name = study_guide

exam = 70-219

I passed 219 last week with a good score. Got four cases: a.datum, toys, ski and research.

39 questions (47 items).

Material used (you don't need a lab or hands-on for this one):

--- This site. Thanks to all contributors!!!

--- Transcender. Gives you the areas to focus on with good explanations. Wording and form are very similar to the real test. But don't expect to get the same cases.

--- Sybex. Just read it halfway and gave up.

--- Resource Kit online books. You can find all the answers you want.

--- MS TechNet. Up-to-date materials.

--- MS online seminars. Just the beginning of your study.

--- MOC 1561. Gives you the big picture, but not enough.

--- Cramsession study guide. Not as good as it used to be. At least this one.

My advice:

--- Read the questions first (click on Next and you will see the questions), analyze the possible answers and write down the question area and what information you expect the case will give you. I asked for two scratch pads for notes. Very helpful. Read the question briefly and quickly (use the ALL tab). Read your notes about the questions again. Read the ALL tab again and pay attention to the areas related to your notes. If you find the key sentence to answer one or more questions, go back to the questions (click on the Questions button) and select your answer. Draw the forest. If you draw it correctly, you will be able to answer 40% of the questions.

--- You can answer quite a few questions just by reading the questions and the possible answers.

--- Skip the LAN configuration and client sections. It's a waste of time to read them. Read them only if you have a question related to them, such as increasing client security (see if the clients are able to run w2kpro).

--- Always draw the location diagram. You need it to design the sites.

--- When you use the following study notes, which I think cover 95% of the area of my four cases (yours may be different), please spend extra time on the interoperation of DNS and BIND. I got 6 questions but missed 3-4 I guess (according to my score). So it's the only weakness in my study.

--- Biz factors can shift between AD components depending on the case.

Any comments are appreciated. I'm not an English speaker. So forgive my grammar and spelling mistakes.

Good Luck

---------------------------------------------------------------

Study notes

---------------------------------------------------------------

When you need a new forest, a new tree, or a new domain

Forest:
    Different common change policies
    Different schema modifications. To change the schema, you must be a member of the Schema Administrators group.
    Active Directory integrated applications may need a new schema
    No transitive trusts (full trust model)
    Completely separate administration
    Separate Schema and Enterprise Administrators groups
    Separate global catalog
    An ISP that maintains an AD on behalf of other companies
    If you integrate one network into another one, only one forest is needed (two trees)
    Completely separated internal and external networks
    You don't want someone else to get ANY access (permissions) to the forest

Tree:
    Two separate entities operating independently: two trees
    Share a common schema, global catalog, and configuration but use a different namespace

Domain:
    Different security policies (password policy, PKI, etc.)
    Complete administrative autonomy
    Use SMTP for replication between sites when the WAN is not reliable
    Share a common schema, global catalog, configuration and namespace but administer separately
    Use an empty domain: share a common schema, global catalog, configuration and namespace but administer separately, or control the schema master and domain naming master
    If you have a.b.com and c.b.com and want users to be able to log on as [email protected], you must create the root domain b.com (empty)

----------------------------------------------------------

A new domain could be:
    The root domain of a new forest
    The root domain of a tree
    A child domain of a domain

------------------------------------------------------------

When you need a new site
    Replication can be scheduled and configured on a cost basis.
    WAN speed <= T1 (1.544 Mbps) and traffic
    T3 is considered a high-speed connection within a site.

---------------------------------------------------

Trust relationship
    Default: Kerberos 5
    The path of Kerberos 5 (usera.b.c.com wants to access printera.d.c.com; what is the default path?)
    Shortcut trust within a forest
    Explicit one- or two-way trust between forests
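The default referral path in the question above (b.c.com up to c.com, then down to d.c.com) and the effect of a shortcut trust can be worked through with a small model of the forest's trust graph. This is an added example, not part of the original notes: it assumes a forest whose parent-child trusts follow the DNS names, where every tree root other than the forest root has a tree-root trust with the forest root, and where shortcut trusts are extra direct edges; the domain names in FOREST are constructed sample data.

```python
"""Kerberos referral path through a Windows 2000 forest (added example)."""
from collections import deque


def build_trust_graph(domains, forest_root, shortcut_trusts=()):
    """Return {domain: set(directly trusted domains)} for the forest.

    All trusts modelled here are two-way and transitive, so a referral can
    follow any chain of edges; the default path is simply the shortest one.
    """
    graph = {d: set() for d in domains}

    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)

    for d in domains:
        parent = d.split(".", 1)[1] if "." in d else ""
        if parent in graph:
            link(d, parent)           # parent-child trust within a tree
        elif d != forest_root:
            link(d, forest_root)      # tree-root trust between trees
    for a, b in shortcut_trusts:
        link(a, b)                    # shortcut trust: skips the walk up and down
    return graph


def trust_path(graph, source, target):
    """Breadth-first search: the referral path with the fewest domain hops."""
    prev = {source: None}
    queue = deque([source])
    while queue:
        cur = queue.popleft()
        if cur == target:
            break
        for nxt in sorted(graph[cur]):   # sorted for deterministic tie-breaking
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if target not in prev:
        return None                      # no trust path, e.g. a different forest
    path = []
    while target is not None:
        path.append(target)
        target = prev[target]
    return path[::-1]


# Constructed forest: c.com is the forest root with children b.c.com and d.c.com,
# e.d.c.com is a grandchild, and x.org is the root of a second tree.
FOREST = ["c.com", "b.c.com", "d.c.com", "e.d.c.com", "x.org"]

if __name__ == "__main__":
    default = build_trust_graph(FOREST, "c.com")
    print(trust_path(default, "b.c.com", "d.c.com"))          # up to c.com, then down
    shortcut = build_trust_graph(FOREST, "c.com", [("b.c.com", "d.c.com")])
    print(trust_path(shortcut, "b.c.com", "e.d.c.com"))       # shortcut trust used
```

Adding the shortcut trust shortens every path that previously had to pass through the forest root between those two subtrees, which is the reason the notes list it as a forest-internal design option.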

----------------------------------------------------

Delegation of admin control
    Create an OU, place objects into the OU, create a group, place users in the group, run the Delegation of Control Wizard on the OU and grant the group control of the OU.
    Or manually modify the DACLs of the OU to grant the group control of the OU.

---------------------------------------------------

FSMO (operations master roles, a server service); all FSMO role holders are DCs
    The first DC in the root domain carries all five FSMO roles.
    The first DC in a child domain carries all three domain FSMO roles.
    One per forest: Schema Master, Domain Naming Master
    One per domain: RID Master, PDC Emulator, Infrastructure Master
    One per site: Global Catalog server; a DNS server is recommended

OR

    Schema Master: one per forest
    Domain Naming Master: one per forest
        Schema Master and Domain Naming Master must be on the same DC, which must be a GC.
        Domain Naming Master and Global Catalog server must be on the same DC.
    RID Master: one per domain
    PDC Emulator: one per domain
    Infrastructure Master: one per domain
        Should not be on a GC, but should be in the same site as one. If the Infrastructure Master and a GC are on the same DC, references to objects in other domains will not be updated in the domain to which the IM belongs.
    Global Catalog server (GC): one or more per site, for logon within the site in native mode, to reduce WAN traffic
    DNS server: one or more per site, for logon within the site in native mode
    Avoid a single point of failure: at least two DCs per domain (and per site if the domain spans multiple sites), each one with a GC

------------------------------------------------------------

The factors on the AD namespace
    Internet registered name, identical to the internal DNS name or not
    Operating dependency of entities

---------------------------------------------------------

Biz factors vs. forest, site, domain, OU design

Forest:
    Acquisition/purchase
    Secure internal network, separated from the external network
    Using Exchange 2000 Server or other AD integrated applications
    Schema requirements

Site:
    Existing and future WAN speed (> T1), logon
    Streaming audio/video
    Available bandwidth
    WAN traffic
    Bridgehead servers
    DC placement: for best performance, at least one DC per site

Domain:
    Geographic location, international
    Security requirements (password policy, public key policy)
    Delegation of control to IT staff, decentralized administration
    Need to control domain replication
    The demands of corporate executives
    Definition of the AD namespace (this one could be a factor on the forest in some circumstances)

OU:
    Granular delegation of admin
    Grouping employees for administration, classification of employees

------------------------------------------------------------------

Structure of management and operation -- (de-)centralized
    Make decisions -- management
    Implement decisions -- operation

--------------------------------------------------------------------

Replication between sites

Site links:
    RPC over IP:
        Within or between sites, within or between domains
        Can be scheduled
        Can replicate the domain directory partition
    SMTP over IP:
        Only between sites that belong to different domains
        Is the best choice when the WAN connection is unreliable
        Must install SMTP on both domain controllers, and an enterprise CA
        Only replicates the global catalog, schema and configuration partitions, not the domain directory partition
        Creates twice as much traffic as RPC

Link properties:
    Cost: default is 100
    Schedule: different site links should have a common time window, but off-peak time is more important
    Replication interval: not a big deal

Change notification:
    Enabled within a site by default; can be manually enabled between sites
    Tool: ADSI Edit MMC
    Increases WAN traffic
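The cost and schedule properties above decide which route inter-site replication takes and when changes can actually flow along it. The following is an added example, not from the original notes, that computes the lowest-cost route between two sites and the hours in which every link on that route is open at once (the "common time window" the notes ask for). Site names, costs and availability hours are constructed sample data; each link is (site_a, site_b, cost, open_hours).

```python
"""Site-link cost routing and schedule-window check (added example)."""
import heapq


def cheapest_route(site_links, source, target):
    """Dijkstra over site-link costs; returns (total_cost, [sites]) or None."""
    adjacency = {}
    for a, b, cost, _hours in site_links:
        adjacency.setdefault(a, []).append((b, cost))
        adjacency.setdefault(b, []).append((a, cost))
    best = {source: 0}
    prev = {source: None}
    heap = [(0, source)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > best.get(site, float("inf")):
            continue                      # stale heap entry
        if site == target:
            break
        for nxt, link_cost in adjacency.get(site, []):
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                prev[nxt] = site
                heapq.heappush(heap, (new_cost, nxt))
    if target not in prev:
        return None                       # site not connected by any site link
    path, cur = [], target
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return best[target], path[::-1]


def route_window(site_links, path):
    """Hours (0-23) during which every link on the route is open simultaneously."""
    hours = set(range(24))
    for a, b in zip(path, path[1:]):
        for x, y, _cost, open_hours in site_links:
            if {x, y} == {a, b}:
                hours &= set(open_hours)
                break
    return sorted(hours)


def plan_route(site_links, source, target):
    """Cost, path and common window for replication from source to target."""
    route = cheapest_route(site_links, source, target)
    if route is None:
        return None
    cost, path = route
    return {"cost": cost, "path": path, "common_hours": route_window(site_links, path)}


# Constructed topology: default cost 100 on most links, one expensive direct
# link, and two links restricted to off-peak hours that do not overlap.
SITE_LINKS = [
    ("HQ", "Branch1", 100, range(0, 24)),
    ("Branch1", "Branch2", 100, range(20, 24)),   # 20:00-23:59 only
    ("HQ", "Branch2", 300, range(0, 24)),
    ("Branch2", "Branch3", 50, range(0, 4)),      # 00:00-03:59 only
]

if __name__ == "__main__":
    print(plan_route(SITE_LINKS, "HQ", "Branch2"))
    print(plan_route(SITE_LINKS, "HQ", "Branch3"))   # cheapest, but no common window
```

An empty common_hours list is the design smell the notes warn about: the route is the cheapest one, yet a change from HQ has to wait for the next link's window at every hop, so end-to-end latency is far worse than either schedule suggests.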

------------------------------------------------------------

Intra-site and inter-site replication process:
    Notify process (intra-site)
    Pull process (intra-site)
    Send process between bridgehead servers
    No pull process between bridgehead servers
    By default, no notify process between bridgehead servers

-----------------------------------------------------------

Reduce the impact of WAN replication:
    Schedule replication between sites
    Upgrade WAN link speed

------------------------------------------------------------

Reduce WAN traffic:
    Configure each location as a site
    Schedule replication between sites
    Place a Global Catalog server at each location (native mode only) to check universal group membership. Universal group membership is only replicated to the GC.
    Place a DC at each location in mixed mode
    SMTP creates more traffic

--------------------------------------------------------------

On-site upgrade sequence of necessary actions
    Start with the domain that will be the forest root, normally the account domain in the head office.
    Synchronize all DCs in the domain
    Take one BDC offline
    Install W2K Server on the PDC; it automatically runs the AD Installation Wizard
    Use the AD Installation Wizard to create a DC for a new domain: choose “DC for a new domain” (following the Domain >> Tree >> Forest path)
    Use the AD Installation Wizard to create a new domain tree on the “Create tree or child” page
    Use the AD Installation Wizard to create a new domain forest on the “Create or Join Forest” page
    Verify user access, replication with the BDCs and trust relationship operation with the resource domains.
    Install W2K Server on the BDCs
    Use the AD Installation Wizard to create additional DCs for the domain on the “DC type” page
    To merge a resource domain into the root domain, first upgrade it as a child domain, then move all objects to the root domain with MOVETREE (to preserve the SID, the root domain must be converted to native mode before moving objects), demote the child domain controllers to member servers of the root domain, and promote the root domain member servers to peer domain controllers. DCPROMO is the tool.
    To join additional NT domains to the tree, choose “DC for a new domain”, then “Create a new child domain in an existing domain tree”

-----------------------------------------------------------

GPO levels

Site
    Must be a member of Enterprise Admins to apply a GPO on a site
    Object access audit at locations that have low-speed WAN connections
    Policies enforced per site (usually per location)

Domain
    Domain-wide software installation
    Password policy
    Account policy
    Kerberos policy

OU
    Group-wide software install
    Group-wide computer configuration
    Group-wide logon/logoff scripts
    Software available for installation by IT personnel
    OU GPO settings are ignored during domain logon.

Inheritance
    Child domains do not inherit Group Policy settings from their parent domains.

-----------------------------------------------------------

GPO order
    Local computer -- Site -- Domain -- OU -- OU…; if there is a conflict, the OU wins
    “Disable ‘disable XXX’” means you can use XXX.
    But OU GPO settings are ignored at logon, so password policies only work at the domain level.
    NO OVERRIDE wins over BLOCK POLICY INHERITANCE
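The precedence rules above (processing order, last-writer-wins, Block Policy Inheritance, No Override beating the block, and account policies honoured only from the domain level) can be checked against a concrete container chain. This is an added example, not code from the original notes. It assumes a chain of layers in processing order, each carrying a name, a scope, a settings dict and optional no_override / block_inheritance flags; the layer names, setting names and the "account." prefix used to mark password, lockout and Kerberos policy settings are constructed conventions for this model, and the choice to let the local GPO survive a block (it is not inherited from a parent container) is a modelling assumption.

```python
"""Effective Group Policy under Windows 2000 precedence rules (added example)."""

ACCOUNT_POLICY_PREFIX = "account."   # constructed marker for account-policy settings


def resolve_gpo(chain):
    """Return {setting: (value, winning layer name)} for an ordered layer chain.

    chain: list of dicts in processing order (local, site, domain, OU, ...).
    Each layer: name, scope ("local", "site", "domain", "ou"), settings (dict),
    and optional flags no_override and block_inheritance.
    """
    base = {}          # local computer GPO: lowest precedence, not blocked (assumption)
    overridable = {}   # site/domain/OU settings; the last one applied wins
    enforced = {}      # settings from No Override GPOs; the highest container wins
    for layer in chain:
        scope = layer["scope"]
        if layer.get("block_inheritance"):
            # Block Policy Inheritance drops everything inherited from higher
            # containers. No Override settings sit in `enforced` and survive.
            overridable = {}
        for setting, value in layer.get("settings", {}).items():
            if setting.startswith(ACCOUNT_POLICY_PREFIX) and scope != "domain":
                continue   # account policies only take effect from the domain level
            entry = (value, layer["name"])
            if scope == "local":
                base[setting] = entry
            elif layer.get("no_override"):
                enforced.setdefault(setting, entry)   # first (highest) No Override wins
            else:
                overridable[setting] = entry
    result = dict(base)
    result.update(overridable)   # later containers beat local and each other
    result.update(enforced)      # No Override beats everything below it
    return result


# Constructed sample chain exercising each rule at once.
SAMPLE_CHAIN = [
    {"name": "Local", "scope": "local",
     "settings": {"screensaver": "off", "wallpaper": "corp.bmp"}},
    {"name": "Site-NY", "scope": "site",
     "settings": {"screensaver": "on", "proxy": "ny-proxy"}},
    {"name": "Default Domain", "scope": "domain", "no_override": True,
     "settings": {"account.min_pw_len": 8, "proxy": "corp-proxy"}},
    {"name": "OU-Sales", "scope": "ou", "block_inheritance": True,
     "settings": {"proxy": "sales-proxy", "screensaver": "on", "account.min_pw_len": 12}},
    {"name": "OU-Sales-West", "scope": "ou",
     "settings": {"screensaver": "off"}},
]

if __name__ == "__main__":
    for setting, (value, winner) in sorted(resolve_gpo(SAMPLE_CHAIN).items()):
        print("%-20s %-12s from %s" % (setting, value, winner))
```

In the sample, OU-Sales blocks the site's proxy and screensaver settings, but its own proxy value still loses to the No Override Default Domain policy, and its 12-character password length is ignored because the setting is an account policy linked at OU level.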

-------------------------------------------------------------------

Default policies for domains and domain controllers

There is a default policy for domains, as well as a default policy for domain controllers. The domain controller policy has precedence over the domain policy. For example, if you want to grant the Add Workstations to Domain privilege to a user, you modify the default domain controller policy rather than the default domain policy.

-------------------------------------------------------------------

DNS

Configure forwarding
    Enable forwarding on the internal root DNS: point it to the external DNS server
    Disable recursion on the internal root DNS: you don't want to exchange internal and external information.

Need to maintain an existing UNIX DNS server
    Upgrade it to support W2K
    Configure it with the proper zones. (I think this is the place I missed in the test)

An AD-integrated DNS server contains only the DNS information for the domain in which the server resides. If it is unable to resolve a name, it starts "walking the tree": an iterative query.

UNIX
    BIND 8.1.2 or later works with AD and supports both SRV resource records and dynamic updates. But only 8.2 or later supports incremental zone transfers.
    Doesn't support fault tolerance or secure dynamic updates

Fully integrated with AD means:
    Supports dynamic updates.
    Supports SRV resource records. The SRV record is used to map the name of a service to the DNS computer name of a server that offers that service. For AD DCs and clients, SRV records are used to determine the IP address of a DC.

Requirements to support AD
    Supporting SRV resource records is required
    Supporting dynamic updates is recommended but not required

DNS zones

AD-integrated zone:
    Fault tolerant: every DC running DNS holds a read/write copy
    Secure dynamic update with DACLs
    Normally used for the internal AD network
    Only installed on DCs

Standard primary zone:
    Dynamic update, but not secured by DACLs
    Not fault tolerant: only one DNS server holds the master copy
    Normally used for external web servers
    Can be installed on any server

Standard secondary zone:
    Can be installed on any server
    Read only

If you need fault tolerance and secure updates, an AD-integrated zone is the only choice.
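The SRV-record step in the "Fully integrated with AD" passage above (service name to DC host name, then host name to IP address) is what a BIND server must serve correctly for W2K clients. The following is an added example, not part of the original notes: a parser for zone-file SRV and A lines and a DC locator that applies the RFC 2782 selection rule (lowest priority first, weighted random choice within that priority). The zone text, host names and 10.0.0.x addresses are constructed sample data; the `pick` hook that replaces the random draw exists only so the selection can be tested deterministically.

```python
"""Locating a DC through SRV records, RFC 2782 style (added example)."""
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")


def parse_zone(text):
    """Parse constructed zone-file lines into (srv_records, {host: ip})."""
    srv, a_records = [], {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 8 and parts[3] == "SRV":
            name, _ttl, _cls, _type, prio, weight, port, target = parts
            srv.append(SrvRecord(name.rstrip("."), int(prio), int(weight),
                                 int(port), target.rstrip(".")))
        elif len(parts) == 5 and parts[3] == "A":
            a_records[parts[0].rstrip(".")] = parts[4]
    return srv, a_records


def select_target(records, pick=None):
    """Choose one SRV record: lowest priority, then weight-proportional random.

    pick(total) must return an int in [0, total] (inclusive, as RFC 2782 does);
    weight-0 records are ordered first so they get only a tiny chance.
    """
    if not records:
        return None
    if pick is None:
        pick = lambda total: random.randint(0, total)
    lowest = min(r.priority for r in records)
    candidates = sorted((r for r in records if r.priority == lowest),
                        key=lambda r: r.weight)
    threshold = pick(sum(r.weight for r in candidates))
    running = 0
    for record in candidates:
        running += record.weight
        if running >= threshold:
            return record
    return candidates[-1]


def locate_dc(zone_text, service, pick=None):
    """SRV lookup for `service`, then A lookup of the chosen target host."""
    srv, a_records = parse_zone(zone_text)
    chosen = select_target([r for r in srv if r.name == service], pick)
    if chosen is None:
        return None
    return chosen.target, a_records.get(chosen.target), chosen.port


# Constructed zone: two preferred DCs with different weights and one backup DC
# at a worse priority that is used only if the first two are absent.
ZONE = """
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 50 389 dc2.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 10 100 389 dc-backup.corp.example.
dc1.corp.example. 600 IN A 10.0.0.11
dc2.corp.example. 600 IN A 10.0.0.12
dc-backup.corp.example. 600 IN A 10.0.0.13
"""
SERVICE = "_ldap._tcp.dc._msdcs.corp.example"

if __name__ == "__main__":
    print(locate_dc(ZONE, SERVICE))   # dc1 about twice as often as dc2, never dc-backup
```

A DNS server that cannot serve the underscore-prefixed SRV names, or that drops them on zone transfer, breaks this lookup even though plain A records still resolve, which is why the notes call SRV support required and dynamic update only recommended.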

------------------------------------------------------------------

Using groups
    All kinds of groups can be assigned permissions
    Best practice: UG >> DG >> DL << Permissions

Universal group
    Only in native mode
    Can be used anywhere in the forest
    Members can be users, global or universal groups from anywhere in the forest
    Can have access anywhere in the forest
    Normally use one universal group and add it to multiple domain local groups.

Domain global group
    Members can only be users and global groups from the same domain
    Can be used anywhere in the forest
    Can have access anywhere in the forest

Domain local group
    Can be used only in its own domain
    Members can be users, global or universal groups from anywhere, but other domain local groups only from the same domain.
    In native mode, can be used to grant access to resources on any computer in the local domain
    In mixed mode, domain local groups must be on domain controllers only; can be used to grant access to resources on any computer in the local domain

Local group
    Can be used only on that computer (or on DCs).
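The membership and scope rules above are easy to get wrong in a design question, so here is an added example (not code from the original notes) that validates a proposed nesting chain against them: global groups hold only users and global groups from their own domain, universal groups exist only in native mode and hold users, global and universal groups from the whole forest, domain local groups hold other domain local groups only from their own domain and may be put on ACLs only in their own domain. Account, group and domain names are constructed sample data; the `kind` strings and the Principal tuple are conventions of this model.

```python
"""Validator for Windows 2000 group nesting and ACL use (added example)."""
from collections import namedtuple

# kind is one of: "user", "global", "universal", "domainlocal"
Principal = namedtuple("Principal", "name kind domain")


def can_be_member(member, group, native_mode=True):
    """Return (allowed, reason) for adding `member` to `group`."""
    if "universal" in (member.kind, group.kind) and not native_mode:
        return False, "universal groups exist only in native mode"
    if group.kind == "global":
        if member.kind not in ("user", "global") or member.domain != group.domain:
            return False, "global groups hold only users and global groups from the same domain"
    elif group.kind == "universal":
        if member.kind not in ("user", "global", "universal"):
            return False, "universal groups hold users, global and universal groups only"
    elif group.kind == "domainlocal":
        if member.kind == "domainlocal" and member.domain != group.domain:
            return False, "a domain local group holds other domain local groups only from its own domain"
        if member.kind not in ("user", "global", "universal", "domainlocal"):
            return False, "unknown member kind"
    else:
        return False, "%s is not a group" % group.kind
    return True, "ok"


def can_be_on_acl(group, resource_domain):
    """Whether `group` may be granted permissions on a resource in `resource_domain`."""
    if group.kind not in ("global", "universal", "domainlocal"):
        return False, "only groups belong on the ACL in this model"
    if group.kind == "domainlocal" and group.domain != resource_domain:
        return False, "domain local groups are usable only in their own domain"
    return True, "ok"


def check_chain(chain, resource_domain, native_mode=True):
    """Validate a UG >> DG >> DL << Permissions chain end to end.

    `chain` runs from the account up to the group placed on the ACL, e.g.
    [user, global group, universal group, domain local group]. Returns one
    message per broken rule, so an empty list means the design is valid.
    """
    problems = []
    for member, group in zip(chain, chain[1:]):
        ok, why = can_be_member(member, group, native_mode)
        if not ok:
            problems.append("%s -> %s: %s" % (member.name, group.name, why))
    ok, why = can_be_on_acl(chain[-1], resource_domain)
    if not ok:
        problems.append("%s on ACL in %s: %s" % (chain[-1].name, resource_domain, why))
    return problems


# Constructed principals from two domains of one forest.
ALICE = Principal("alice", "user", "sales.corp")
SALES_G = Principal("Sales-G", "global", "sales.corp")
ALL_SALES_U = Principal("AllSales-U", "universal", "sales.corp")
PRINTERS_DL = Principal("Printers-DL", "domainlocal", "hq.corp")

if __name__ == "__main__":
    print(check_chain([ALICE, SALES_G, ALL_SALES_U, PRINTERS_DL], "hq.corp"))
    print(check_chain([ALICE, SALES_G, ALL_SALES_U, PRINTERS_DL], "hq.corp", native_mode=False))
```

Running the same chain in mixed mode reports two problems, one for each edge touching the universal group, which matches the notes' point that the UG step of the pattern is only available after the switch to native mode.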

-------------------------------------------------------------

Protocols and smart cards
    Kerberos 5: supports username/password or local smart card logon.
    EAP-xxx: used for smart card remote authentication in both native and mixed mode.
    NTLM: used in mixed mode.
    ANI: used for remote authentication based on the calling number. To enable it, you must enable unauthenticated access on RAS.

-----------------------------------------------------------------

Top-level OUs
    Geographic locations, more stable than departments
    Departments or divisions
    Roles or tasks

------------------------------------------------------------------

Upgrade strategies
    Upgrade the account domains in place first
    Then upgrade the resource domains in place
    Upgrade all clients to W2K Professional
    Optional: you may move all objects in the resource domains to OUs in the account domains, then eliminate the resource domains.
    Upgrade the remaining BDCs at the very last.

--------------------------------------------------------------------

Benefits of upgrading to AD
    Increased security for client computers, such as NTFS, mandatory authentication, file-level encryption
    Increased flexibility in the control of network resources
    Decreased total cost of ownership
    Kerberos authentication
    AD-based password changes
    Universal groups (only in native mode)
    OUs
    Netlogon synchronization
    AD-integrated DNS zones
    Dynamic DNS updates
    Secure dynamic updates
    Domain local groups
    Multimaster replication between W2K DCs
    GPOs
    NTLM authentication (only in mixed mode)

------------------------------------------------------------

Merge a new network into an existing AD
    As a new forest
        Needs a new schema
    As a new tree
        Separate entities, different domain name, preserve the existing name
    As a new domain
        Administrative autonomy
        Domain-level policy
    As a new OU

Merging two separate ADs:
    Remove and reinstall AD on all domain controllers that will be merged
    Establish these domain controllers as a new tree, a new domain or a new OU.

------------------------------------------------------------

Moving objects between domains
    Always use an OU as the container to move objects between trees or domains.
    Create an OU, place objects into it, use MOVETREE to move it to the new domain, or move objects one by one.
    Must use MOVETREE; cannot use AD Users and Computers
    The move must be initiated from the source domain RID master first, then moved to the new domain; otherwise “movetree failed”
    Only universal groups can be moved between domains. A global group must be converted to universal before moving.
    Moving an account does not move its group memberships.

-------------------------------------------------------------------

Schema Administrators

A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.

Enterprise Administrators

A group that exists only in the root domain of an Active Directory forest of domains. It is a universal group if the domain is in native mode, a global group if the domain is in mixed mode. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.

Domain Administrators

A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including the domain controllers.

Domain Admins is the default owner of any object that is created in the domain’s Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.

Administrators

A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group is also added to the Administrators group.

The Administrators group has built-in capabilities that give its members full control over the system. The group is the default owner of any object that is created by a member of the group.

-----------------------------------------------------------------------

Default permissions on FSMO roles:
    Schema master: the Change Schema Master permission is granted by default to the Schema Admins group.
    Domain naming master: the Change Domain Master permission is granted by default to the Enterprise Admins group.
    RID master: the Change RID Master permission is granted by default to the Domain Admins group.
    Primary domain controller emulator: the Change PDC permission is granted by default to the Domain Admins group.
    Infrastructure master: the Change Infrastructure Master permission is granted by default to the Domain Admins group.

-------------------------------------------------------------------

DOMMAP, NETDOM, MOVETREE, COPY, MOVE
    DOMMAP: check the replication topology and the relationships between domains and sites.
    NETDOM: join a computer to a domain; establish and verify trust relationships between computers; manage computer accounts and domain trusts.
    COPY (AD Users and Computers): clone an object within the same domain.
    MOVE (AD Users and Computers): move objects within the same domain.
    MOVETREE: move objects between domains.