name = study_guide
exam = 70-219
I passed 219 last week with a good score. Got four cases: a.datum, toys, ski and research.
39 questions (47 items).
Material used (you don't need a lab or hands-on for this one):
--- This site. Thanks to all contributors!!!
--- Transcender. Gives you the areas to focus on, with good explanations. Wording and
form are very similar to the real test. But don't expect to get the same cases.
--- Sybex. Just read it halfway and gave up.
--- Resource Kit online books. You can find all the answers you want.
--- MS TechNet. Up to date materials.
--- MS online seminars. Just a beginning of your study.
--- MOC 1561. Gives the big picture but is not enough.
--- Cramsession study guide. Not as good as it used to be. At least this one.
My advice:
--- read the questions first (click on Next and you will see the questions), analyze the possible
answers and write down the question area and what information you expect the case
will give you. I asked for two scratch pads for notes. Very helpful. Read the question briefly
and quickly (use the ALL tab). Read your notes about the questions again. Read the ALL tab again
and pay attention to the areas related to your notes. If you find the key sentence to answer
one or more questions, go back to the questions (click on the Questions button) and select your
answer. Draw the forest. If you draw it correctly, you will be able to answer 40% of the
questions.
--- you can answer quite a few questions just by reading the questions and possible
answers.
--- skip the LAN configuration and client sections. It's a waste of time to read them. Read them only if you
have a question related to them, such as increasing client security (see if the clients are able to
run W2K Pro).
--- always draw the location diagram. You need it to design the sites.
--- when you use the following study notes, which I think cover 95% of the area of my four
cases (yours may be different), please spend extra time on the interoperation of DNS and BIND.
I got 6 questions but missed 3-4 I guess (according to my score). So it's the only
weakness in my study.
--- Business factors can shift between AD components depending on the case.
Any comments are appreciated. I'm not an English speaker, so forgive my grammar and
spelling mistakes.
Good Luck
---------------------------------------------------------------
Study notes
---------------------------------------------------------------
When you need a new forest, a new tree, or a new domain
Forest:
Different common change policies
Different schema modifications. To change the schema, you must be a
member of the Schema Admins group.
Active Directory integrated applications may need a new schema
No transitive trusts (full trust model)
Completely separate administration
Separate Schema Admins and Enterprise Admins groups
Separate global catalog
An ISP who maintains an AD on behalf of other companies.
If you integrate one network into another, only one forest is needed (two
trees)
Completely separated internal and external networks
Don't want someone else to get ANY access (permissions) to the forest
Tree:
Two separate entities operating independently – two trees
Share a common schema, global catalog, and configuration but use a
different namespace.
Domain:
Different security policies (password policy, PKI etc.)
Complete administrative autonomy
Use SMTP for replication between sites when the WAN is not reliable.
Share a common schema, global catalog, configuration and namespace but
administer separately
Use an empty root domain: share a common schema, global catalog,
configuration and namespace but administer separately, or control the schema master and domain
naming master
If you have a.b.com and c.b.com and want users to be able to log on as
[email protected], you must create the root domain b.com (empty)
----------------------------------------------------------
A new domain could be
Root domain of a New forest
Root domain of the tree
Child domain of a domain
------------------------------------------------------------
When you need a new site
Replication can be scheduled and configured on a cost basis.
WAN speed <= T1 (1.544 Mbps), and the traffic over it
T3 is considered a high-speed connection, suitable within a site.
---------------------------------------------------
Trust relationship
Default Kerberos5
The path of Kerberos5 (usera.b.c.com wants to access printera.d.c.com; what's
the default path?)
Shortcut trust within forest
Explicit one- or two-way trust between forests.
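The default Kerberos referral path asked about above (usera in b.c.com reaching printera in d.c.com), as an added example that is not from the original post: it models the forest's parent/child transitive trusts as a graph and finds the chain of domains the referrals walk, with and without a shortcut trust. The domain names c.com, b.c.com, d.c.com, e.b.c.com and other.com are constructed.

```python
from collections import deque

# Constructed forest: each child domain has a two-way transitive Kerberos trust
# with its parent. other.com is the root of a separate forest with no trust to c.com.
FOREST_PARENTS = {
    "c.com": None,
    "b.c.com": "c.com",
    "d.c.com": "c.com",
    "e.b.c.com": "b.c.com",
    "other.com": None,
}

def build_trust_graph(parents, shortcut_trusts=()):
    """Adjacency sets: implicit parent/child trusts plus optional shortcut trusts
    (pairs of domain names inside the same forest)."""
    graph = {domain: set() for domain in parents}
    for child, parent in parents.items():
        if parent is not None:
            graph[child].add(parent)
            graph[parent].add(child)
    for a, b in shortcut_trusts:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def kerberos_referral_path(graph, user_domain, resource_domain):
    """Shortest chain of domains the KDC referrals walk from the user's domain to the
    resource's domain (breadth-first search over the trust graph). None if there is
    no trust path, e.g. a different forest without an explicit trust."""
    if user_domain not in graph or resource_domain not in graph:
        raise ValueError("unknown domain")
    queue = deque([[user_domain]])
    seen = {user_domain}
    while queue:
        path = queue.popleft()
        if path[-1] == resource_domain:
            return path
        for nxt in sorted(graph[path[-1]]):   # sorted for a deterministic result
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def referral_hops(path):
    """Number of trust hops (domain boundaries crossed) on a referral path."""
    return len(path) - 1

if __name__ == "__main__":
    tree_only = build_trust_graph(FOREST_PARENTS)
    print(kerberos_referral_path(tree_only, "b.c.com", "d.c.com"))      # ['b.c.com', 'c.com', 'd.c.com']
    with_shortcut = build_trust_graph(FOREST_PARENTS, [("b.c.com", "d.c.com")])
    print(kerberos_referral_path(with_shortcut, "b.c.com", "d.c.com"))  # ['b.c.com', 'd.c.com']
```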
----------------------------------------------------
Delegating admin control
Create an OU, place objects into the OU, create a group, place users in the group, run
the Delegation of Control Wizard on the OU and grant the group control of the OU.
Or manually modify the DACLs of the OU to grant the group control of the
OU.
---------------------------------------------------
FSMO (operations master roles); all FSMO role holders are DCs
The first DC in the root domain carries all five FSMO roles.
The first DC in a child domain carries all three domain FSMO roles.
One per forest: Schema Master, Domain Naming Master
One per Domain: RID Master, PDC emulator, Infrastructure Master
Per site (recommended): Global Catalog server and DNS server
OR
Schema Master: one per forest
Domain Naming Master: one per forest
Schema Master and Domain Naming Master must be on the same DC that
must be a GC.
Domain Naming Master and Global Catalog Server must be on the same
DC.
RID Master: one per domain
PDC emulator: one per domain
Infrastructure Master: one per domain,
Should not be on a GC, but should be in the same site as one. If the Infrastructure Master and a GC are
on the same DC, references to objects in other domains will not be updated in the domain to
which the IM belongs.
Global Catalog server (GC): one or more per site, for logon within the site in
native mode, to reduce WAN traffic
DNS server: one or more per site, for logon within the site in native mode
Avoid a single point of failure: at least two DCs per domain (and per site if the
domain spans multiple sites), each one a GC
------------------------------------------------------------
Factors affecting the AD namespace
Registered Internet name, whether or not it is identical to the internal DNS name
Operating dependency between entities
---------------------------------------------------------
Business factors vs. forest, site, domain and OU design
Forest:
Acquisition/purchase
Secure internal network, separate it from external network
Using Exchange 2000 server or other AD integrated applications
Schema requirements
Site:
Existing and future WAN speed, >T1, logon
Streaming audio/video
Available bandwidth
WAN traffic
Bridgehead servers
DC placement: for best performance, at least one DC per site
Domain:
Geographic location, international
Security requirements (password policy, public key policy)
Delegation of control to IT staff, decentralized administration
Need to control domain replication
The demands of corporate executives
Definition of AD namespace (this one could be a factor on forest in some
circumstances)
OU:
Granular delegation of admin
Grouping employees for administration, classification of employees
------------------------------------------------------------------
Structure of Management and Operation -- (de-) centralized
Make decision -- management
Implement decision -- operation
--------------------------------------------------------------------
Replication between sites
Site links:
RPC over IP:
Within or between sites, within or between domains
Can be scheduled
Can replicate domain directory partition
SMTP over IP:
Only between sites that belong to different domains
Is the best choice when WAN connection is unreliable
Must install SMTP on both domain controllers, plus an enterprise
CA
Only replicates the global catalog, schema and configuration partitions,
no domain directory partitions
Creates twice as much traffic as RPC.
Link properties:
Cost: default is 100
Schedule: different site links should share a common time window, but scheduling for off-
peak time is more important
Replication interval: not a big deal.
Change notification:
Enabled within site by default, can be manually enabled between sites.
Tool: ADSI Edit MMC
Increases WAN traffic
------------------------------------------------------------
Intra-site and inter-site Replication process:
Notification process (intra-site).
Pull process (intra-site).
Send process between bridgehead servers.
No pull process between bridgehead servers.
By default, no notification process between bridgehead servers.
-----------------------------------------------------------
Reduce impact of WAN replication:
Schedule replication between sites
Upgrade WAN link speed
------------------------------------------------------------
Reduce WAN traffic:
Configure each location as a site
Schedule replication between sites
Place a Global Catalog server at each location (native mode only) to check
Universal group membership. Universal group membership is only replicated to GCs.
Place a DC at each location in mixed mode
SMTP creates more traffic
--------------------------------------------------------------
In-place upgrade: sequence of necessary actions
Start with the domain that will be the forest root, normally the account
domain at the head office.
Synchronize all DCs in the domain
Take one BDC offline
Install W2K Server on the PDC; it automatically runs the AD Installation Wizard
Use the AD Installation Wizard to create a DC for the new domain, choose “DC for a new
domain” (following the Domain >> Tree >> Forest path)
Use the AD Installation Wizard to create a new domain tree on the “Create tree or child”
page
Use the AD Installation Wizard to create a new domain forest on the “Create or Join
Forest” page
Verify user access, replication with the BDCs and trust relationship operation with the
resource domains.
Install W2K Server on the BDCs
Use the AD Installation Wizard to create additional DCs for the domain on the “DC type” page
To merge a resource domain into the root domain, first upgrade it as a child domain,
then move all objects to the root domain with MOVETREE (to preserve SIDs, the root
domain must be converted to native mode before moving objects), demote the child domain
controllers to member servers of the root domain, then promote the root domain member
servers to peer domain controllers. DCPROMO is the tool.
To join additional NT domains to the tree, choose “DC for a new domain”,
“Create a new child domain in an existing domain tree”
-----------------------------------------------------------
GPO levels
Site
Must be a member of Enterprise Admins to apply a GPO to a site
Object access audit at locations that have low speed WAN connections
Policies enforced per site (usually per location)
Domain
Domain wide software installation
Password policy
Accounts policy
Kerberos policy
OU
Group wide software install
Group wide computer configurations
Group wide logon/logoff script
Software available for installation by IT personnel.
OU GPO settings are ignored during domain logon.
Inherit
Child domains do not inherit Group policy settings from their parent
domains.
-----------------------------------------------------------
GPO orders
Local computer -- Site -- Domain -- OU -- OU…, if conflicts, OU wins
“Disable “disable XXX”” means you can use XXX.
But OU GPO settings are ignored at domain logon, so password policies only work at the
domain level.
NO OVERRIDE wins BLOCK POLICY INHERITANCE
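The processing order and the two exceptions listed above (Block Policy Inheritance on a container, No Override on a link), as an added example that is not from the original post: a small resolver that applies Local, Site, Domain and OU GPOs in order, drops blocked GPOs, and lets No Override win. The container names, GPO names and setting names are constructed; the local GPO is modelled as always applied.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict               # setting name -> value
    no_override: bool = False    # "No Override" on the link: cannot be blocked or overridden below

@dataclass
class Container:
    name: str
    level: str                   # "local", "site", "domain" or "ou"
    gpos: list = field(default_factory=list)   # in application order: later entries win
    block_inheritance: bool = False            # "Block Policy Inheritance" set on this container

def effective_policy(chain):
    """chain = [local, site, domain, ou, sub-ou, ...] down to the target container.
    Returns (settings, winners): the value per setting and the container/GPO that supplied it."""
    # Normal GPOs: processed Local -> Site -> Domain -> OU...; the last writer wins.
    # Block Policy Inheritance on a container discards normal GPOs from every
    # container above it (the local GPO is modelled as always applied).
    start = max([i for i, c in enumerate(chain) if c.block_inheritance], default=0)
    settings, winners = {}, {}
    for i, c in enumerate(chain):
        if i < start and c.level != "local":
            continue
        for g in c.gpos:
            if not g.no_override:
                for k, v in g.settings.items():
                    settings[k], winners[k] = v, f"{c.name}/{g.name}"
    # No Override GPOs ignore blocking and are re-applied from the target upward,
    # so the highest-level enforced GPO is written last and wins every conflict.
    for c in reversed(chain):
        for g in c.gpos:
            if g.no_override:
                for k, v in g.settings.items():
                    settings[k], winners[k] = v, f"{c.name}/{g.name}"
    return settings, winners

def sample_chain(block_on_sales):
    """Constructed example: a site, a domain and two nested OUs (not a real network)."""
    return [
        Container("PC01", "local", [GPO("Local", {"RunMenu": "shown"})]),
        Container("HQ-site", "site", [GPO("Site-Audit", {"AuditObjectAccess": "on"})]),
        Container("corp.com", "domain", [
            GPO("Domain-Apps", {"InstallOffice": True}),
            GPO("Default Domain", {"ScreenSaverTimeout": 900, "RunMenu": "hidden"}, no_override=True),
        ]),
        Container("OU=Sales", "ou", [GPO("Sales-Desktop", {"RunMenu": "shown", "ScreenSaverTimeout": 3600})],
                  block_inheritance=block_on_sales),
        Container("OU=Temps", "ou", [GPO("Temps", {"InstallOffice": False})]),
    ]

if __name__ == "__main__":
    for block in (False, True):
        result, winners = effective_policy(sample_chain(block))
        print(f"block inheritance on Sales={block}: {result}")
```

With the block in place the site audit setting disappears, but the domain's No Override GPO still wins RunMenu and ScreenSaverTimeout over the Sales OU.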
-------------------------------------------------------------------
Default policy for domains, as well as a default policy for domain controllers
There is a default policy for domains, as well as a default policy for domain
controllers. The domain controller policy has precedence over the domain policy. For
example, if you want to grant the Add Workstation to Domain privilege to a user, you
modify the default domain controller policy rather than the default domain policy.
-------------------------------------------------------------------
DNS
Configure forwarding
Enable forwarding on the internal root DNS: point it to the external DNS server
Disable recursion on the internal root DNS: you don't want to exchange internal and
external information.
Need to maintain an existing UNIX DNS server
Upgrade it to support W2K
Configure it with the proper zones. (I think this is the place I missed in the test)
An AD-integrated DNS server contains only the DNS information for the domain in
which the server resides. If it is unable to resolve a name, it starts "walking the tree" -- an iterative
query.
UNIX
BIND 8.1.2 or later works with AD, supports both SRV resource records
and dynamic updates. But only 8.2 or later supports incremental zone transfers.
Doesn't support fault tolerance or secure dynamic updates
Fully integrated with AD means:
Support dynamic updates.
Support SRV resource records. The SRV record is used to map the name
of a service to the DNS computer name of a server that offers that service. For AD DCs
and clients, SRV records are used to determine the IP address of a DC.
Requirements to support AD
Support for SRV resource records is required
Support for dynamic updates is recommended but not required
DNS zone
AD-integrated zone:
Fault tolerant: every DC running DNS holds a read/write copy
Secure dynamic update with DACLs
Normally used for internal AD network
Only installed on DCs
Standard primary zone:
Dynamic update, but not secured by DACLs
Not fault tolerant: only one DNS server holds the master copy
Normally used for external web servers
Can be installed on any server
Standard secondary zone:
Can be installed on any server
Read only
If fault tolerance and secure updates are needed, an AD-integrated zone is the
only choice.
------------------------------------------------------------------
Using Groups
All kinds of groups can be assigned permissions
Best practice: UG>>DG>>DL<<Permissions
Universal group
Only in native mode
Can be used anywhere in the forest
Member can be users, global or universal groups from anywhere in the
forest
Can have access to anywhere in the forest
Normally use one universal group and add it to multiple domain local
groups.
Domain Global Group
Members can be only users and global groups from the same domain
Can be used anywhere in the forest
Can have access to anywhere in the forest
Domain local groups
Can be used only in its own domain
Members can be users, global or universal groups from anywhere in the forest, but other
domain local groups only from the same domain.
In native mode, can be used to grant access to resources on any computer
in the local domain
In mixed mode, domain local groups must be on domain controllers only; can be used
to grant access to resources on any computer in the local domain
Local group
Can be used only on that computer (or on the DCs).
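The membership rules listed above and the UG>>DG>>DL<<Permissions nesting practice, as an added example that is not from the original post: a checker that validates each link of a proposed nesting chain against the rules for universal, global and domain local groups in native and mixed mode. The principals (alice, Sales Staff, All Staff, Printer Users, HQ Staff) and the domains sales.corp.com, hq.corp.com and corp.com are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    name: str
    kind: str      # "user", "universal", "global" or "domainlocal"
    domain: str    # DNS name of the domain the account or group lives in

def can_be_member(member, group, native_mode):
    """(ok, reason) for adding `member` to `group`, following the membership rules in the notes."""
    if group.kind == "universal":
        if not native_mode:
            return False, "universal groups are available only in native mode"
        if member.kind in ("user", "global", "universal"):
            return True, "users, global and universal groups from anywhere in the forest"
        return False, "a domain local group cannot be a member of a universal group"
    if group.kind == "global":
        if member.kind in ("user", "global") and member.domain == group.domain:
            return True, "users and global groups from the same domain"
        return False, "global groups accept only users and global groups from their own domain"
    if group.kind == "domainlocal":
        if member.kind in ("user", "global", "universal"):
            return True, "users, global and universal groups from anywhere"
        if member.kind == "domainlocal" and member.domain == group.domain:
            return True, "domain local groups from the same domain"
        return False, "domain local groups from other domains cannot be members"
    return False, f"unsupported group kind: {group.kind}"

def check_nesting(chain, native_mode):
    """Walk a nesting chain (innermost member first, permission-holding group last) and
    return a list of human-readable violations; an empty list means the chain is valid."""
    problems = []
    for member, group in zip(chain, chain[1:]):
        ok, reason = can_be_member(member, group, native_mode)
        if not ok:
            problems.append(f"{member.name} -> {group.name}: {reason}")
    return problems

# Constructed example forest with two child domains (not a real environment).
alice = Principal("alice", "user", "sales.corp.com")
sales_staff = Principal("Sales Staff", "global", "sales.corp.com")
all_staff = Principal("All Staff", "universal", "corp.com")
print_users = Principal("Printer Users", "domainlocal", "hq.corp.com")
hq_staff = Principal("HQ Staff", "global", "hq.corp.com")

if __name__ == "__main__":
    # user -> global -> universal -> domain local (permissions sit on the domain local group)
    print(check_nesting([alice, sales_staff, all_staff, print_users], native_mode=True))
    # Same chain in mixed mode: the universal group is not available
    print(check_nesting([alice, sales_staff, all_staff, print_users], native_mode=False))
    # Global group from another domain nested into a global group: not allowed
    print(check_nesting([sales_staff, hq_staff], native_mode=True))
```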
-------------------------------------------------------------
Protocols and smart cards
Kerberos5 – supports username/password or local smart card logon.
EAP-xxx -- used for smart card remote authentication in both native and mixed
mode.
NTLM – used in a mixed mode.
ANI – used for remote authentication based on the calling number. To enable it, you must
enable unauthenticated access on RAS.
-----------------------------------------------------------------
Top level OUs
Geographic locations, more stable than departments
Departments or divisions
Roles or tasks
------------------------------------------------------------------
Upgrade strategies
Upgrade the account domains in place first
Then upgrade the resource domains in place
Upgrade all clients to W2K professional
Optional: you may move all objects in the resource domains to OUs in the
account domains, then eliminate the resource domains.
Upgrade the remaining BDCs last.
--------------------------------------------------------------------
Benefits from upgrading to AD
Increased security for client computers, such as NTFS, mandatory authentication,
file-level encryption.
Increased flexibility in the control of network resources
Decreased total cost of ownership
Kerberos authentication
AD-based password changes
Universal groups (only in native mode)
OUs
Netlogon synchronization
AD-integrated DNS zones
Dynamic DNS updates
Secure dynamic updates
Domain local groups
Multimaster replication between win2K DCs
GPOs
NTLM authentication (only in mixed mode)
------------------------------------------------------------
Merge a new network into an existing AD
As a new forest
Needs a new schema
As a new tree
Separate entities, different domain name, preserve the existing name
As a new domain
Administrative autonomy
Domain-level policy
As a new OU
Merging two separate ADs:
Removing and reinstalling AD on all domain controllers that will be
merged
Establishing these domain controllers as a new tree, a new domain or a
new OU.
------------------------------------------------------------
Moving objects between domains
Always use an OU as the container to move objects between trees or domains.
Create an OU, place objects into it, use MOVETREE to move it to the new domain,
or move objects one by one.
Must use MOVETREE; cannot use AD Users and Computers
The move must be initiated from the source domain's RID master first and then moved to the
new domain, otherwise you get “movetree failed”
Only Universal Groups can be moved between domains. A Global Group must be
converted to Universal before moving.
Moving an account does not move its group memberships.
-------------------------------------------------------------------
Schema Administrators
A group that exists only in the root domain of an Active Directory forest of domains. It is
a universal group if the domain is in native-mode, a global group if the domain is in
mixed-mode. The group is authorized to make schema changes in Active Directory. By
default, the only member of the group is the Administrator account for the forest root
domain.
Enterprise Administrators
A group that exists only in the root domain of an Active Directory forest of domains. It is
a universal group if the domain is in native-mode, a global group if the domain is in
mixed-mode. The group is authorized to make forest-wide changes in Active Directory,
such as adding child domains. By default, the only member of the group is the
Administrator account for the forest root domain.
Domain Administrators
A global group whose members are authorized to administer the domain. By default, the
Domain Admins group is a member of the Administrators group on all computers that
have joined a domain, including the domain controllers.
Domain Admins is the default owner of any object that is created in the domain’s Active
Directory by any member of the group. If members of the group create other objects,
such as files, the default owner is the Administrators group.
Administrators
A built-in group. After the initial installation of the operating system, the only member of
the group is the Administrator account. When a computer joins a domain, the Domain
Admins group is added to the Administrators group. When a server becomes a domain
controller, the Enterprise Admins group also is added to the Administrators group.
The Administrators group has built-in capabilities that give its members full control over
the system. The group is the default owner of any object that is created by a member of
the group.
-----------------------------------------------------------------------
Default Permissions on FSMO:
Schema master: The Change Schema Master permission is granted by default to
the Schema Admins group.
Domain naming master: The Change Domain Master permission is granted by
default to the Enterprise Admins group.
RID master: The Change Rid Master permission is granted by default to the
Domain Admins group.
Primary domain controller emulator: The Change PDC permission is granted by
default to the Domain Admins group.
Infrastructure master: The Change Infrastructure Master permission is granted by
default to the Domain Admins group.
-------------------------------------------------------------------
DOMMAP, NETDOM, MOVETREE, COPY, MOVE
DOMMAP: check replication topology, relationship between domains and sites.
NETDOM: join a computer to a domain, manage computer accounts and domain trusts,
establish and verify trust relationships between computers.
COPY (AD Users and Computers): clone an object within the same domain.
MOVE (AD Users and Computers): move objects within the same domain.
MOVETREE: move objects between domains