Active Directory Infrastructure


Syngress knows what passing the exam means to you and to your career. And we know that you are often financing your own training and certification; therefore, you need a system that is comprehensive, affordable, and effective.

Boasting one-of-a-kind integration of text, DVD-quality instructor-led training, and Web-based exam simulation, the Syngress Study Guide & DVD Training System guarantees 100% coverage of exam objectives.

The Syngress Study Guide & DVD Training System includes:

Study Guide with 100% coverage of exam objectives: By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of the exam objectives.

Instructor-led DVD: This DVD provides almost two hours of virtual classroom instruction.

Web-based practice exams: Just visit us at www.syngress.com/certification to access a complete exam simulation.

Thank you for giving us the opportunity to serve your certification needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/certification


Michael Cross
Jeffery A. Martin
Todd A. Walls

Martin Grasdal, Technical Reviewer
Debra Littlejohn Shinder, Technical Editor
Dr. Thomas W. Shinder, Technical Editor

Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003

Active Directory Infrastructure


Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out of the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER
001 TH33SLUGGY
002 Q2T4J9T7VA
003 82LPD8R7FF
004 Z6TDAA3HVY
005 P33JEET8MS
006 3SHX6SN$RK
007 CH3W7E42AK
008 9EU6V4DER7
009 SUPACM4NFH
010 5BVF3MEV2Z

PUBLISHED BY Syngress Publishing, Inc.

800 Hingham Street Rockland, MA 02370

Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System

Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

ISBN: 1-931836-94-9

Technical Editors: Debra Littlejohn Shinder, Thomas W. Shinder
Technical Reviewer: Martin Grasdal
Cover Designer: Michael Kavish
Page Layout and Art by: Patricia Lupien
Copy Editor: Beth Roberts

Acquisitions Editor: Jonathan Babcock Indexer: Rich Carlson

DVD Production: Michael Donovan DVD Presenter: Laura E. Hunter


Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Will Schmied, the President of Area 51 Partners, Inc. and moderator of www.mcseworld.com, for sharing his considerable knowledge of Microsoft networking and certification.

Karen Cross, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of Publishers Group West for sharing their incredible marketing experience and expertise.

The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision remains worldwide in scope.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Annette Scott, Delta Sams, Geoff Ebbs, Hedley Partis, and Tricia Herbert of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

A special thanks to Deb and Tom Shinder for going the extra mile on our core four MCSE 2003 guides. Thank you both for all your work.

Another special thanks to Daniel Bendell from Assurance Technology Management for his 24x7 care and feeding of the Syngress network. Dan manages our network in a highly professional manner and under severe time constraints, but still keeps a good sense of humor.

Michael Cross(MCSE, MCP+I, CNA, Network+) is an Internet Specialist / Computer Forensic Analyst with the Niagara Regional Police Service. He performs computer forensic examinations on computers involved in criminal investigations, and has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining their Web site at www.nrps.com and Intranet, he has also provided support in the areas of programming, hardware, network admin- istration, and other services. As part of an information technology team that provides support to a user base of over 800 civilian and uniform users, his theory is that when the users carry guns, you tend to be more motivated in solving their problems.

Michael also owns KnightWare (www.knightware.ca), which provides computer- related services like Web page design, and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a free- lance writer for several years, and is published over three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario Canada with his lovely wife Jennifer and his darling daughter Sara.

Eriq Oliver Nealeis an Information Technology manager for a large manufacturing company headquartered in the southwest. His IT career spans 16 years and just about as many systems. He has contributed to a number of technical publications, including several MCSE exam preparation titles. His article on MIDI, still considered one of the seminal works on the topic, has been reprinted in hundreds of publications in mul- tiple languages. Most recently, he has been focusing on electronic data privacy issues in mixed platform environments.When not working in and writing about informa- tion technology, Eriq spends time writing and recording music in his home studio for clients of his music publishing company. On clear nights, he can be found gazing at the moon or planets through his telescope, which he also uses for deep-space astrophotography.

Todd A. Walls(CISSP, MCSE) is a Senior Security Engineer for COACT, Inc., pro- viding information security support to a government customer in Colorado Springs.

Todd has over 19 years of IT experience spanning the range of micro, mini, and mainframe systems, running variants of UNIX,Windows, and proprietary operating systems. His security systems experience includes intrusion detection and prevention,

Contributors

(8)

vii firewalls, biometrics, smart cards, password cracking, vulnerability testing, and secure-computing designs and evaluations. He is currently enrolled in graduate computer science studies at Colorado Technical University with a concentration in computer systems security.

Vinod Kumaris an author, developer and technical reviewer specializing in Web and mobile technologies using Microsoft aolutions. He has been awarded the Microsoft’s Most Valuable Professional (MVP) in .NET. He Currently works for Verizon.Vinod is a lead author for the forthcoming title Mobile Application Development with .NETand has co authored several other books. He had written many technical articles for sites like ASPToday, C# Today, and CSharp-Corner.

Vinod runs a community site named www.dotnetforce.com which provides con- tent related to .NET. In his free time he likes to spend time with his family and friends.

Brian Frederickis a Lead Network Analyst for Aegon USA, one of the top 5 insurance companies in the United States. Brian started working with computers on the Apple II+. Brian attended the University of Northern Iowa and is married with two adorable children. He is also a technical instructor at a local community college teaching MCSE, MCSA, A+, and Network+ certification courses. Brian owes his success to his parents and brother for their support and backing during his Apple days and in college, and to his wife and children for their support and understanding when dad spends many hours in front of the computer.

M. Troy Hudson(MCSE NT/2000, MCP, MCP+I, Master CNE, CNE-IW, CNE-4, CNE-5, CNE-GW4, CNE-GW5, A+) is the computer services manager for Sodexho at Granite School District Food Services in Salt Lake City, UT. He currently manages around 90 sites using a lot of remote management tools, inter- networking Microsoft Windows desktops with Novell networks and ZENworks for Desktops.

Troy has been a consultant, trainer, and writer since 1997 and has published items both on the Internet and with this publisher. He has authored student cur- ricula and helped design training material and labs for students trying to pass the Microsoft MCSE exams. He holds a bachelor’s degree from the University of Phoenix in e-Business.Troy currently resides in Salt Lake City, UT with his wife Kim and eight children: “My family is the reason for taking on extra projects and

(9)

viii

I am grateful for their support! I love you Kim, Jett, Ryan, Rachael, James, McKay, Brayden, Becca and Hannah.”

