Dave’s Notes on Exam 70-219
Designing a Microsoft Windows 2000
Directory Services Infrastructure

by Dave Lilligren from Dave's Help Page for Win2k Certification! for Networkdesigner.net

This exam of 40 "items" is a long one, as evidenced by the nearly 4 hours allotted to complete it. What makes it so lengthy is its format, which is based upon case studies, each with several questions. It takes quite a bit of time to digest the various case studies, as they are quite involved. Fortunately, you are able to refer back to the studies during the questions.

The passing score is pretty low – 613. You will probably find some seemingly contradictory questions, and some that are downright hard. But, you should find enough clear and easier-to-follow questions to help you pass. I did, as my 783 score reflects. I was relieved to see that almost all of the information in the exam was covered by the MOC, Course 1561.

Rather than go into too much detail regarding the exam itself (something called a "Non-Disclosure Agreement" precludes me from doing so anyway), I would like to focus on the principles and important points of designing a Directory Services infrastructure. If you have a grasp of these points, then any case study thrown at you in any format should be manageable. A final point on the case studies, though: they actually were a little bit fun. You find yourself role-playing "Joe (or Jane) Consultant." It was kind of real-world-like, in a way. Not as boring as some of those other exams. Well, on to my notes!

Designing an Active Directory Naming Strategy

· Remember the difference between Active Directory names and DNS names. They appear identical, but AD names identify directory objects, while DNS names resolve to resource records.

· Know how to interoperate AD with BIND (Unix DNS servers). BIND version 8.2.1 is the minimum recommended version, because it supports SRV records, dynamic updates, and incremental zone transfers. So, if you need to retain the Unix DNS servers, and you’re running 8.2.1 or later, you won’t need to upgrade them.

· Remember that the first domain in which you install AD in your enterprise becomes the root domain of the forest and of its tree (trees are based on a contiguous DNS namespace).

· There are basically three ways to determine a DNS naming strategy:

o Use a delegated subdomain name (e.g., corp.moron.com for the registered moron.com DNS name)

o Use a single DNS domain for both the public and private networks (e.g., moron.com used both internally and externally). This does require additional administration, especially trying to keep the two separate in your design!

o Use a different DNS name for the public and private networks (e.g., moron.com and moronic.com). This makes the division of private and public resources easy.

Designing Active Directory to Delegate Administrative Authority

· Know how the company is (or desires to be) organized. Is IT centralized? If you centralize IT, but decentralize management, you can use a single-domain model, with OUs for delegating administrative tasks.

· You can base your hierarchy completely on location, organization, or function. Just be consistent throughout.

· If you mix OUs with domains, you can build your hierarchy by location (e.g., florida.moron.com) with organizational OUs (e.g., sales); or you can do it by organization (e.g., marketing.moron.com) with location OUs (e.g., Chicago).

· When it comes to delegating administrative authority, you can do it at the site, domain, or OU level.

Designing a Schema Policy

· Any change made to the schema affects the entire forest! It will also generate network traffic until the change is replicated throughout the enterprise.

· Only members of the Schema Admins group can make changes.

· Often, a directory-enabled application will modify the schema. A classic example would be Exchange 2000. Here's the catch, though. These apps are installed in two phases, with the first one modifying the schema. Guess who can't do this? Anybody NOT in the Schema Admins group. KNOW THIS!

Designing Active Directory to Support Group Policy

· Know the different levels at which you can apply group policy, and why you would use each.

o At the site level, you would want to apply a GPO that generates a lot of traffic, such as a software installation.

o There are some GPOs that can only be applied at the domain level, such as password and account policy settings.

o Most GPOs should be applied at the OU level, because it gives you so much more flexibility.

· Know how to filter GPOs. For example, if you are an administrator, and you just restricted access to changing the registry, you'd want to exclude yourself, right? So, you "filter" by "denying" the policy to the Administrators group.

· Understand how GPOs are applied. Policy is processed from the site down through the domain to the OUs, and the GPO linked to the lowest-level OU is applied last, so it wins on any conflict. Higher-level GPOs are inherited, unless inheritance is "blocked" on a lower container. Guess how you override "blocking"… by checking the "No Override" box on the higher-level link. Might not make sense, but that's how you do it!
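The application order, blocking, No Override and filtering described in the three points above, worked through as a small model (an added example, not from Dave's notes; the container, GPO and group names are constructed):

```python
# Added example (not from Dave's notes): a model of Windows 2000 GPO processing.
# Containers apply site -> domain -> OU -> sub-OU, later ones win on conflict;
# "Block Policy inheritance" drops GPOs from containers above it; a "No Override"
# link can't be blocked and beats lower links; a group denied "Apply Group Policy"
# on a GPO is filtered out of it. All names below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class GpoLink:
    name: str
    settings: dict                              # setting name -> value
    no_override: bool = False
    denied_groups: frozenset = frozenset()      # groups denied Apply Group Policy

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # GpoLinks in link order
    block_inheritance: bool = False

def effective_policy(chain, user_groups):
    """chain: containers from the site down to the user's lowest OU."""
    block_from = 0                   # index of the lowest blocking container
    for i, c in enumerate(chain):
        if c.block_inheritance:
            block_from = i
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for link in c.links:
            if user_groups & link.denied_groups:
                continue             # filtered: user is in a denied group
            if link.no_override:
                enforced.append(link)
            elif i >= block_from:    # links above the block are discarded
                normal.append(link)
    result = {}
    for link in normal:              # lowest-level OU applied last, so it wins
        result.update(link.settings)
    for link in reversed(enforced):  # among No Override links the highest wins
        result.update(link.settings)
    return result
# Sample design: site GPO installs software, domain GPO sets a password policy
# with No Override, Sales OU blocks inheritance and locks the registry for
# everyone except the Administrators group (the filtering case in the notes).
SITE = Container("Chicago-site", [GpoLink("Office-Install", {"install_office": True})])
DOMAIN = Container("moron.com", [GpoLink("Domain-Passwords", {"min_pwd_len": 8}, no_override=True)])
SALES = Container("Sales", [GpoLink("Lock-Registry", {"disable_regedit": True},
                                    denied_groups=frozenset({"Administrators"}))],
                  block_inheritance=True)
CHAIN = [SITE, DOMAIN, SALES]
```

Calling `effective_policy(CHAIN, {"Domain Users"})` shows the site GPO dropped by the block, the password policy surviving through No Override, and the registry lock applied; adding "Administrators" to the groups removes the registry lock.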

Designing an Active Directory Domain

· Make sure you know the difference between Universal groups, Global groups, and Domain local groups!

· Know how to use different levels of OUs. Upper-level OUs should be based on things that don't change in the organization (such as a geographical location). Use the lower-level OUs to delegate authority over objects, such as users or printers.

Designing a Multiple-Domain Structure

· Rule one – if there are no compelling reasons to use a multiple-domain structure, use a single domain. Unlike NT 4.0, you don’t increase capacity with more domains. A single domain can handle over 4 billion objects.

· But you would use a multiple-domain model in the following situations:

o Different domain-level policies (e.g., password and account policies)

o Decentralized administration

o Reduce replication traffic (keep domain controllers from replicating over a WAN link).

· Know how trusts are used in Windows 2000. Generally, the default trusts will be adequate. Within a forest, all trusts are two-way and transitive. You might want to save time by creating a shortcut trust. You would only use an NT 4.0-type trust (one-way, explicit) when you are dealing with resources OUTSIDE of your forest, such as when you are partnering with another corporation.

· When using multiple domains that are on the same level administratively, you might want to create a blank root domain (e.g., moron.com) and put all your accounts into the subdomains (e.g., ura.moron.com and ima.moron.com).

· Know that multiple trees are used when the namespace is not contiguous (e.g., moron.com and imbecile.com).

· Only use separate forests when you are dealing with different corporations or you want to maintain separate schemas. But you will have to set up external, explicit trusts in these cases.

Designing an Active Directory Site Topology

· A "site" in AD is a location that has well-connected computers (at least 10 Mbps). They play a key role in replication.

· In a domain with multiple sites, you will want at least one domain controller in each site.

· If bandwidth availability is low between sites, you will want to schedule replication to occur at off-peak hours.

· The connection between two sites is called a "site link." If multiple site links exist, the best path (lowest cost) is chosen.

· If you have more than two sites to connect, you can use what is called a "site link bridge." For example, Chicago is connected to Minneapolis, which is connected to Seattle. You get to Seattle from Chicago via the site link bridge through Minneapolis. Similar in a sense to routing.

· At each site, you will find at least one "bridgehead server." The KCC (knowledge consistency checker – kind of like a routing protocol) builds a topology of the network and usually automatically designates this server. But, you can manually configure it as well.

· When replicating between sites, understand the two transports that can be used over IP: SMTP and RPC over IP. SMTP is nice because it is asynchronous and does not need a persistent connection to the replication partner, so updates can be queued and sent later. BUT (and a big one at that), you CAN'T use SMTP for intra-domain replication. You can only use SMTP for schema and global catalog replication. Most of the time, then, you will use RPC.

· At this point, you'll also need to understand Operations Masters. The Schema Master and the Domain Naming Master only exist in the root domain of the forest (one of each per forest). One PDC Emulator Master, one RID Master, and one Infrastructure Master exist in each domain. You MUST know this. Global Catalog servers should be in each site. The Infrastructure Master should not be a Global Catalog server: a GC already holds a copy of every object in the forest, so an Infrastructure Master running on one would never notice the inconsistencies it is supposed to detect.
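A design check for the placement rules in this point (added here, not part of Dave's notes; the forest, domain, site and server names are constructed sample data):

```python
# Added example (not from Dave's notes): validates a proposed domain-controller
# layout against the Operations Master and Global Catalog placement rules above.
# Each DC is a dict: name, domain, site, gc (bool), roles (set of role names).
# All forest, domain, site and server names are constructed sample data.
FOREST_ROLES = ("SchemaMaster", "DomainNamingMaster")
DOMAIN_ROLES = ("PDCEmulator", "RIDMaster", "InfrastructureMaster")

def check_placement(root_domain, dcs):
    """Return a list of rule violations; an empty list means the design passes."""
    problems = []
    domains = {dc["domain"] for dc in dcs}
    sites = {dc["site"] for dc in dcs}
    # Forest-wide roles: exactly one holder, and it lives in the forest root domain.
    for role in FOREST_ROLES:
        holders = [dc for dc in dcs if role in dc["roles"]]
        if len(holders) != 1:
            problems.append(f"{role}: expected one holder in the forest, found {len(holders)}")
        elif holders[0]["domain"] != root_domain:
            problems.append(f"{role} is on {holders[0]['name']} in "
                            f"{holders[0]['domain']}, not the root domain")
    # Per-domain roles: exactly one holder in every domain.
    for domain in sorted(domains):
        for role in DOMAIN_ROLES:
            n = sum(1 for dc in dcs if dc["domain"] == domain and role in dc["roles"])
            if n != 1:
                problems.append(f"{domain}: expected one {role}, found {n}")
    # Infrastructure Master on a GC never sees stale cross-domain references.
    # (Assumption beyond the notes: with a single domain there are no such
    # references, so the check is skipped.)
    for dc in dcs:
        if "InfrastructureMaster" in dc["roles"] and dc["gc"] and len(domains) > 1:
            problems.append(f"{dc['name']} is Infrastructure Master and a Global Catalog")
    # Every site should contain a Global Catalog server.
    for site in sorted(sites):
        if not any(dc["gc"] for dc in dcs if dc["site"] == site):
            problems.append(f"site {site} has no Global Catalog server")
    return problems

# Sample two-domain forest: root moron.com plus child ura.moron.com.
SAMPLE_DCS = [
    {"name": "DC1", "domain": "moron.com", "site": "Chicago", "gc": True,
     "roles": {"SchemaMaster", "DomainNamingMaster", "PDCEmulator",
               "RIDMaster", "InfrastructureMaster"}},
    {"name": "DC2", "domain": "ura.moron.com", "site": "Chicago", "gc": True,
     "roles": {"PDCEmulator", "RIDMaster", "InfrastructureMaster"}},
    {"name": "DC3", "domain": "ura.moron.com", "site": "Seattle", "gc": False,
     "roles": set()},
]
```

Running `check_placement("moron.com", SAMPLE_DCS)` flags both Infrastructure Masters for also being Global Catalogs and the Seattle site for having no Global Catalog server.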

Dave’s Final Thoughts

If you’ve passed the four core exams by this point, you shouldn’t fret too hard about this exam. If you understand all that I’ve written about above, you should be able to pass your first time. They give you plenty of time. I only used half of the time, and I’m not a fast exam taker. Relax, and have fun with this one!


©1999-2002 Network Designer