Windows 2000 Directory Services Administration
Chapter 1: Introduction to W2K Directory Services Administration
I. Introduction to Microsoft Certification
A. Certifications available
1. MCP
2. MCSE
3. MCSD
4. MCDBA
B. Certification process
1. Scheduling an exam
Exams can be scheduled through Sylvan Prometric or through VUE. Both companies charge $100 per exam, regardless of whether you pass or fail. All companies will direct the student to a dedicated testing center, which will administer the test in a secure testing environment.
2. What you need when you arrive at the testing center
Two forms of ID, both with signatures and one with a picture. Most people use their driver's license and a credit card.
3. Before you go in
Review your notes for the key concepts and definitions right before you walk in the door. This ensures that all the information will still be fresh in your mind at the time of the test.
4. What to expect
a. Adaptive
i. No fixed number of questions, just minimum and maximum. This means that a test may contain at least 25 questions, but no more than 30. The specific numbers involved may change with each test.
ii. Can't go back to previous questions
b. Normal
i. Fixed number of questions and time
ii. Can mark questions for later review
c. It's okay to fail; nobody passes them all on the first try.
II. What is implementing and administering a Microsoft Windows 2000 Directory Services infrastructure?
A. Definitions: To understand the scope of this class and the 70-217 exam, first look at the individual aspects of the concepts.
1. Implementing: Putting into practical effect, or carrying out
2. Administering: Having charge of or simply managing
3. Directory: A database that contains information about objects and their attributes
a. Telephone book: A directory of names, numbers, and addresses
4. Directory Service: Provides for the searchability and accessibility of the data stored, as well as performs the necessary gathering, sorting, and organization of the data itself
5. Infrastructure: An underlying base or foundation for an organization or system
B. Features: Active Directory provides a number of features to the Windows 2000 organization and is the heart of the network itself.
1. Data store: Basically, the Directory Service features listed within our definitions. The data store keeps the objects of AD, including:
a. Shared resources such as directories and printers
b. User accounts and their associated group memberships
c. Computer accounts and locations, including sites and replication information
d. Application-specific data for directory-aware Windows 2000 applications such as Microsoft Exchange 2000
2. Schema: Basically, a set of rules used to govern the type and properties of the objects stored within the data store. The schema has to be the same throughout the entire organization and is protected against unauthorized changes to ensure data integrity.
3. Global catalog: Service that allows information to be stored and searched for on a forest-wide level. Active Directory domains are automatically connected via trust relationships, but the entire data store is not shared between the domains. Rather, only the information published to the global catalog server is available for searching on a forest-wide basis. Anything not published to the global catalog is still available to users from other domains, but those users will need to know what they are looking for and where to find it before they can gain access.
4. Replication service: All information within a domain has to be automatically shared between all AD servers within a domain. This process of ensuring all servers have the same information is called replication. Additionally, all global catalog servers throughout the domain have to be configured to support replication between each other.
5. Security subsystem: System that provides for secure logon and user authentication
6. Interoperability: The ability to join multiple domains together to form trees, and trees together to form forests. Additionally, the ability to share data between other directory services and Directory Service dependent applications.
7. Administrative control: Scalable administrative control over all aspects of the forest, domains, and sites. Administrative access can range from granular control of individual objects to global control of all objects within the forest (through the use of policy objects).
C. The role of Directory Service
The Directory Service is one of the key components to any interconnected Windows 2000 based organization. It is necessary at an administrative as well as a security level, and serves as the primary glue which holds the organization together. That is why this test uses the word "infrastructure" in its description.
1. Directory Service within NT
a. Security Accounts Manager (SAM) stored usernames and passwords, as well as general information about each user, but information was not sharable or searchable. Additionally, the SAM was stored in the registry of all domain controllers, and was only modifiable on the primary domain controller. Due to the memory limitations of storing the database in the registry, NT domains could not effectively scale past 40,000 users. (When a large number of groups and computer accounts also existed within the same domain, the maximum number was drastically reduced.)
b. Services such as DNS, DHCP, WINS, and File and Print Sharing were independent and not easily interoperable.
2. Advantages of Active Directory over NT
a. Interoperability of Directory Services: With Active Directory, the services within the organization can easily be integrated to provide for ease of use and decreased administrative overhead.
b. Replication of directory information: With Windows 2000 and the Active Directory, objects can be modified from any domain controller, and those changes are then replicated throughout the rest of the domain. (There are a few objects that can only be added or modified from specific operations masters, but those issues will be covered later in this text.)
D. Features of the Global Directory Service: Defined as being a Directory Service scalable to the enterprise level, compatible with Internet and industry standards, and fully integrated with the operating system
1. TCP/IP-based system with support for and integration with:
a. Dynamic Domain Name Service (DDNS)
b. Dynamic Host Configuration Protocol (DHCP)
c. Lightweight Directory Access Protocol (LDAP)
2. ADSI and SSPI
3. Consistent Microsoft Management Console (MMC) management from anywhere in the organization. See Figure 1-1 on page 11.
4. Customization and control of the user environment
5. Directory-enabled applications and easier deployment and configuration
a. Central directory for all applications within the organization, user authentication done by the Active Directory Controller (ADC) for all applications, including Exchange and SQL.
6. Integration of security services based on the industry standard Kerberos protocol
E. Active Directory physical structure
1. Sites: An Active Directory domain can be physically broken down into sites. Each site must have one or more unique IP subnets, and is created to optimize one of two aspects within the domain:
a. Authentication optimization
b. Directory replication optimization
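The point of tying each site to unique IP subnets is that a client is placed in a site by matching its address against the subnet objects, and a client whose address matches no subnet gets no site affinity (so it may authenticate against a domain controller across the WAN). The following Python model is an added illustration, not part of the course notes or any Microsoft tool: it resolves an address to a site by longest-prefix match, rejects a subnet assigned to two sites, and reports clients that fall in no site. The site names and subnets are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample data (not from any real forest): site name -> subnets
# assigned to that site. Note the /24 carved out of HQ's /16 for Branch-East,
# which is why the lookup must prefer the most specific matching subnet.
SITE_SUBNETS: Dict[str, List[str]] = {
    "HQ": ["10.1.0.0/16"],
    "Branch-East": ["10.1.200.0/24", "192.168.5.0/24"],
    "Branch-West": ["10.2.0.0/16"],
}


def build_subnet_table(site_subnets: Dict[str, List[str]]):
    """Flatten site -> subnets into a network -> site table. A subnet object in
    AD belongs to exactly one site, so a subnet listed under two sites is an
    error in the input rather than something to resolve silently."""
    table = {}
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr, strict=True)  # host bits must be zero
            if net in table and table[net] != site:
                raise ValueError(f"subnet {net} assigned to both {table[net]} and {site}")
            table[net] = site
    return table


def lookup_site(ip: str, table) -> Optional[str]:
    """Return the site whose most specific subnet contains ip, or None when no
    subnet covers the address (the client then has no site affinity)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, site in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def unassigned_clients(ips: List[str], table) -> List[str]:
    """Given client addresses (e.g. pulled from logon logs), return those that
    map to no site; each one is a candidate for a missing subnet object."""
    return [ip for ip in ips if lookup_site(ip, table) is None]


if __name__ == "__main__":
    table = build_subnet_table(SITE_SUBNETS)
    # Constructed client addresses for the demonstration.
    clients = ["10.1.3.4", "10.1.200.7", "10.2.0.9", "172.16.0.1", "192.168.5.20"]
    for ip in clients:
        print(f"{ip:>14} -> {lookup_site(ip, table)}")
    print("no site:", unassigned_clients(clients, table))
```

Run the block directly to see each constructed client mapped to its site; the address 172.16.0.1 is reported as belonging to no site, which in a real domain is the first thing to check when a branch office complains about slow logons.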
2. Active Directory logical structure
Domains are the core of Active Directory and the only logical structure required. However, whenever implementing multiple domains together to form a large Active Directory organization, there are a number of additional issues and advantages presented at three separate levels:
a. Trees and forests
i. Trees are a group of one or more domains sharing a common namespace.
ii. A forest is a group of one or more trees, which do not have to share a common namespace. All organizations have one forest, regardless of the number of trees and domains.
b. Trusts
By default, all trusts within an Active Directory domain are transitive two-way trusts. However, individually configured one-way trusts (NT style) are still supported for legacy connectivity issues.
i. Between individual domains
ii. Between trees
iii. Shortcut trusts
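The practical difference between the trust types listed above is which authentication paths exist and how long they are: transitive two-way trusts chain through the tree, an NT-style one-way trust works only directly between the two domains that configured it, and a shortcut trust shortens the referral path between two deeply nested domains. The following Python model is an added example, not from the course notes: it represents trusts as a directed graph (trusting domain to trusted domain) and finds the shortest trust path for a given resource domain and account domain. The forest, with domain names such as corp.example and a legacy domain LEGACYNT, is constructed for illustration, and the rule that a non-transitive trust can only be the single link of a path is this model's simplification of the NT-style behaviour.

```python
from collections import deque
from typing import Dict, List, Optional, Tuple


class TrustGraph:
    """Trusts as directed edges: trusting -> trusted means accounts from the
    trusted domain can be authenticated for resources in the trusting domain."""

    def __init__(self) -> None:
        self.edges: Dict[str, List[Tuple[str, bool]]] = {}

    def add_trust(self, trusting: str, trusted: str,
                  transitive: bool = True, two_way: bool = True) -> None:
        """Default is a two-way transitive trust (parent-child, tree-root or
        shortcut); transitive=False, two_way=False models an NT-style trust."""
        self.edges.setdefault(trusting, []).append((trusted, transitive))
        self.edges.setdefault(trusted, [])
        if two_way:
            self.edges[trusted].append((trusting, transitive))

    def trust_path(self, resource_domain: str, account_domain: str) -> Optional[List[str]]:
        """Shortest chain of domains an authentication referral walks from the
        resource domain to the account domain, or None when no trust allows it.
        A non-transitive trust may only be the single link of a path; any
        longer path must consist of transitive links only."""
        if resource_domain == account_domain:
            return [resource_domain]
        # A direct trust of either kind is always usable.
        for trusted, _transitive in self.edges.get(resource_domain, []):
            if trusted == account_domain:
                return [resource_domain, account_domain]
        # Otherwise breadth-first search over transitive links only.
        prev: Dict[str, Optional[str]] = {resource_domain: None}
        queue = deque([resource_domain])
        while queue:
            current = queue.popleft()
            for nxt, transitive in self.edges.get(current, []):
                if not transitive or nxt in prev:
                    continue
                prev[nxt] = current
                if nxt == account_domain:
                    path = [nxt]
                    while prev[path[-1]] is not None:
                        path.append(prev[path[-1]])
                    return path[::-1]
                queue.append(nxt)
        return None


def build_sample_forest() -> TrustGraph:
    """Constructed forest: one tree rooted at corp.example, plus an NT-style
    one-way external trust to a legacy domain. All names are placeholders."""
    g = TrustGraph()
    g.add_trust("corp.example", "east.corp.example")
    g.add_trust("corp.example", "west.corp.example")
    g.add_trust("east.corp.example", "sales.east.corp.example")
    g.add_trust("corp.example", "LEGACYNT", transitive=False, two_way=False)
    return g


def hops(path: Optional[List[str]]) -> Optional[int]:
    """Number of trust links a path crosses, or None for an unreachable pair."""
    return None if path is None else len(path) - 1


if __name__ == "__main__":
    g = build_sample_forest()
    before = g.trust_path("sales.east.corp.example", "west.corp.example")
    print("without shortcut:", hops(before), before)
    g.add_trust("sales.east.corp.example", "west.corp.example")  # shortcut trust
    after = g.trust_path("sales.east.corp.example", "west.corp.example")
    print("with shortcut:   ", hops(after), after)
    print("corp.example <- LEGACYNT:", g.trust_path("corp.example", "LEGACYNT"))
    print("east <- LEGACYNT (non-transitive):", g.trust_path("east.corp.example", "LEGACYNT"))
    print("LEGACYNT <- corp.example (one-way):", g.trust_path("LEGACYNT", "corp.example"))
```

Running the block shows the three-hop referral between the two leaf domains collapsing to one hop once the shortcut trust is added, while the legacy domain's accounts reach only the single domain that trusts them and nothing below it.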
c. Domains: Domains are the core of Active Directory. By default, all objects and users exist within a single domain. As more domains are added to the organization, there is a definite increase in the administrative overhead involved.
i. Groups of multiple domains sharing the same hierarchical namespace are called trees. Figure 1-2 on page 15 shows the hierarchical structure of a domain tree.
III. Overview of Exam 70-217
The 70-217 exam is focused on the implementation of the Active Directory Services and their configuration within an organization. The Microsoft Exam 70-221 is intended to test the student's ability to design an effective Directory Services infrastructure. In many ways, Exam 70-217 contains a tremendous amount of prerequisite knowledge for the 70-221 exam. Additionally, some of the core concepts involved in designing Directory Services architecture have to be addressed during this class for the students to fully understand the features and administration involved with an Active Directory domain.
A. Installing, configuring, and troubleshooting Active Directory
1. Sites and subnets
2. Special domain controller roles
a. Global Catalog server
A domain controller that contains a partial replica of every domain in the Active Directory. These replicas include only some of each object's attributes. See Figure 1-4 on page 18.
b. Operations masters
i. Schema master
ii. Domain-naming master
iii. Infrastructure master
iv. Relative ID master (RID)
v. PDC emulator
3. The organizational unit structure
Container objects in the Active Directory that can be created within a domain for the purpose of creating administrative boundaries. They can contain:
- Users
- Groups
- Computers
- Printers
- Other organizational units
See Figure 1-5 on page 22.
4. Back up and restore Active Directory
a. Authoritative restore
b. System failure recovery
B. Installing, configuring, managing, monitoring, and troubleshooting DNS for Active Directory
1. Use the Computer Management Console, shown in Figure 1-5, to manage Windows 2000 DNS
2. Zone configuration
3. Managing, monitoring, and troubleshooting DNS
C. Installing, configuring, managing, monitoring, optimizing, and troubleshooting change and configuration management
1. Group Policy objects
2. Delegation of control
3. Group Policy inheritance
a. Blocking inheritance
b. Enforcing inheritance
D. Implementing and troubleshooting Group Policy
1. Using Group Policy to manage the user environment
2. Managing software via Group Policy
E. Using Remote Installation Services (RIS)
1. Installing and configuring RIS
2. Troubleshooting RIS
3. RIS security issues
F. Managing, monitoring, and optimizing the components of Active Directory
1. Active Directory objects
2. Active Directory performance
3. Active Directory replication
G. Configuring, managing, monitoring, and troubleshooting Active Directory security solutions
IV. What this class will cover
A. Hands-on introduction to Windows 2000 and Active Directory management
This class will explore the concepts mentioned above and reinforce those explanations with hands-on experience. Throughout this class, we will be focusing on a number of steps to ensure proper student understanding and class participation.
1. Build our own company and AD network
2. Customize our design to meet the business needs of the company we are going to be building
3. Use labs and instructor-led discussions to translate knowledge presented in the book and during the class into real-world experience
B. Knowledge necessary to pass the 70-217 exam
The specific knowledge necessary to meet the core requirements of the 70-217 exam will be presented to the students in the class and the accompanying student Study Guide. While not every possible question presented on the 70-217 exam will be covered, the hands-on experience and product knowledge needed for the students to discover the correct answers during the test is emphasized as much as possible. However, at no time will specific answers or their questions be presented in the outline or in the book. Sharing testing information of any kind is a violation of the certification agreement and can be grounds for the removal of any certification gained by all parties involved.
C. Knowledge necessary to manage Windows 2000 Active Directory domains in the real world
The value of the MCSE and other certifications to an individual is only as good as the quality of the knowledge it represents. In situations in which a student is given just enough information to pass the exam, the value of all certified individuals decreases. The Windows 2000 exams have been rewritten to ensure a more difficult and accurate testing environment, which means fewer "paper" MCSEs will be entering the job market. However, all instructors should still consider it their responsibility to ensure that their students are just as ready for the real world as for the examination process.
V. Prerequisite knowledge review
A. Microsoft networking concepts
1. Peer-to-peer and client/server networking models, and hands-on experience with both
2. Networking architectures and LAN and WAN topologies
a. STAR
b. BUS
c. MESHED
d. TOKEN
3. Networking hardware and software
a. Client operating system software
i. Windows 95/98
ii. Windows NT Workstation
iii. Windows 2000 Professional
b. Networking hardware and concepts
i. Hubs
ii. Switches and bridges
iii. Routers
c. Internetworking technologies used in WAN applications
i. Dial-up
ii. Frame-relay
iii. Point-to-point
iv. ATM
v. DSL
vi. ISDN
4. OSI and DOD networking models
5. TCP/IP protocol stack
a. Subnetting
b. DHCP
c. Basic DNS and WINS
d. Supernetting
e. Troubleshooting
i. PING
ii. Traceroute
iii. IPConfig
B. Windows 2000 concepts
In general, the knowledge required for Exams 70-210 and 70-215 needs to be mastered before this class and its topics are undertaken. Successful students in this class should expect to have an understanding of:
1. Trust relationships: transitive and traditional
2. Hierarchical domain structure
3. The role of Active Directory sites
4. How Organizational Units (OU) fit into the Active Directory structure
5. How to use the MMC
6. General Windows 2000 tools and their functions
C. Directory Service terminology
The general Directory Services terminology as defined on pages 34-37 in the text and in this book's preface should be understood.