Technical Editors

Debra Littlejohn Shinder (MCSE) is a technology consultant, trainer, and writer who has authored a number of books on networking, including Scene of the Cybercrime: Computer Forensics Handbook, published by Syngress Publishing (ISBN: 1-931836-65-5), and Computer Networking Essentials, published by Cisco Press. She is co-author, with her husband Dr. Thomas Shinder, of Troubleshooting Windows 2000 TCP/IP (ISBN: 1-928994-11-3), the best-selling Configuring ISA Server 2000 (ISBN: 1-928994-29-6), and ISA Server and Beyond (ISBN: 1-931836-66-3). Deb is also a technical editor and contributor to books on subjects such as the Windows 2000 MCSE exams, the CompTIA Security+ exam, and TruSecure’s ICSA certification. She edits the Brainbuzz A+ Hardware News and Sunbelt Software’s WinXP News and is regularly published in TechRepublic’s TechProGuild and Windowsecurity.com. Deb specializes in security issues and Microsoft products. She lives and works in the Dallas-Fort Worth area and can be contacted at deb@shinder.net or via the website at www.shinder.net.

Thomas W. Shinder, M.D. (MVP, MCSE) is a computing industry veteran who has worked as a trainer, writer, and a consultant for Fortune 500 companies including FINA Oil, Lucent Technologies, and Sealand Container Corporation.

Tom was a Series Editor of the Syngress/Osborne Series of Windows 2000 Certification Study Guides and is author of the best-selling books Configuring ISA Server 2000: Building Firewalls with Windows 2000 (Syngress Publishing, ISBN: 1-928994-29-6) and Dr. Tom Shinder’s ISA Server and Beyond (ISBN: 1-931836-66-3).

Tom is the editor of the Brainbuzz.com Win2k News newsletter and is a regular contributor to TechProGuild. He is also content editor, contributor and moderator for the world’s leading site on ISA Server 2000, www.isaserver.org. Microsoft recognized Tom’s leadership in the ISA Server community and awarded him their Most Valuable Professional (MVP) award in December of 2001.

Technical Editor and Contributor

Jeffery A. Martin (MCSE, MCDBA, MCT, MCP+I, MCNE, CNI, CCNP, CCI, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM) has been working with computers and computer networks for over 15 years. Jeffery spends most of his time managing several companies that he owns and consulting for large multinational media companies. He also enjoys working as a technical instructor and training others in the use of technology.

Technical Reviewer

Martin Grasdal (MCSE+I, MCSE/W2K MCT, CISSP, CTT+, A+) is an independent consultant with over 10 years’ experience in the computer industry.

Martin has a wide range of networking and IT managerial experience. He has been an MCT since 1995 and an MCSE since 1996. His training and networking experience covers a number of products, including NetWare, Lotus Notes, Windows NT, Windows 2000, Windows 2003, Exchange Server, IIS, and ISA Server. As a manager, he served as Director of Web Sites and CTO for BrainBuzz.com, where he was also responsible for all study guide and technical content on the CramSession.com Web site. Martin currently works actively as a consultant, author, and editor. His recent consulting experience includes contract work for Microsoft as a technical contributor to the MCP program on projects related to server technologies. Martin lives in Edmonton, Alberta, Canada with his wife Cathy and their two sons. Martin’s past authoring and editing work with Syngress has included the following titles: Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6), Configuring ISA Server 2000: Building Firewalls for Windows 2000 (ISBN: 1-928994-29-6), and Dr. Tom Shinder’s ISA Server & Beyond: Real World Security Solutions for Microsoft Enterprise Networks (ISBN: 1-931836-66-3).

DVD Presenter

Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, CNE-4, CNE-5) is a Senior IT Specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for various business units and schools within the University.

Her specialties include Microsoft Windows NT and 2000 design and implementation, troubleshooting and security topics. As an “MCSE Early Achiever” on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura’s previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She also operates as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of Web sites.

Laura has previously contributed to Syngress Publishing’s Configuring Symantec Antivirus, Corporate Edition (ISBN: 1-931836-81-7). She has also contributed to several other exam guides in the Syngress Windows Server 2003 MCSE/MCSA DVD Guide and Training System series as a DVD presenter, contributing author, and technical reviewer.

Laura holds a bachelor’s degree from the University of Pennsylvania and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the U.S. Government and other participants dedicated to increasing the security of United States critical infrastructures.

MCSE 70-294 Exam Objectives Map and Table of Contents

All of Microsoft’s published objectives for the MCSE 70-294 Exam are covered in this book. To help you easily find the sections that directly support particular objectives, we’ve listed all of the exam objectives below, and mapped them to the Chapter number in which they are covered. We’ve also assigned numbers to each objective, which we use in the subsequent Table of Contents and again throughout the book to identify objective coverage. In some chapters, we’ve made the judgment that it is probably easier for the student to cover objectives in a slightly different sequence than the order of the published Microsoft objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of Microsoft’s MCSE 70-294 Exam objectives.

Exam Objective Map

Objective   Description   (Chapter)

1        Planning and Implementing an Active Directory Infrastructure  (Chapter 1)
1.1      Plan a strategy for placing global catalog servers.  (Chapter 8)
1.1.1    Evaluate network traffic considerations when placing global catalog servers.  (Chapter 8)
1.1.2    Evaluate the need to enable universal group caching.  (Chapter 8)
1.2      Plan flexible operations master role placement.  (Chapter 7)
1.2.1    Plan for business continuity of operations master roles.  (Chapter 7)
1.2.2    Identify operations master role dependencies.  (Chapter 7)
1.3      Implement an Active Directory directory service forest and domain structure.  (Chapter 4)
1.3.1    Create the forest root domain.  (Chapter 4)
1.3.2    Create a child domain.  (Chapter 4)
1.3.3    Create and configure Application Data Partitions.  (Chapter 4)
1.3.4    Install and configure an Active Directory domain controller.  (Chapter 7)
1.3.5    Set an Active Directory forest and domain functional level based on requirements.  (Chapter 4)
1.3.6    Establish trust relationships. Types of trust relationships might include external trusts, shortcut trusts, and cross-forest trusts.  (Chapter 5)
1.4      Implement an Active Directory site topology.  (Chapter 6)
1.4.1    Configure site links.  (Chapter 6)
1.4.2    Configure preferred bridgehead servers.  (Chapter 6)
1.5      Plan an administrative delegation strategy.  (Chapter 5)
1.5.1    Plan an organizational unit (OU) structure based on delegation requirements.  (Chapter 5)
1.5.2    Plan a security group hierarchy based on delegation requirements.  (Chapter 5)

