
Talking Shop: Brush up on Active Directory for the Win2K Server exam

Active Directory concepts for Microsoft Exam 70-215


Microsoft’s Windows 2000 Server exam is no pushover. Even if you’ve been administering the platform for 16 months or longer, be sure you’re familiar with everything you need to know. This second article in a four-part series lists those Active Directory and resource administration topics you must master for success with Microsoft Exam 70-215: Installing, Configuring, and Administering Microsoft Windows 2000 Server.

Did you miss it?
The first installment in the series, "The Win2K Server exam: Your first list to study," will help you review hardware requirements, installation, and hardware device and driver troubleshooting.

Active Directory Services
Microsoft’s Active Directory is so important that two exams are dedicated to the directory service alone. Tests 70-217 (Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure) and 70-219 (Designing a Microsoft Windows 2000 Directory Services Infrastructure) both test candidates’ proficiency in designing and administering Active Directory.

While you needn’t possess the expertise to pass 70-217 and 70-219 when you sit for the Win2K server test, you should be familiar with Active Directory fundamentals.

Active Directory stores objects, from users and computers to printers and other resources, in a single replicated database so that they can be administered centrally. Another Active Directory benefit is scalability: a single domain can hold millions of objects, where the Windows NT 4.0 SAM topped out in the tens of thousands.

Several protocols and standards let Active Directory work with other directory services. Its naming model and schema concepts come from the X.500 directory standard, but clients talk to it over TCP/IP using the Lightweight Directory Access Protocol (LDAP), not the X.500 protocols themselves. Two other services are inseparable from it: DNS, which clients and domain controllers use to find one another through SRV records, and Kerberos, the default authentication protocol in a Windows 2000 domain.

Three critical MMC snap-ins are used to administer Active Directory. They are:
  • Active Directory Domains and Trusts
  • Active Directory Sites and Services
  • Active Directory Users and Computers

Active Directory is installed when a Windows 2000 stand-alone server (the default Win2K Server installation) or member server is promoted to a domain controller using the Dcpromo.exe utility. Running Dcpromo.exe again on a domain controller demotes it.

Active Directory and network design
Windows 2000 uses domains, just as Windows NT did. A domain is a security boundary: its users, computers, and other objects share one directory partition and one set of account and security policies, which simplifies administration. Take TechRepublic, for example. It has office locations in Louisville and San Francisco. One domain, then, might be TechRepublic (for all users) and another might be named Louisville (for employees in the Bluegrass).

Trees are logical structures composed of one or more domains that share a contiguous DNS namespace. The first domain that is created becomes the root domain. Each domain added to the tree after that is a child of an existing domain and takes its parent’s name as a suffix. If the Louisville domain were formed after the TechRepublic.com domain, its name would be Louisville.TechRepublic.com, and the San Francisco domain could be SanFran.TechRepublic.com. Together, the domains form a tree whose name is that of its root, TechRepublic.com.

A forest is the collection of all trees that grew from the same first domain. The trees in a forest don’t share a DNS namespace, but they do share one schema, one configuration partition, and one Global Catalog, and every domain in the forest trusts every other through a chain of two-way transitive trusts. In the TechRepublic example, TechRepublic.com is one tree; CNet.com (TechRepublic’s parent company) could be a second tree in the same forest.

Sites, on the other hand, describe the physical network rather than the logical one. A site is a set of IP subnets joined by fast, reliable links. Active Directory uses sites to point clients at a nearby domain controller when they log on and to schedule and compress replication traffic across slow WAN links.

Every domain must have at least one domain controller, and two are better, because the directory is the domain’s only account database. Every forest must also have at least one Global Catalog server; the first domain controller installed in the forest becomes one automatically. The Global Catalog holds a partial, read-only replica of every object in the forest. It resolves User Principal Name logons and universal group memberships, so in a native-mode domain a domain controller that cannot reach a Global Catalog will refuse ordinary user logons.

Know the five operations master (FSMO) roles and which of them are forest-wide. The Schema Master (one per forest) is the only domain controller allowed to change the schema; the Domain Naming Master (one per forest) is the only one allowed to add or remove domains. The RID Master, PDC Emulator, and Infrastructure Master exist once per domain. Also be sure that you understand the trust relationships Windows 2000 creates by default: every parent-child and tree-root trust is two-way and transitive and authenticates with Kerberos, unlike the one-way, non-transitive trusts of Windows NT, which you still create by hand when you need to trust an NT 4.0 domain.

Active Directory organizes objects in Organizational Units (OUs). OUs are containers used to group objects so that administration can be delegated and Group Policy applied to just that part of the domain.

When studying up on Active Directory, learn the differences between Distinguished Names, Relative Distinguished Names, and User Principal Names.

My Distinguished Name falls out as follows: CN=ErikEckel,CN=Editors,DC=TechRepublic,DC=com. The components are separated by commas and read from the most specific on the left to the domain on the right. CN stands for common name and DC for domain component; an organizational unit would appear as OU=Editors instead. What’s that mean? It reveals that the object Erik Eckel lives in the Editors container in the TechRepublic.com domain, and the full DN is unique across the forest.

My Relative Distinguished Name is the leftmost component, CN=ErikEckel. It only has to be unique within its container, which is why two Erik Eckels can exist in different OUs of the same domain. My User Principal Name is ErikEckel@TechRepublic.com, which is also a valid Win2K logon name; the part after the @ is a UPN suffix, and an administrator can add alternative suffixes for the forest in Active Directory Domains and Trusts.

You should also know how Downlevel Login Names work. The purpose of a Downlevel Login Name is to provide backward compatibility with Windows NT and Windows 9x clients. It pairs the domain’s NetBIOS name (chosen during Dcpromo, up to 15 characters) with the account’s sAMAccountName (up to 20 characters for a user). Using my name, my Downlevel Login Name is TechRepublic\ErikEckel.
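The four name forms above are easiest to keep straight when you derive them from one another. The following is an added example, not code from the article: it parses an RFC 2253 distinguished name (comma-separated, backslash-escaped) and derives the RDN, parent container, domain DNS name, UPN, and down-level name. The DN, the NetBIOS name TECHREPUBLIC, and the assumption that the logon name equals the CN value are illustrative only; in a real domain the sAMAccountName and UPN suffix are separate attributes.

```python
# Added example (not from the article): parsing an LDAP distinguished name and
# deriving the other Windows 2000 name forms from it. The DN, the NetBIOS
# domain name and the assumption that the logon name equals the CN value are
# illustrative only.
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 DN into (attribute, value) pairs, leftmost (most specific) first.

    Commas separate RDNs; a backslash escapes the next character, so the
    value 'Eckel, Erik' is written 'Eckel\\, Erik' inside the DN.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends this RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def rdn(dn: str) -> str:
    """Relative Distinguished Name: the first RDN, e.g. 'CN=ErikEckel'."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"


def parent_container(dn: str) -> str:
    """DN of the container or OU the object lives in."""
    return ",".join(f"{a}={v}" for a, v in parse_dn(dn)[1:])


def domain_dns_name(dn: str) -> str:
    """Join the DC= components, left to right, into the domain's DNS name."""
    labels = [v for a, v in parse_dn(dn) if a == "DC"]
    if not labels:
        raise ValueError("DN has no DC components")
    return ".".join(labels)


def upn(dn: str) -> str:
    """User Principal Name, assuming (for illustration) that the logon name is the
    CN value and the UPN suffix is the domain's DNS name; both are separate,
    configurable attributes in a real domain."""
    _, logon = parse_dn(dn)[0]
    return f"{logon}@{domain_dns_name(dn)}"


def downlevel_name(dn: str, netbios_domain: str) -> str:
    """Down-level (NT 4.0 style) name DOMAIN\\user. The NetBIOS domain name is
    chosen at Dcpromo time and cannot be derived from the DN, so it is passed in.
    A user's sAMAccountName is limited to 20 characters."""
    _, logon = parse_dn(dn)[0]
    if len(logon) > 20:
        raise ValueError("sAMAccountName longer than 20 characters")
    if len(netbios_domain) > 15:
        raise ValueError("NetBIOS domain name longer than 15 characters")
    return f"{netbios_domain}\\{logon}"


if __name__ == "__main__":
    erik = "CN=ErikEckel,CN=Editors,DC=TechRepublic,DC=com"   # constructed, as in the article
    print(rdn(erik), parent_container(erik), upn(erik), downlevel_name(erik, "TECHREPUBLIC"))
```

The escape handling matters in practice: a display name such as "Eckel, Erik" is legal in a CN, and a naive split on commas silently produces a wrong container path for it.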

Administering resource access
Be sure that you’re up on installing and configuring local and network printers. Know how Internet Printing works and how to configure separator pages and other print settings, such as print priorities (99 is the highest; 1 is the lowest). Know how to change the print spool location and familiarize yourself with the Fixprnsv.exe command.

Familiarize yourself, too, with Services for UNIX 2.0. Know UNIX LPR commands. Remember that TCP/IP is required for communicating with UNIX hosts.

As long as Apple’s still kicking, Microsoft could test you on Macintosh integration issues. Windows 2000 server platforms support Macintosh file and print sharing. Know how to install and configure File Services for Macintosh and Print Services for Macintosh from the Control Panel’s Add/Remove Programs applet.

Understand how to administer the Win2K Distributed File System (Dfs). Dfs is used to organize and manage multiple network shares in a hierarchical fashion. Use the Dfsgui.msc snap-in to configure Dfs in Windows 2000.

You can configure Dfs as a stand-alone root or as a domain (fault-tolerant) root. A stand-alone Dfs root supports only a single level of hierarchy and lives on one server, so it is a single point of failure. A domain Dfs root must be hosted on a member server or domain controller in the domain. Create one by selecting Create A Domain Dfs Root within the Dfs utility. Active Directory stores the domain Dfs topology and replicates it to every other server that hosts a replica of the root, so clients can still reach the namespace if one root server goes down.

Ensure that you master NTFS permissions. Remember that subfolder file permissions are inherited from parent folders by default.

Memorize the following:
  • If you copy a file within a partition, the file inherits the permissions from the destination folder.
  • If you copy a file across partitions, the file inherits the permissions from the destination folder.
  • If you move a file across partitions, the file inherits the permissions from the destination folder.
  • If you move a file within a partition, the file maintains its original permissions.
The rule of thumb: only a move within the same NTFS volume keeps a file’s permissions, because Windows merely updates the directory entry. Every other operation creates a new file, which inherits from its new parent. Moving or copying to a FAT partition discards NTFS permissions entirely.

If encrypted files are moved to a compressed folder or FAT partition, the encryption is removed; a file cannot be both compressed and encrypted, and FAT has no way to store either attribute. The move to FAT succeeds only for a user who holds the key, because the file has to be decrypted on the way. An encrypted file moved to an unencrypted folder on an NTFS partition retains its encryption state. Don’t forget that in Windows 2000 an encrypted file can be opened only by the user who encrypted it (and by the recovery agent), so there is no way to share an encrypted file with other users.

It seems elementary, but be sure that you know the differences between the share permissions Read, Change, Full Control, and No Access. Windows 2000 drops No Access as a separate level: every share or NTFS permission can instead be explicitly denied, and a Deny always wins over an Allow. Think you know them already? Does a user with Change permission have execute permission? (Yes, because Change includes everything Read grants.) It’s best to look them up and commit them to memory:
  • Full Control—Users can take ownership and edit file access permissions, in addition to receiving all Change and Read permissions.
  • Change—Users can edit, create, and delete files, in addition to receiving all Read permissions.
  • Read—Users can list and read files and execute programs.
  • No Access (Windows NT) or an explicit Deny (Windows 2000)—Users receive no permissions; they can’t list, view, read, or change files and programs.

Ultimately, the permission a user receives to a file reached over the network is a combination of the share and NTFS permissions. Calculate the effective permission in three steps: add up the share permissions granted to the user and to every group the user belongs to (the least restrictive set wins), do the same for the NTFS permissions, then take the more restrictive of the two results. NTFS permissions alone apply when the user logs on at the server itself, and share permissions alone apply to shares on FAT volumes, which have no NTFS permissions.

However, should a No Access or explicit Deny permission ever apply to the user or to one of the user’s groups, that denial overrides everything else, and the user is refused access to the resource.
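The three-step calculation is easy to get wrong on the exam and in production, so here it is as code. This is an added example, not part of the article: a simplified model in which each permission level expands to a set of rights, Allows accumulate across the user’s groups, a Deny removes rights, and the share and NTFS results are intersected for network access. The group names, the ACEs, and the right names are constructed; real Windows ACLs carry finer-grained rights and an inheritance and ordering model this model leaves out.

```python
# Added example (not from the article): a simplified model of how Windows 2000
# combines share and NTFS permissions into a user's effective access. The
# group names, ACEs and right names below are constructed for illustration;
# real ACLs carry more rights and an inheritance/ordering model left out here.
from typing import Dict, Iterable, Set, Tuple

Ace = Tuple[str, str, str]   # (principal, "Allow" | "Deny", permission level)

# Share permission levels (the ones the article lists; No Access became an
# explicit Deny in Windows 2000) mapped to the rights they grant.
SHARE_RIGHTS: Dict[str, Set[str]] = {
    "Read":         {"list", "read", "execute"},
    "Change":       {"list", "read", "execute", "write", "create", "delete"},
    "Full Control": {"list", "read", "execute", "write", "create", "delete",
                     "change_permissions", "take_ownership"},
}

# Basic NTFS permission levels from the Security tab, using the same right names.
NTFS_RIGHTS: Dict[str, Set[str]] = {
    "Read":                 {"list", "read"},
    "Read & Execute":       {"list", "read", "execute"},
    "List Folder Contents": {"list"},
    "Write":                {"write", "create"},
    "Modify":               {"list", "read", "execute", "write", "create", "delete"},
    "Full Control":         {"list", "read", "execute", "write", "create", "delete",
                             "change_permissions", "take_ownership"},
}


def rights_from_aces(principals: Set[str], aces: Iterable[Ace],
                     table: Dict[str, Set[str]]) -> Set[str]:
    """Allows for any of the user's principals accumulate (least restrictive);
    a Deny for any of them removes the rights it names no matter what else is allowed."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for who, kind, level in aces:
        if who not in principals:          # ACE is for someone else; ignore it
            continue
        rights = table[level]
        if kind == "Allow":
            allowed |= rights
        elif kind == "Deny":
            denied |= rights
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return allowed - denied


def effective_rights(principals: Set[str], share_aces: Iterable[Ace],
                     ntfs_aces: Iterable[Ace], over_network: bool = True) -> Set[str]:
    """Most restrictive of the (already cumulative) share and NTFS sets when the
    file is reached through the share; NTFS alone for a local logon."""
    ntfs = rights_from_aces(principals, ntfs_aces, NTFS_RIGHTS)
    if not over_network:
        return ntfs
    share = rights_from_aces(principals, share_aces, SHARE_RIGHTS)
    return ntfs & share


# Constructed sample: the share is wide open, NTFS does the real work, and one
# group is explicitly denied everything.
USER_GROUPS = {"ErikEckel", "Editors", "Everyone", "Authenticated Users"}
SHARE_ACL = [("Everyone", "Allow", "Full Control")]
NTFS_ACL = [
    ("Editors", "Allow", "Modify"),
    ("Everyone", "Allow", "Read"),
    ("Contractors", "Deny", "Full Control"),
]

if __name__ == "__main__":
    print(sorted(effective_rights(USER_GROUPS, SHARE_ACL, NTFS_ACL)))
```

Two habits follow from the model. Granting Everyone Full Control on the share and doing the real work in NTFS gives one consistent answer whether the user comes in over the network or logs on at the console; and a Deny for a group the user belongs to through nesting will bite even when every other ACE says Allow, which is why Deny ACEs are usually reserved for a narrow group.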

Study offline file use. Three types of caching can be configured:
  • Manual Caching For Documents—Users are permitted to specify particular files available for offline use.
  • Automatic Caching For Documents—All documents a user accesses are cached.
  • Automatic Caching For Programs—All executable programs a user accesses are cached.

Understand synchronization, too. Remember that you use the Synchronization Manager to specify which files, programs, and folders should be synchronized and when the synchronization should occur. If two users have edited the same file, you'll be presented with the following options:
  • Rename your copy of the file.
  • Overwrite your copy of the file with the network version.
  • Overwrite the network version (effectively deleting the changes made by the other user).

Also, you’ll want to master Virtual Server (multiple Web sites hosted on the same machine) and Virtual Directory (directories referenced by aliases) implementation and administration. Know how to use Web Services to secure file and folder access; Web Services, of course, means Internet Information Services (IIS) 5.0, and IIS permissions apply on top of the NTFS permissions already on the files.

Several access methods come into play when working with Web Services. You need to know them. They are:
  • Allow Anonymous—Permits any user to access resources; requests run under the IUSR_computername account, so that account’s NTFS permissions are the only control
  • Basic Authentication—A valid username and password must be provided; the pair is sent base64-encoded, which is clear text to anyone sniffing the wire, so use it only over SSL. It works with every browser and through proxies
  • Digest Authentication—The client sends an MD5 hash of the password combined with a server-supplied nonce rather than the password itself; in Windows 2000 it requires an Active Directory account whose password is stored with reversible encryption, and Internet Explorer 5 or later
  • Integrated Windows Authentication—Uses Kerberos or NTLM (formerly NT Challenge/Response) so credentials never cross the network, but it works only with Internet Explorer and generally not through proxy servers
  • SSL Client Certificate—Uses a client certificate, mapped to a Windows account, to verify identity
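The difference between Basic and Digest is easiest to see with the actual bytes. The following is an added example, not code from the article or from IIS: it builds a Basic Authorization header and recovers the password from it, then computes an RFC 2617 Digest response (qop="auth") and verifies it server-side from the stored HA1 value. The user, password, realm, nonce, and client nonce are constructed; the header and hash formats are the standard ones.

```python
# Added example (not from the article): what actually crosses the wire with
# Basic versus Digest authentication. User, password, realm, nonce and cnonce
# are constructed; the digest follows RFC 2617 with qop="auth".
import base64
import hashlib
import hmac
from typing import Tuple


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def basic_header(user: str, password: str) -> str:
    """The Authorization header Basic auth sends. Base64 is encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_basic(header: str) -> Tuple[str, str]:
    """What a sniffer on a non-SSL link does: decode the header and read the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). The server must hold either the plaintext
    password or this value, which is why Windows 2000 needs reversible password
    storage for Digest-enabled accounts."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str = "00000001", cnonce: str = "0a4f113b",
                    qop: str = "auth") -> str:
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri).
    The password never appears on the wire; the nonce ties the hash to this challenge."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                  client_response: str, nc: str = "00000001",
                  cnonce: str = "0a4f113b") -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time.
    Replay of a captured response is blocked only if the server refuses reused nonces."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, client_response)


if __name__ == "__main__":
    hdr = basic_header("ErikEckel", "s3cret!")            # constructed credentials
    print(hdr, "->", recover_basic(hdr))
    ha1 = digest_ha1("ErikEckel", "TechRepublic.com", "s3cret!")
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"           # constructed server nonce
    resp = digest_response(ha1, "GET", "/editors/", nonce)
    print("Digest response:", resp, "verifies:", verify_digest(ha1, "GET", "/editors/", nonce, resp))
```

Note what Digest does and does not buy you: the password stays off the wire and a fresh nonce defeats simple replay, but MD5 over a guessable password is still offline-crackable from a capture, and the server-side requirement to keep a recoverable password is itself a risk. Basic over SSL remains the simplest robust choice when every client can do SSL.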

Eckel's take
So far, we’ve covered Windows 2000 server installation, hardware and resource administration, and Active Directory basics. Next week, I’ll examine disk administration and networking.

What's your Windows 2000 MCSE study plan?
We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.
