a multiple-master replication model whereby all domain controllers are equal

Intrasite Replication
· Automatic replication between domain controllers in the same site
· Uses Remote Procedure Call (RPC) communication to control notification
  o Replication latency is the delay between when a change is made on one domain controller and when it is replicated to the other domain controllers.
  o Replication convergence occurs after replication has taken place, all domain controllers are up to date and no new changes are to be sent.

Server Roles
You REALLY need to follow these guidelines to not only implement a good Active Directory design, but to make it functional as well. Make sure you know these roles inside and out.

Global Catalog Servers
· Global Catalog Servers are used during the logon process and to locate directory information
· If the Global Catalog is not available, users (excluding Domain Admins) will not be allowed to log on to the network, only to the local system
· When a user queries for information about an object the query is resolved by the Global Catalog in the local domain rather than going out to each domain in the forest
· The first domain controller created in a forest is automatically a Global Catalog server
· To provide fault tolerance additional Global Catalog servers should be created and available
· Global Catalog servers can be added through the Active Directory Sites and Services tool

Operations Masters
· Special roles assigned to domain controllers as single master roles.
· A single master role is not permitted to occur simultaneously at different locations on the network
· Five operations master roles are responsible for keeping track of and originating replication and are divided into forestwide and domainwide roles:

Forestwide
Note: Both the Schema master and the Domain naming master should be on the same domain controller

Schema master
· Only one schema master in the forest (can have standbys)
· Controls schema updates and modifications
· Failure of the schema master can go unnoticed until a change is made to the schema
· If the schema master role is seized permanently the server must not be brought back online without formatting it and reinstalling Windows 2000

Domain naming master
· Only one domain naming master in the forest (can have standbys)
· Responsible for controlling the addition or removal of domains to the forest
· Failure of the domain naming master can go unnoticed until a domain is added or removed from the forest
· If the domain naming master role is seized permanently the server must not be brought back online without formatting it and reinstalling Windows 2000

Domainwide

Relative ID master
· Each domain will have one relative ID master
· Responsible for management of relative IDs (object security)
· A security identifier is generated for each domain object; it includes the domain security ID (same for all domain objects) and a unique relative ID
· Responsible for initiating the move when moving objects between domains
· Failure of the relative ID master can go unnoticed until an administrator attempts to create domain objects and the domain runs out of available relative identifiers.
· If the relative ID master role is seized permanently the server must not be brought back online without formatting it and reinstalling Windows 2000
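The two halves of a domain object’s identifier described above, as an added example that is not part of the study guide: the domain security ID shared by every object in the domain and the relative ID appended to it, plus a toy model of the RID pool a domain controller allocates from until it must ask the RID master for more, which is the point at which a failed RID master stops being unnoticed. The domain SID and the pool bounds are constructed sample values; the well-known RIDs are fixed values defined by Microsoft, which is why a renamed built-in Administrator account is still recognisable by RID 500.

```python
# Added example, not from the study guide. Models how a security identifier
# (SID) is built from the domain SID plus a relative ID (RID), and how a
# domain controller hands out RIDs from the pool the RID master gave it.
# The domain SID and the pool bounds are constructed sample values.

DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed

# Fixed RIDs defined by Microsoft; identical in every domain.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def build_sid(domain_sid, rid):
    """Object SID = domain SID + '-' + RID."""
    return f"{domain_sid}-{int(rid)}"


def split_sid(sid):
    """Return (domain_sid, rid) for an account SID of the S-1-5-21-... form."""
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError("not a domain account SID: " + sid)
    if not all(p.isdigit() for p in parts[4:]):
        raise ValueError("non-numeric sub-authority in SID: " + sid)
    return "-".join(parts[:7]), int(parts[7])


def same_domain(sid_a, sid_b):
    """Two objects belong to the same domain when their domain SIDs match."""
    return split_sid(sid_a)[0] == split_sid(sid_b)[0]


def describe(sid):
    """Name a well-known RID; anything else was allocated from a RID pool."""
    _, rid = split_sid(sid)
    if rid in WELL_KNOWN_RIDS:
        return f"{WELL_KNOWN_RIDS[rid]} (well-known RID {rid})"
    return f"RID {rid} allocated from a RID pool"


class RidPool:
    """Toy model of the RID block a domain controller receives from the RID master."""

    def __init__(self, first, last):
        self.next_rid, self.last = first, last

    def remaining(self):
        return self.last - self.next_rid + 1

    def allocate(self, domain_sid=DOMAIN_SID):
        """Return the next object SID from this pool.

        The RuntimeError is the symptom an unreachable RID master eventually
        produces once every domain controller has used up its pool.
        """
        if self.next_rid > self.last:
            raise RuntimeError("RID pool exhausted; a new pool must come from the RID master")
        rid = self.next_rid
        self.next_rid += 1
        return build_sid(domain_sid, rid)


if __name__ == "__main__":
    print(describe(build_sid(DOMAIN_SID, 500)))
    pool = RidPool(1100, 1102)       # constructed, deliberately tiny pool
    while pool.remaining():
        print(pool.allocate())
```

When reviewing accounts or audit events, compare the trailing RID rather than the account name: the name of the built-in Administrator can be changed, its RID cannot.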
Primary Domain Controller (PDC) emulator
· Each domain will have only one PDC emulator
· Provides support for client systems other than Windows 2000
· Receives preferential replication of any password changes
· If logon authentication fails at any domain controller, the request is forwarded to the PDC emulator
· Acts as a Windows NT PDC providing updates to any Windows NT BDCs during a migration to Windows 2000 Active Directory
· Failure of the PDC emulator can immediately affect network users.
· If the PDC emulator role is seized permanently the server can be brought back online and returned to the PDC emulator role

Infrastructure master
· Each domain will have only one infrastructure master
· Updates group or user references when supporting group members from a different domain and group membership changes
· If placed on a Global Catalog server the infrastructure master will not be able to do its job properly, because out-of-date data will not be detected and therefore those updates will not be replicated
· Failure of the infrastructure master can go unnoticed unless a number of changes have been made.
· If the infrastructure master role is seized, the original server can be returned to the infrastructure master role when brought back online

Role Assignments
· The first domain controller is assigned the forestwide and domainwide operations master roles
· As new domains are created the first domain controller in the domain will automatically be assigned the domainwide operations master roles
· When promoting servers to domain controllers the option of reassigning operations master roles to different domain controllers is available
· Forestwide operations master roles cannot be reassigned to domain controllers in different domains.
· Assignment depends on the size and organization of the domain
· If there is only one domain controller, it will be responsible for all operations master roles
· If there is more than one domain controller, the relative ID master and PDC emulator master roles must be assigned to the same domain controller.
· Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to a Global Catalog server
· Ntdsutil is an interactive utility that can be used to transfer or seize operations master roles

Sites
· A set of domain controllers connected through a reliable high-speed connection
· A set of one or more IP subnetwork addresses
· Controls how replication is managed, logon traffic and DFS topology

Active Directory Sites
· Domain controllers get added to the Default-First-Site-Name object, which is automatically created
· Intersite replication occurs between two or more sites over manually created links based on a replication schedule
· To minimize network traffic, data is compressed to about 10-15% of its volume before intersite replication is transmitted
· Active Directory domains are defined by the network’s logical structure
· Sites are based on the network’s physical structure
· Sites can include:
  o All Active Directory domain controllers
  o Some of the Active Directory domain controllers
  o Domain controllers from different Active Directory domains

Site Links
· When Active Directory is installed a default site link (DEFAULTIPSITELINK) is created
· The transport used for transferring data between sites:
  o Remote Procedure Call (RPC) over TCP/IP [seen as IP] – required for File Replication Services
  o Simple Mail Transfer Protocol (SMTP) – used for schema partition, configuration partition and Global Catalog replication. Does not support replication between domain controllers in the same domain.
· The cost value determines which site link to use when multiple paths are available
  o The lower the cost, the higher the priority
  o Based on bandwidth and priority
  o Default cost is 100
· Scheduling controls when replication occurs
  o Set through the link schedule
  o The Replicate every property determines how long a connection waits before checking for updates (15-10,080 minutes)
  o By default a link is always available

Preferred bridgehead server
· The preferred domain controller for receiving intersite replication information, which it then passes on to the other domain controllers in its site
· The first choice for sending information to other sites
· A firewall proxy server is required to be a preferred bridgehead server
· Multiple bridgehead servers can be specified to add fault tolerance to the replication design

Site Link Bridges
· Site links are transitive by default, therefore site link bridges are not needed in a fully routed IP network
· The transitive link feature can be disabled
· Site link bridges should model the network’s physical routing
· A site link bridge is defined by two or more site links
· The cost of the site link bridge is the cumulative cost of each link it spans
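How the site link cost rules and the cumulative cost of a site link bridge combine, as an added example that is not part of the study guide: a small Python model of site links that finds the lowest-cost replication route between two sites with Dijkstra’s algorithm, first with the default transitive behaviour (every link may be chained) and then with transitivity disabled, where only a single link or the links inside one explicit bridge may be chained. Site names, links and the 300 cost of the slow branch-to-branch link are constructed; the default cost of 100 is the one the guide states.

```python
# Added example, not from the study guide. Models site links, their costs and
# site link bridges, and finds the lowest cumulative cost path between two
# sites. Site names, links and costs are constructed sample values.
import heapq

DEFAULT_COST = 100   # default site link cost


class SiteTopology:
    def __init__(self, bridge_all=True):
        self.bridge_all = bridge_all     # True: site links are transitive (the default)
        self.links = {}                  # link name -> (frozenset of sites, cost)
        self.bridges = []                # explicit site link bridges: sets of link names

    def add_link(self, name, sites, cost=DEFAULT_COST):
        if len(sites) < 2:
            raise ValueError("a site link needs at least two sites")
        self.links[name] = (frozenset(sites), cost)

    def add_bridge(self, *link_names):
        """A bridge is two or more site links that become transitive with one another."""
        if len(link_names) < 2 or any(n not in self.links for n in link_names):
            raise ValueError("a bridge needs two or more existing site links")
        self.bridges.append(set(link_names))

    def _dijkstra(self, src, dst, allowed):
        """Lowest cost path from src to dst using only the links in `allowed`."""
        best, prev, heap = {src: 0}, {}, [(0, src)]
        while heap:
            cost, site = heapq.heappop(heap)
            if site == dst:
                path = [dst]
                while path[-1] != src:
                    path.append(prev[path[-1]])
                return cost, path[::-1]
            if cost > best[site]:
                continue                 # stale heap entry
            for name in allowed:
                sites, link_cost = self.links[name]
                if site not in sites:
                    continue
                for nxt in sites:
                    new_cost = cost + link_cost
                    if nxt != site and new_cost < best.get(nxt, float("inf")):
                        best[nxt], prev[nxt] = new_cost, site
                        heapq.heappush(heap, (new_cost, nxt))
        return None

    def cheapest_path(self, src, dst):
        """(total cost, [sites]) of the preferred route, or None if unreachable.

        With bridge_all every link may be chained. Otherwise a route may use a
        single link on its own, or chain links only within one explicit bridge,
        and the bridge's cost is the sum of the links the route crosses.
        """
        if self.bridge_all:
            groups = [set(self.links)]
        else:
            groups = [{n} for n in self.links] + [set(b) for b in self.bridges]
        routes = [r for r in (self._dijkstra(src, dst, g) for g in groups) if r]
        return min(routes, key=lambda r: r[0]) if routes else None


def sample_topology(bridge_all=True):
    """Constructed hub-and-spoke WAN with a slow direct link between two branches."""
    topo = SiteTopology(bridge_all)
    topo.add_link("HQ-Branch1", ["HQ", "Branch1"])                 # default cost 100
    topo.add_link("HQ-Branch2", ["HQ", "Branch2"])                 # default cost 100
    topo.add_link("Branch1-Branch2", ["Branch1", "Branch2"], cost=300)
    return topo


if __name__ == "__main__":
    print(sample_topology().cheapest_path("Branch1", "Branch2"))
    print(sample_topology(bridge_all=False).cheapest_path("Branch1", "Branch2"))
```

With transitive links the branches replicate through HQ at a cumulative cost of 200 rather than over the 300-cost direct link; once transitivity is disabled the direct link is the only route until a bridge spanning the two HQ links is defined, which is the guide’s point that bridges should model the physical routing.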
Site Licensing
· License information is replicated to a centralized database located on the site’s site license server
· The site license server will be the first domain controller created for a site