2        Managing and Maintaining an Active Directory Infrastructure  (All chapters)
2.1      Manage an Active Directory forest and domain structure.  (Chapter 4)
2.1.1    Manage trust relationships.  (Chapter 5)
2.1.2    Manage schema modifications.  (Chapter 8)
2.1.3    Add or remove a UPN suffix.  (Chapter 8)
2.2      Manage an Active Directory site.  (Chapter 6)
2.2.1    Configure replication schedules.  (Chapter 6)
2.2.2    Configure site link costs.  (Chapter 6)
2.2.3    Configure site boundaries.  (Chapter 6)
2.3      Monitor Active Directory replication failures. Tools might include Replication Monitor, Event Viewer, and support tools.  (Chapter 6)
2.3.1    Monitor Active Directory replication.  (Chapter 6)
2.3.2    Monitor File Replication service (FRS) replication.  (Chapter 6)
2.4      Restore Active Directory directory services.  (Chapter 11)
2.4.1    Perform an authoritative restore operation.  (Chapter 11)
2.4.2    Perform a nonauthoritative restore operation.  (Chapter 11)
2.5      Troubleshoot Active Directory.  (All chapters)
2.5.1    Diagnose and resolve issues related to Active Directory replication.  (Chapter 6)
2.5.2    Diagnose and resolve issues related to operations master role failure.  (Chapter 7)
2.5.3    Diagnose and resolve issues related to the Active Directory database.  (Chapter 11)

3        Planning and Implementing User, Computer, and Group Strategies  (Chapter 2)
3.1      Plan a security group strategy.  (Chapter 3)
3.2      Plan a user authentication strategy.  (Chapter 3)
3.2.1    Plan a smart card authentication strategy.  (Chapter 3)
3.2.2    Create a password policy for domain users.  (Chapter 3)
3.3      Plan an OU structure.  (Chapter 5)
3.3.1    Analyze the administrative requirements for an OU.  (Chapter 5)
3.3.2    Analyze the Group Policy requirements for an OU structure.  (Chapter 5)
3.4      Implement an OU structure.  (Chapter 5)
3.4.1    Create an OU.  (Chapter 5)
3.4.2    Delegate permissions for an OU to a user or to a security group.  (Chapter 5)
3.4.3    Move objects within an OU hierarchy.  (Chapter 5)

4        Planning and Implementing Group Policy  (Chapter 9)
4.1      Plan Group Policy strategy.  (Chapter 9)
4.1.1    Plan a Group Policy strategy by using Resultant Set of Policy (RSoP) Planning mode.  (Chapter 9)
4.1.2    Plan a strategy for configuring the user environment by using Group Policy.  (Chapter 9)
4.1.3    Plan a strategy for configuring the computer environment by using Group Policy.  (Chapter 9)
4.2      Configure the user environment by using Group Policy.  (Chapter 9)
4.2.1    Distribute software by using Group Policy.  (Chapter 10)
4.2.2    Automatically enroll user certificates by using Group Policy.  (Chapter 9)
4.2.3    Redirect folders by using Group Policy.  (Chapter 9)
4.2.4    Configure user security settings by using Group Policy.  (Chapter 9)
4.3      Deploy a computer environment by using Group Policy.
4.3.1    Distribute software by using Group Policy.  (Chapter 10)
4.3.2    Automatically enroll computer certificates by using Group Policy.  (Chapter 9)
4.3.3    Configure computer security settings by using Group Policy.  (Chapter 9)

5        Managing and Maintaining Group Policy  (Chapter 9)
5.1      Troubleshoot issues related to Group Policy application deployment. Tools might include RSoP and the gpresult command.  (Chapter 9)
5.2      Maintain installed software by using Group Policy.  (Chapter 10)
5.2.1    Distribute updates to software distributed by Group Policy.  (Chapter 10)
5.2.2    Configure automatic updates for network clients by using Group Policy.  (Chapter 10)
5.3      Troubleshoot the application of Group Policy security settings. Tools might include RSoP and the gpresult command.  (Chapter 9)

Contents

Foreword

Chapter 1 Active Directory Infrastructure Overview

Introduction
Introducing Directory Services (Objective 1)
Terminology and Concepts
Directory Data Store
Policy-Based Administration
Directory Access Protocol
Naming Scheme
Installing Active Directory to Create a Domain Controller
Understanding How Active Directory Works (Objective 1)
Directory Structure Overview
Sites
Domains
Domain Trees
Forests
Organizational Units
Active Directory Components
Logical vs. Physical Components
Domain Controllers
Schema
Global Catalog
Replication Service
Using Active Directory Administrative Tools (Objective 1)
Graphical Administrative Tools/MMCs
Active Directory Users and Computers
Active Directory Domains and Trusts
Active Directory Sites and Services
Command-Line Tools
Cacls
Cmdkey
Csvde
Dcgpofix
Dsadd
Dsget
Dsmod
Dsmove
Ldifde
Ntdsutil
Whoami
Implementing Active Directory Security and Access Control (Objective 1)
Access Control in Active Directory
Role-Based Access Control
Authorization Manager
Active Directory Authentication
Standards and Protocols
Kerberos
X.509 Certificates
LDAP/SSL
PKI
What’s New in Windows Server 2003 Active Directory? (Objective 1)
New Features Available on All Windows Server 2003 Computers
New Features Available Only with Windows Server 2003 Domain/Forest Functionality
Domain Controller Renaming Tool
Domain Rename Utility
Forest Trusts
Dynamically Linked Auxiliary Classes
Disabling Classes
Replication
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key

Chapter 2 Working with User, Group, and Computer Accounts

Introduction
Understanding Active Directory Security Principal Accounts (Objective 3)
Security Principals and Security Identifiers
Tools to View and Manage Security Identifiers
Naming Conventions and Limitations
Working with Active Directory User Accounts (Objective 3)
Built-In Domain User Accounts
Administrator
Guest
HelpAssistant
SUPPORT_388945a0
InetOrgPerson
Creating User Accounts
Creating Accounts Using Active Directory Users and Computers
Creating Accounts Using the DSADD Command
Managing User Accounts
Personal Information Tabs
Account Settings
Terminal Services Tabs
Security-Related Tabs
Working with Active Directory Group Accounts (Objective 3)
Group Types
Security Groups
Distribution Groups
Group Scopes in Active Directory
Universal
Global
Domain Local
Built-In Group Accounts
Default Groups in Builtin Container
Default Groups in Users Container
Creating Group Accounts
Creating Groups Using Active Directory Users and Computers
Creating Groups Using the DSADD Command
Managing Group Accounts
Working with Active Directory Computer Accounts (Objective 3)
Creating Computer Accounts
Creating Computer Accounts by Adding a Computer to a Domain
Creating Computer Accounts Using Active Directory Users and Computers
Creating Computer Accounts Using the DSADD Command
Managing Computer Accounts
Managing Multiple Accounts (Objective 3)
Implementing User Principal Name Suffixes
Moving Account Objects in Active Directory
Moving Objects with Active Directory Users and Computers
Moving Objects with the DSMOVE Command
Moving Objects with the MOVETREE Command
Troubleshooting Problems with Accounts
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key

Chapter 3 Creating User and Group Strategies

Introduction
Creating a Password Policy for Domain Users
Creating an Extensive Defense Model
Strong Passwords
System Key Utility
Defining a Password Policy
Applying a Password Policy
Modifying a Password Policy
Applying an Account Lockout Policy
Creating User Authentication Strategies
Need for Authentication
Single Sign-On
Interactive Logon
Network Authentication
Authentication Types
Kerberos
Understanding the Kerberos Authentication Process
Secure Sockets Layer/Transport Layer Security
NT LAN Manager
Digest Authentication
Passport Authentication
Educating Users
Planning a Smart Card Authentication Strategy
When to Use Smart Cards
Implementing Smart Cards
PKI and Certificate Authorities
Setting Security Permissions
Enrollment Stations
Enabling Certificate Templates
Requesting an Enrollment Agent Certificate
Enrolling Users
Installing a Smart Card Reader
Issuing Smart Card Certificates
Assigning Smart Cards
Logon Procedures
Revoking Smart Cards
Planning for Smart Card Support
Planning a Security Group Strategy
Understanding Group Types and Scopes
Security and Distribution Groups
Local, Domain Local, Global, and Universal Groups
Security Group Best Practices
Designing a Group Strategy for a Single Domain Forest
Designing a Group Strategy for a Multiple Domain Forest
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key

Chapter 4 Working with Forests and Domains

Introduction
Understanding Forest and Domain Functionality
The Role of the Forest
New Forestwide Features
The Role of the Domain
New Domainwide Features
Domain Trees
Forest and Domain Functional Levels
Domain Functionality
Forest Functionality
Raising the Functional Level of a Domain and Forest (Objective 1.3.5)
Domain Functional Level
Forest Functional Level
Optimizing Your Strategy for Raising Functional Levels
Creating the Forest and Domain Structure (Objectives 1.3, 2.1)
Deciding When to Create a New DC
Installing Domain Controllers
Creating a Forest Root Domain (Objective 1.3.1)
Creating a New Domain Tree in an Existing Forest
Creating a New Child Domain in an Existing Domain (Objective 1.3.2)
Creating a New DC in an Existing Domain
Assigning and Transferring Master Roles
Using Application Directory Partitions (Objective 1.3.3)
Establishing Trust Relationships
Direction and Transitivity
Types of Trusts
Restructuring the Forest and Renaming Domains
Domain Rename Limitations
Domain Rename Limitations in a Windows 2000 Forest
Domain Rename Limitations in a Windows Server 2003 Forest
Domain Rename Dependencies
Domain Rename Conditions and Effects
Domain Rename Preliminary Steps
Performing the Rename Procedure
Steps to Take After the Domain Rename Procedure
Implementing DNS in the Active Directory Network Environment
DNS and Active Directory Namespaces
DNS Zones and Active Directory Integration
Configuring DNS Servers for Use with Active Directory
Integrating an Existing Primary DNS Server with Active Directory
Creating the Default DNS Application Directory Partitions
Using dnscmd to Administer Application Directory Partitions
Securing Your DNS Deployment
Summary of Exam Objectives
Exam Objectives Frequently Asked Questions
Exam Objectives Fast Track
Self Test
Self Test Quick Answer Key

Chapter 5 Working with Trusts and Organizational Units

Introduction

Working with Active Directory Trusts (Objectives 1.3.6, 2.1.1)
Types of Trust Relationships
Default Trusts
Shortcut Trust
Realm Trust
External Trust
Forest Trust
Creating, Verifying, and Removing Trusts
Securing Trusts Using SID Filtering
Working with Organizational Units (Objectives 3.3.1, 3.4.3)
Understanding the Role of Container Objects
Creating and Managing Organizational Units (Objectives 3.4, 3.4.1)
Applying Group Policy to OUs
Delegating Control of OUs (Objective 3.4.2)
Planning an OU Structure and Strategy for Your Organization (Objectives 1.5, 1.5.1, 3.3, 3.3.2)
Delegation Requirements
Security Group Hierarchy
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions

Self Test
Self Test Quick Answer Key

Chapter 6 Working with Active Directory Sites

Introduction
Understanding the Role of Sites
Replication
Authentication
Interactive Logon Authentication
Network Authentication
Distribution of Services Information
Relationship of Sites to Other Active Directory Components
Relationship of Sites and Domains
Physical vs. Logical Structure of the Network
The Relationship of Sites and Subnets
Creating Sites and Site Links (Objectives 1.4, 2.2, 2.2.3)
Site Planning
Criteria for Establishing Separate Sites
Creating a Site
Renaming a Site
Creating Subnets
Associating Subnets with Sites
Creating Site Links (Objectives 1.4.1, 2.2.2)
Configuring Site Link Cost (Objectives 1.4.1, 2.2.2)
Understanding Site Replication (Objectives 2.2, 2.2.1, 2.5.1)
Purpose of Replication
Types of Replication
Intrasite Replication
Intersite Replication
Planning, Creating, and Managing the Replication Topology (Objective 1.4)
Planning Replication Topology
Creating a Replication Topology
Managing Replication Topology
Configuring Replication between Sites
Configuring Replication Frequency
Configuring Site Link Availability
Configuring Site Link Bridges
Configuring Bridgehead Servers (Objective 1.4.2)
Troubleshooting Replication Failure (Objective 2.3)
Troubleshooting Replication
Using Replication Monitor (Objective 2.3.1)
Using Event Viewer
Using Support Tools
Monitoring File Replication Service Replication (Objective 2.3.2)
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key

Chapter 7 Working with Domain Controllers

Introduction

1.3.4

Planning and Deploying Domain Controllers ………476 Understanding Server Roles ………476 Function of Domain Controllers ………480 Determining the Number of Domain Controllers ………481 Using the Active Directory Installation Wizard ………484 Creating Additional Domain Controllers ………494 Upgrading Domain Controllers ………500 Placing Domain Controllers within Sites ………502 Backing Up Domain Controllers ………503 Restoring Domain Controllers ………504

1.2/2.5.2

Managing Operations Masters ………505 Understanding the Operation Masters Roles ………505 Forestwide Roles ………506 Domainwide Roles ………507

1.2.1

Transferring and Seizing Operations Master Roles ………509 Transferring FSMOs ………510 Transferring the Schema FSMO ………510 Transferring Domain Naming FSMO ………514 Transferring RID, PDC, or Infrastructure FSMOs …………516

1.2.1

Responding to OM Failures ………516 Seizing the PDC Emulator or Infrastructure FSMO ………516 Seizing the RID Master, Domain

(25)

Naming Master, and Schema Master FSMOs ………517 Summary of Exam Objectives ………523 Exam Objectives Fast Track ………524 Exam Objectives Frequently Asked Questions ………526 Self Test ………528 Self Test Quick Answer Key ………537 Chapter 8 Working with Global Catalog

Servers and Schema 539

Introduction ………540 Working with the Global Catalog and GC Servers ………540 Functions of the GC ………541

2.1.3

UPN Authentication ………541 Directory Information Search ………542 Universal Group Membership Information ………543 Customizing the GC Using the Schema MMC Snap-In ………543 Creating and Managing GC Servers ………545 Understanding GC Replication ………547 Universal Group Membership ………547 Attributes in GC ………547

1.1

Placing GC Servers within Sites ………548

1.1.1

Bandwidth and Network Traffic Considerations ………549

1.1.2

Universal Group Caching ………550 Troubleshooting GC Issues ………552

2.1.2

Working with the Active Directory Schema ………551 Understanding Schema Components ………553 Classes ………554 Attributes ………555 Naming of Schema Objects ………559 Working with the Schema MMC Snap-In ………560 Modifying and Extending the Schema ………561 Deactivating Schema Classes and Attributes ………562 Troubleshooting Schema Issues ………563 Summary of Exam Objectives ………564 Exam Objectives Fast Track ………565 Exam Objectives Frequently Asked Questions ………566 Self Test ………567 Self Test Quick Answer Key ………573

(26)

Chapter 9 Working with Group Policy in an Active

Directory Environment 575

Introduction ………576

4/4.2.1

Understanding Group Policy ………576

4.3.1

Terminology and Concepts ………577 Local and Non-Local Policies ………577 User and Computer Policies ………577 Group Policy Objects ………580 Scope and Application Order of Policies ………580 Group Policy Integration in Active Directory ………583 Group Policy Propagation and Replication ………583

4/4.1

Planning a Group Policy Strategy ………584

4.2.1/4.3.1

Using RSoP Planning Mode ………584 Opening RSoP in Planning Mode ………584 Reviewing RSoP Results ………587 Strategy for Configuring the User Environment ………588 Strategy for Configuring the Computer Environment …………590

4/4.2.1

Implementing Group Policy ………596

4.3.1

The Group Policy Object Editor MMC ………595 Creating, Configuring, and Managing GPOs ………595 Creating and Configuring GPOs ………596 Naming GPOs ………597 Managing GPOs ………598 Configuring Application of Group Policy ………600 General ………600 Links ………601 Security ………601 WMI Filter ………602 Delegating Administrative Control ………604 Verifying Group Policy ………604

4/4.2.1

Performing Group Policy Administrative Tasks ………608

4.2.2/4.2.3

4.3.1/4.3.2

Automatically Enrolling User and Computer Certificates ……608

(27)

Redirecting Folders ………609

4.1.2/4.1.3

Configuring User and Computer Security Settings ………612

4.2/4.2.4 4.3/4.3.3

Computer Configuration ………612 User Configuration ………613 Using Software Restriction Policies ………616 Setting Up Software Restriction Policies ………616 Software Policy Rules ………617 Precedence of Policies ………617 Best Practices ………618

4/4.2.1

Applying Group Policy Best Practices ………619

4.3.1/5

4/4.2.1

Troubleshooting Group Policy ………621

4.3.1/5.1/

5.3

4.1.1

Using RSoP ………622 Using gpresult.exe ………623 Summary of Exam Objectives ………628 Fast Track ………629 Exam Objectives Frequently Asked Questions ………631 Self Test ………633 Self Test Quick Answer Key ………639 4.2.1/4.3.1Chapter 10 Deploying Software via Group Policy 641 Introduction ………642 Understanding Group Policy Software Installation Terminology

and Concepts ………642 Group Policy Software Installation Concepts ………644 Assigning Applications ………644 Publishing Applications ………646 Document Invocation ………646 Application Categories ………647 Group Policy Software Deployment vs. SMS

Software Deployment ………648 Group Policy Software Installation Components ………648 Windows Installer Packages (.msi) ………649 Transforms (.mst) ………650

(28)

Patches and Updates (.msp) ………651 Application Assignment Scripts (.aas) ………652 Deploying Software to Users ………652 Deploying Software to Computers ………653

5.2

Using Group Policy Software Installation to Deploy Applications …654 Preparing for Group Policy Software Installation ………654 Creating Windows Installer Packages ………654 Using .zap Setup Files ………656 Creating Distribution Points ………659 Working with the GPO Editor ………660 Opening or Creating a GPO for Software Deployment ………659 Assigning and Publishing Applications ………662 Configuring Software Installation Properties ………664 The General Tab ………665 The Advanced Tab ………665 The File Extensions Tab ………666 The Categories Tab ………666

5.2.1

Upgrading Applications ………667

5.2.2

Automatically Configuring Required Updates ………668 Removing Managed Applications ………669 Managing Application Properties ………670 Categorizing Applications ………673 Adding and Removing Modifications for Application Packages 673 Troubleshooting Software Deployment ………675 Verbose Logging ………677 Software Installation Diagnostics Tool ………678 Summary of Exam Objectives ………679 Exam Objectives Fast Track ………679 Exam Objectives Frequently Asked Questions ………681 Self Test ………682 Self Test Quick Answer Key ………688 Chapter 11 Ensuring Active Directory Availability 689 Introduction ………690 Understanding Active Directory Availability Issues ………690 The Active Directory Database ………690 Data Modification to the Active Directory Database …………692 The Tombstone and Garbage Collection Processes ………694

(29)

System State Data ………698 Fault Tolerance and Performance ………699 RAID-1 ………700 RAID-5 ………701 Performing Active Directory Maintenance Tasks ………701 Defragmenting the Database ………702 Understanding Active Directory Database Fragmentation …702 The Offline Defragmentation Process ………703 Moving the Database or Log Files ………707

2.5.3

Monitoring the Database ………711 Using Event Viewer to Monitor Active Directory …………711 Using the Performance Console to Monitor Active Directory 713 Backing Up and Restoring Active Directory ………720 Backing Up Active Directory ………720 Using the Windows Server 2003 Backup Utility …………721 Backing Up at the Command Line ………733

2.4/2.4.1

Restoring Active Directory ………733

2.4.2

Directory Services Restore Mode ………733 Normal Restore ………734 Authoritative Restore ………741 Primary Restore ………743

2.5.3

Troubleshooting Active Directory Availability ………745 Setting Logging Levels for Additional Detail ………745 Using Ntdsutil Command Options ………747 Using the Integrity Command ………747 Using the recover Command ………750 Using the Semantic Database Analysis Command …………752 Using the esentutl Command ………756 Changing the Directory Services Restore Mode Password ……758 Summary of Exam Objectives ………759 Exam Objectives Fast Track ………760 Exam Objectives Frequently Asked Questions ………762 Self Test ………764 Self Test Quick Answer Key ………769

(30)

Appendix Self Test Questions, Answers,

and Explanations 771

Chapter 1: Active Directory Infrastructure Overview …………772 Chapter 2: Working with User, Group, and Computer Accounts 781 Chapter 3: Creating User and Group Strategies ………789 Chapter 4: Working with Forests and Domains ………797 Chapter 5: Working with Trusts and Organizational Units ……809 Chapter 6: Working with Active Directory Sites ………819 Chapter 7: Working with Domain Controllers ………826 Chapter 8: Working with Global Catalog Servers and Schema 840 Chapter 9: Working with Group Policy in an Active

Directory Environment ………847 Chapter 10: Deploying Software via Group Policy ………855 Chapter 11: Ensuring Active Directory Availability ………864

Index 873

Foreword

This book’s primary goal is to help you prepare to take and pass Microsoft’s exam number 70-294, Planning, Implementing and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure. At the time of this writing, the exam is expected to be released in its beta version in June 2003. Our secondary purpose in writing this book is to provide exam candidates with knowledge and skills that go beyond the minimum requirements for passing the exam, and help to prepare them to work in the real world of Microsoft computer networking in an Active Directory domain environment.

What is Exam 70-294?

Exam 70-294 is one of the four core requirements for the Microsoft Certified Systems Engineer (MCSE) certification. Microsoft’s stated target audience consists of IT professionals with at least one year of work experience on a medium or large company network. This means a multi-site network with at least three domain controllers, running typical network services such as file and print services, database, firewall services, proxy services, remote access services and Internet connectivity.

However, not everyone who takes Exam 70-294 will have this ideal background. Many people will take this exam after classroom instruction or self-study as an entry into the networking field. Many of those who do have job experience in IT will not have had the opportunity to work with all of the technologies covered by the exam. In this book, our goal is to provide background information that will help you to understand the concepts and procedures described even if you don’t have the requisite experience, while keeping our focus on the exam objectives.

Exam 70-294 covers the basics of managing and maintaining the Active Directory infrastructure in a network environment that is built around Microsoft’s Windows Server 2003.

Objectives are task-oriented, and include the following:

Planning a strategy for placing global catalog servers, including evaluating network traffic considerations and evaluating the need to enable universal group caching.

Planning the placement of flexible operations master roles, including how to plan for business continuity of operations master roles and identifying operations master role dependencies.

Implementing an Active Directory directory service forest and domain structure, including creating the forest root domain, creating a child domain, creating and configuring Application Data Partitions, and installing and configuring an Active Directory domain controller. This objective also includes setting an Active Directory forest and domain functional level based on requirements, and establishing trust relationships such as external trusts, shortcut trusts and cross-forest trusts.

Implementing an Active Directory site topology, including configuring site links and configuring preferred bridgehead servers.

Planning an administrative delegation strategy, including planning an organizational unit (OU) structure based on delegation requirements and planning a security group hierarchy based on delegation requirements.

Managing an Active Directory forest and domain structure, including managing trust relationships, managing schema modifications, and adding or removing UPN suffixes.

Managing an Active Directory site, including configuring replication schemes, configuring site link costs, and configuring site boundaries.

Monitoring Active Directory replication failures, using tools such as Replication Monitor, Event Viewer and support tools to monitor Active Directory replication and File Replication Service (FRS) replication.

Restoring Active Directory directory services, including performing both authoritative restore and nonauthoritative restore operations.

Troubleshooting Active Directory, including diagnosing and resolving issues related to Active Directory replication, operations master role failure, and the Active Directory database.

Planning a security group strategy.

Planning a user authentication strategy, including planning a strategy for smart card authentication and creating a password policy for domain users.

Planning an OU structure, including analyzing the administrative requirements for an OU and analyzing the Group Policy requirements for an OU structure.

Implementing an OU structure, including creating an OU, delegating permissions for an OU to a user or a security group, and moving objects within the OU hierarchy.

Planning a Group Policy strategy, including using Resultant Set of Policy (RSoP) planning mode, and strategies for configuring the user environment and computer environments using Group Policy.

Configuring the user environment with Group Policy, including distributing software to users via Group Policy, automatically enrolling user certificates with Group Policy, redirecting folders via Group Policy and configuring user security settings using Group Policy.

Deploying a computer environment using Group Policy, including distributing software to computers via Group Policy, automatically enrolling computer certificates with Group Policy, and configuring computer security settings using Group Policy.

Troubleshooting issues related to Group Policy application and deployment, using tools such as RSoP and the gpresult command.

Maintaining installed software using Group Policy, including distributing updates to software distributed by Group Policy and configuring automatic updates for network clients using Group Policy.

Troubleshooting the application of Group Policy security settings, using tools such as RSoP and the gpresult command.

Microsoft reserves the right to change the objectives and/or the exam at any time, so you should check the web site at http://www.microsoft.com/traincert/exams/70-294.asp for the most up-to-date version of the objectives.

Path to MCP/MCSA/MCSE

Microsoft certification is recognized throughout the IT industry as a way to demonstrate mastery of basic concepts and skills required to perform the tasks involved in implementing and maintaining Windows-based networks. The certification program is constantly evaluated and improved; the nature of information technology is changing rapidly and this means requirements and specifications for certification can also change rapidly. This book is based on the exam objectives as stated by Microsoft at the time of writing; however, Microsoft reserves the right to make changes to the objectives and to the exam itself at any time. Exam candidates should regularly visit the Certification and Training web site at http://www.microsoft.com/traincert/ for the most updated information on each Microsoft exam.

Microsoft presently offers three basic levels of certification:

Microsoft Certified Professional (MCP): to obtain the MCP certification, you must pass one current Microsoft certification exam. For more information on exams that qualify, see http://www.microsoft.com/traincert/mcp/mcp/requirements.asp.

Microsoft Certified Systems Administrator (MCSA): to obtain the MCSA certification, you must pass three core exams and one elective exam, for a total of four exams. For more information, see http://www.microsoft.com/TrainCert/mcp/mcsa/requirements.asp.

Microsoft Certified Systems Engineer (MCSE): to obtain the MCSE certification on Windows Server 2003, you must pass six core exams (including four network operating system exams, one client operating system exam and one design exam) and one elective. For more information, see http://www.microsoft.com/traincert/mcp/mcse/windows2003/.

Passing Exam 70-294 will earn you the MCP certification (if it is the first Microsoft exam you’ve passed). Exam 70-294 also counts toward the MCSE. Exam 70-294 is not a requirement or elective for the MCSA.

NOTE

Those who already hold the MCSA in Windows 2000 can upgrade their certifications to MCSA 2003 by passing one upgrade exam (70-292). Those who already hold the MCSE in Windows 2000 can upgrade their certifications to MCSE 2003 by passing two upgrade exams (70-292 and 70-296).

Microsoft also offers a number of specialty certifications for networking professionals and certifications for software developers, including the following:

Microsoft Certified Database Administrator (MCDBA)

Microsoft Certified Solution Developer (MCSD)

Microsoft Certified Application Developer (MCAD)

Exam 70-294 does not apply to any of these specialty and developer certifications.

Prerequisites and Preparation

There are no mandatory prerequisites for taking Exam 70-294, although Microsoft recommends that you meet the target audience profile described earlier, and many candidates will first take Exams 70-290, 70-291 and 70-293 in sequence before taking Exam 70-294 in their pursuit of the MCSE certification.

Preparation for this exam should include the following:

Visit the web site at http://www.microsoft.com/traincert/exams/70-294.asp to review the updated exam objectives. Remember that Microsoft reserves the right to change or add to the objectives at any time, so new objectives might have been added since the printing of this book.

Work your way through this book, studying the material thoroughly and marking any items you don’t understand.

Answer all practice exam questions at the end of each chapter.

Complete all hands-on exercises in each chapter.

Review any topics that you don’t thoroughly understand.

Consult Microsoft online resources such as TechNet (http://www.microsoft.com/technet/), white papers on the Microsoft web site, and so forth, for better understanding of difficult topics.

Participate in Microsoft’s product-specific and training and certification newsgroups if you have specific questions that you still need answered.

Take one or more practice exams, such as the one included on the CD with this book.

Exam Overview

In this book, we have tried to follow Microsoft’s exam objectives as closely as possible.

However, we have rearranged the order of some topics for a better flow, and included background material to help you understand the concepts and procedures that are included in the objectives. Following is a brief synopsis of the exam topics covered in each chapter:

Active Directory Infrastructure Overview: In this chapter, we will start with the basics: defining directory services and providing a brief background of the directory services standards and protocols. You’ll learn how the Active Directory works, and we will introduce you to the terminology and concepts required to understand the Active Directory infrastructure. We discuss how the directory is structured into sites, forests, domains, domain trees, and organizational units, and you’ll learn about the components that make up the Active Directory, including both logical and physical components. These include the schema, the global catalog, domain controllers and the replication service. You’ll learn to use the Active Directory administrative tools, and we will discuss directory security and access control. Finally, we provide an overview of what’s new for Active Directory in Windows Server 2003.

Working with User, Group and Computer Accounts: This chapter introduces you to the concept of security principals – users, groups and computers – and the security identifiers that are used to represent them. You’ll learn about the conventions and limitations for naming these objects. We show you how to work with Active Directory user accounts, including the built-in accounts and those you create yourself. You’ll also learn to work with group accounts, and you’ll learn about group types and scopes. You’ll learn to work with computer accounts, and how to manage multiple accounts. We’ll show you how to implement User Principal Name suffixes, and we’ll discuss how to move objects within the Active Directory.

Creating User and Group Strategies: This chapter deals with planning effective strategies for managing users and groups in Active Directory. We will discuss the creation of user authentication strategies, and we provide an overview of authentication concepts. You will learn to plan a smart card authentication strategy and find out what’s new in smart card authentication for Windows Server 2003. We will also discuss how to create a password policy for domain users, and how to plan a security group strategy.

Working with Forests and Domains: In this chapter, you will learn all about the functions of forests and domains in the Active Directory infrastructure, and we will walk you through the steps of creating a forest and domain structure for a network. You’ll learn to install domain controllers, create the forest root domain and a child domain, and you’ll find out how to name and rename domains and how to set the functional level of a forest and domain. We will then discuss the role of DNS in the Active Directory environment, and you’ll learn about the relationship of the DNS and AD namespaces, how DNS zones are integrated into Active Directory, and how to configure DNS servers for use with Active Directory.

Working with Trusts and Organizational Units: This chapter addresses two important components of Active Directory: trust relationships and organizational units (OUs). You’ll learn about the different types of trusts that exist in the AD environment, both implicit and explicit, and you’ll learn to create shortcut, external, realm and cross-forest trusts. You’ll also learn to verify and remove trusts, and how to secure trusts using SID filtering. Then we discuss the creation and management of OUs, and you learn to apply Group Policy to OUs and how to delegate control of an OU. We show you how to plan an OU structure and strategy for your organization, considering delegation requirements and the security group hierarchy.

Working with Active Directory Sites: In this chapter, you learn about the role of sites in the Active Directory infrastructure, and how replication, authentication and distribution of services information work within and across sites. We discuss the relationship of sites and domains, the relationship of sites and subnets, and how to create sites and site links. You’ll learn about site replication and how to plan, create and manage a replication topology. We walk you through the steps of configuring replication between sites, and discuss how to troubleshoot replication failures. We also address monitoring of the File Replication Service (FRS).

Working with Domain Controllers: The focus of this chapter is the Active Directory domain controller (DC), and how to plan and deploy DCs on your network. You’ll learn about server roles, where domain controllers fit in, and how to create and upgrade DCs. We discuss placement of domain controllers within sites and how to back up your domain controllers. Then we get into the subject of operations master (OM) roles and you learn about the functions of all five OMs: the schema master, domain naming master, RID master, PDC emulator and infrastructure master. We talk about transferring and seizing master roles and role dependencies, and you’ll learn to plan for the placement of OMs and how to respond to OM failures.

Working with Global Catalog Servers and the Schema: In this chapter, we take a look at a special type of domain controller: the Global Catalog server. You’ll learn about the role the Global Catalog (GC) plays in the network, and you’ll find out how to customize the GC using the Schema MMC snap-in. We show you how to create and manage GC servers, and explain how GC replication works. You’ll learn about the factors to consider when placing GC servers within sites. Next, we address the Active Directory schema itself. You’ll learn about schema components: classes and attributes, and the naming of schema objects. We show you how to install and use the Schema management console, and you’ll learn how to extend the schema and how to deactivate schema objects.

Working with Group Policy in an Active Directory Network: This chapter starts with the basics of Group Policy terminology and concepts, introducing you to user and computer policies and Group Policy Objects (GPOs). We discuss the scope and application order of policies and you’ll learn about Group Policy integration in Active Directory. We show you how to plan a Group Policy strategy, and then walk you through the steps of implementing Group Policy. We show you how to perform common Group Policy tasks, and discuss Group Policy propagation and replication. You’ll also learn best practices for working with Group Policy, and we’ll show you how to troubleshoot problems with Group Policy.

Deploying Software via Group Policy: In this chapter, you will learn about Group Policy’s software installation feature. We’ll show you how to use the components of software installation: Windows Installer packages, transforms, patches and application assignment scripts. You’ll find out how to deploy software to users and to computers, by assigning or publishing applications. We walk you through the steps of preparing for GP software installation, working with the Group Policy Object Editor and setting installation options. You’ll find out how to upgrade applications, configure automatic updates and remove managed applications. We’ll also cover how to troubleshoot problems that can occur with Group Policy software deployment.

Ensuring Active Directory Availability: The final chapter deals with how to maintain high availability of your Active Directory services. You’ll learn about the Active Directory database, and the importance of system state data to AD availability. We’ll discuss fault tolerance plans as well as AD performance issues. You’ll find out how to perform necessary maintenance tasks, such as defragging the database, and you’ll learn how to monitor or move the database. We address backup and restoration of the Active Directory, and show you the different restoration methods that can be used and when each is appropriate. Finally, you’ll learn to troubleshoot Active Directory availability.

Exam Day Experience

Taking the exam is a relatively straightforward process. Both Vue and Prometric testing centers administer the Microsoft 70-291 exam. You can register for, reschedule or cancel an exam through the Vue web site at http://www.vue.com/ or the Prometric web site at http://www.2test.com/index.jsp. You’ll find listings of testing center locations on these sites.

Accommodations are made for those with disabilities; contact the individual testing center for more information.

Exam price varies depending on the country in which you take the exam.

Exam Format

Exams are timed. At the end of the exam, you will find out your score and whether you passed or failed. You will not be allowed to take any notes or other written materials with you into the exam room. You will be provided with a pencil and paper, however, for making notes during the exam or doing calculations.

In addition to the traditional multiple choice questions and the select and drag, simulation and case study questions introduced in the Windows 2000 exams, Microsoft has developed a number of innovative question types for the Windows Server 2003 exams. You might see some or all of the following types of questions:

Hot area questions, in which you are asked to select an element or elements in a graphic to indicate the correct answer. You click an element to select or deselect it.

Active screen questions, in which you change elements in a dialog box (for example, by dragging the appropriate text element into a text box or selecting an option button or checkbox in a dialog box).

Drag and drop questions, in which you arrange various elements in a target area.

You can download a demo sampler of test question types from the Microsoft web site at http://www.microsoft.com/traincert/mcpexams/faq/innovations.asp#H.

Test Taking Tips

Different people work best using different methods. However, there are some common methods of preparation and approach to the exam that are helpful to many test-takers. In this section, we provide some tips that other exam candidates have found useful in preparing for and actually taking the exam.

Exam preparation begins before exam day. Ensure that you know the concepts and terms well and feel confident about each of the exam objectives. Many test-takers find it helpful to make flash cards or review notes to study on the way to the testing center. A sheet listing acronyms and abbreviations can be helpful, as the number of acronyms (and the similarity of different acronyms) when studying IT topics can be overwhelming.The process of writing the material down, rather than just reading it, will help to reinforce your knowledge.

Many test-takers find it especially helpful to take practice exams that are available on the Internet and with books such as this one.Taking the practice exams not only gets you used to the computerized exam-taking experience, but also can be used as a learning tool.The best practice tests include detailed explanations of why the correct answer is correct and why the incorrect answers are wrong.

When preparing and studying, you should try to identify the main points of each objective section. Set aside enough time to focus on the material and lodge it into your memory. On the day of the exam, you should be at the point where you don’t have to learn any new facts or concepts, but need simply to review the information already learned.

The value of hands-on experience cannot be stressed enough. Exam questions are based on test-writers’ experiences in the field. Working with the products on a regular basis, whether in your job environment or in a test network that you’ve set up at home, will make you much more comfortable with these questions.

Know your own learning style and use study methods that take advantage of it. If you’re primarily a visual learner, reading, making diagrams, watching video files on CD, etc. may be your best study methods. If you’re primarily auditory, classroom lectures, audiotapes you can play in the car as you drive, and repeating key concepts to yourself aloud may be more effective. If you’re a kinesthetic learner, you’ll need to actually do the exercises, implement the security measures on your own systems, and otherwise perform hands-on tasks to best absorb the information. Most of us can learn from all of these methods, but have a primary style that works best for us.

Although it might seem obvious, many exam-takers ignore the physical aspects of exam preparation. You are likely to score better if you’ve had sufficient sleep the night before the exam, and if you are not hungry, thirsty, hot/cold or otherwise distracted.
