In a previous article, I showed you what to prepare for when taking some of Microsoft’s certification tests. In this Daily Feature, I’ll discuss the Microsoft Official Curriculum (MOC) course 1561: Designing a Microsoft Windows 2000 Directory Services Infrastructure. It is a three-day course in which you will receive instruction on designing, creating, and implementing Active Directory in your Windows 2000 environment.
Microsoft recommends that before attending this course, you should complete course 1560: Updating Support Skills from Microsoft Windows NT 4.0 to Microsoft Windows 2000, or have the equivalent knowledge and skills.
Instead of course 1560, you could also have completed course 2154: Implementing and Administering Microsoft Windows 2000 Directory Services, or possess the equivalent knowledge and skills.
If you want to take a class in the Microsoft Official Curriculum, you must find a facility that is a Microsoft Partner. Also, when considering Windows 2000 training, you should find a facility that meets your needs. Many facilities offer free promotional classes that range from a couple of hours to an entire day. These free courses are a good way to evaluate the facility and training staff.
Contents of the course
The course is divided into nine modules, each covering a different aspect of Active Directory, with labs and sample questions for every module. The course CD contains the answers to the labs and sample questions as well as additional reading material. You also receive a copy of Visio 2000, which is used extensively in the course. The labs are not just task-oriented: they include scenarios, some of them quite elaborate, and group collaboration tasks that really make you think through the process.
Module 1: Introduction to Designing a Directory
This module introduces designing a naming strategy, Group Policy, multiple domains, and site topology, and it stresses the importance of spending adequate time on the design of your Active Directory (AD) structure. You'll also learn what to consider when designing that structure, such as identifying the needs of your organization and deciding which risks and tradeoffs you can accept. There is no lab in the first module.
Module 2: Designing an Active Directory Naming System
In module two, you'll learn why unique, resolvable names are the cornerstone of identifying objects in AD. AD domain names are Domain Name System (DNS) names, so you'll study DNS and the importance of choosing a root domain name that gives you flexibility on your intranet and a presence on the Internet.
Quite a bit of time is dedicated to choosing the proper root domain name, because once it is implemented you cannot change it in Windows 2000 without removing AD and creating a new forest. A decision tree in this module helps you decide which naming scheme is best for your AD. The lab has three exercises to help you decide the type of name you should use.
Module 3: Designing Active Directory to Delegate Administrative Authority
This module deals with delegating administrative authority under AD. Under Windows NT, the ability to delegate administrative control was very limited. AD lets you create Organizational Units (OUs) within your domain and delegate control over specified objects to other individuals or groups. Control can be delegated down to the property level, so a person could be given the right to change nothing but the password of a single user. The course stresses that this kind of fine-grained delegation is not recommended, because maintaining such arrangements quickly becomes overwhelming and hard to audit. An OU can inherit the access permissions of its parent container, or you can override the inherited permissions. The recommended approach is to assign control at the OU level and let inheritance carry it down to the objects below.
There is a multimedia presentation on using Visio 2000 and a lab with four exercises. The labs are very good at teaching the concepts; they don't just lead you through a series of tasks.
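Module 3's recommendation, delegate at the OU level and rely on inheritance, looks like this in practice. The PowerShell below is an added example and is not code from the course or the article. It uses the ActiveDirectory module (the AD: drive and Get-ADGroup), which post-dates Windows 2000, and the OU, group and user names in it are hypothetical. It grants a help-desk group the Reset Password control access right on one OU, scoped to user objects only, and then checks that a user below that OU actually receives the permission by inheritance, which is the check that fails when a child OU has been set to block inherited permissions.

```powershell
# Added example, not part of the article or of MOC course 1561.
# Delegates "Reset Password" over the users in one OU to a help-desk group with a
# single inheritable ACE, then verifies that a user in the OU inherits it.
# Requires the ActiveDirectory module (RSAT) and rights to modify the OU's ACL.
# The OU, group and user names below are hypothetical placeholders.
Import-Module ActiveDirectory

$OuDN     = 'OU=Sales,DC=corp,DC=example,DC=com'                 # hypothetical OU
$GroupSam = 'HelpDesk-Sales'                                      # hypothetical delegate group
$TestUser = 'CN=Jane Doe,OU=Sales,DC=corp,DC=example,DC=com'     # hypothetical user inside the OU

# Well-known GUIDs that are the same in every AD forest.
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right "Reset Password"
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class

function Grant-ResetPasswordOnOu {
    param([string]$OuDistinguishedName, [string]$GroupSamAccountName)

    $sid = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"

    # One ACE on the OU rather than one ACE per user: allow the extended right,
    # inherited by descendants, but only by objects of class user.
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

function Test-InheritedResetPassword {
    # Returns $true when the object carries an *inherited* Allow ACE that grants the
    # Reset Password right to the group; $false if the delegation did not reach it.
    param([string]$ObjectDistinguishedName, [string]$GroupSamAccountName)

    $sid = (Get-ADGroup -Identity $GroupSamAccountName).SID
    $acl = Get-Acl -Path "AD:\$ObjectDistinguishedName"

    $match = $acl.Access | Where-Object {
        $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $ResetPasswordRight -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
    }
    return [bool]$match
}

function Test-BlocksInheritance {
    # Returns $true when the container's ACL is protected, i.e. an administrator has
    # overridden inherited permissions; delegations made above it stop here.
    param([string]$ContainerDistinguishedName)
    return (Get-Acl -Path "AD:\$ContainerDistinguishedName").AreAccessRulesProtected
}

# Usage: delegate once at the OU, then confirm the right reached a user below it.
Grant-ResetPasswordOnOu     -OuDistinguishedName $OuDN -GroupSamAccountName $GroupSam
Test-InheritedResetPassword -ObjectDistinguishedName $TestUser -GroupSamAccountName $GroupSam
```

If Test-InheritedResetPassword returns false for a user that sits in a nested OU, run Test-BlocksInheritance against that nested OU: a protected ACL is exactly the "override the inherited permissions" case the module describes, and it is the first thing to check before adding another ACE lower down.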
Module 4: Designing a Schema Policy
In module four, you'll learn about the AD schema, the set of class and attribute definitions that controls which objects AD can store and which properties each object can have. Because the default schema already contains hundreds of classes and attributes, the need to change it is rare; you modify the schema only when there is something unique to your organization that AD must track. Any schema change affects the entire forest and cannot be undone: in Windows 2000, classes and attributes can be deactivated but never deleted.
AD allows you to modify the schema with the Active Directory Schema snap-in for the Microsoft Management Console (MMC) or with a script written against Active Directory Service Interfaces (ADSI). Some applications also modify the schema when they are installed. Schema modifications are made on a single domain controller, the schema master (one of the operations master roles), and are then replicated to every other domain controller in the forest. Only members of the Schema Admins group can make them, so keep that group empty except while a planned change is being applied. This module also touches on integration with Microsoft Exchange 2000, which extends the schema considerably.
The lab for this module contains three exercises that are mostly task-oriented, such as running and modifying scripts that make changes to the schema.
Module 5: Designing Active Directory to Support Group Policy
This module addresses Group Policy planning, design, filtering, inheritance, blocking, and performance optimization. Group Policy in Windows 2000 is used to administer many aspects of client computer configuration, and you will use it extensively if you want a high level of client management. A Group Policy object can be linked at the site, domain, or OU level; policies are processed in the order local, site, domain, OU, so a setting linked lower in the hierarchy normally wins unless the higher link is marked No Override or the lower container blocks policy inheritance. Linking at the site or domain level affects more objects and offers less control over each individual object.
The lab contains four exercises that reinforce the concepts discussed in the module. You’ll use Visio 2000 to work with an OU.
Module 6: Designing an Active Directory Domain
This module stresses the importance of planning before you install Windows 2000 and AD. Depending on your organization's needs, the planning phase can take weeks or even months, and OUs must be part of that plan. OUs are new to Windows in Windows 2000, are very powerful, and allow much greater flexibility. The module goes into further detail about security groups and how to choose the right model for your organization. Windows 2000 adds universal groups, which can contain members from any domain in the forest; note that they are available only once a domain has been switched to native mode.
The lab has only two exercises, but they seem better designed than those in any other lab in the course. In one exercise, you'll use Visio 2000 to document the domain structure.
Module 7: Designing a Multiple Domain Structure
What you’ll learn about AD in this module may cause you to re-think the design of your existing domain structure. With the advent of OUs, it may be possible to go to a single domain model. Having a single domain has many advantages, such as:
- Ease of management.
- Easier delegation of administration.
- Fewer members in the Domain Admins group.
Multiple domains have advantages as well, including:
- Distinct domain-level policies.
- Tighter administrative control.
- Reduced replication traffic.
Windows 2000 still supports the explicit trust relationships you had in Windows NT, and the course groups trusts into three types: transitive, shortcut, and explicit. Every domain in a Windows 2000 forest is joined to its parent (or, for a tree root, to the forest root) by a two-way transitive trust, so authentication between two domains in the forest follows a trust path through the intervening domain controllers. A shortcut trust adds a direct path between two domains that would otherwise have to traverse a long chain. An explicit trust to a Windows NT 4.0 domain or to a domain in another forest is one-way and non-transitive. Within the forest, the Kerberos V5 protocol must follow that trust path, which is why a deep domain hierarchy can make cross-domain logons slower and why shortcut trusts exist.
This module also discusses multiple-tree forests and characteristics of multiple forests. The lab contains two exercises that present a situation. You then have to use Visio 2000 to document and design a layout for the scenarios.
Module 8: Designing an Active Directory Site Topology
This module discusses the AD site topology, placement of global catalog servers, and operations masters. A site is a set of IP subnets connected by fast, reliable links; it contains domain controllers, some of which also act as global catalog servers, operations masters, or bridgehead servers for replication with other sites. Sites are used to control replication and keep authentication traffic local: Windows 2000 clients use site information to find domain controllers that are close to them, and replication between sites is scheduled and compressed. Creating unnecessary sites can cause inefficient use of network bandwidth.
In this module, there is also a demonstration of the Active Directory Sizer, a tool that estimates replication traffic and server requirements from the parameters you enter. The lab has two exercises.
Module 9: Designing an Active Directory Infrastructure
In this module you’ll learn how to conduct an organizational analysis. You’ll learn the value of assembling a central planning team to identify the vision and scope of the project. Topics of discussion range from risk management and documenting the current physical network, to analyzing business practices and planning for growth and reorganization. The concepts that you should have a small number of domain administrators, and that you should assign control at the OU level whenever possible, are also reiterated in this module.
The lab features a scenario with three exercises. The lab works well for full classes because it requires the students to work within a group and not just with a partner. It was beneficial to me to have several people contributing to the process; it seemed more like a real-world situation.
AD is a complex topic. This course answers many questions and provides guidance on planning, designing, and implementing it. Before you move to Windows 2000 and AD, I highly recommend that you attend this course.
Troy Thompson, MCSE+I, has worked in the automation field for 15 years, and he has dealt with a variety of systems, including Wang OIS, Unisys BTOS, UNIX, Windows 3.11, Novell NetWare, Windows NT 3.51, and Windows NT 4.0. He's worked as an administrator of a Novell and an NT network and as a systems analyst for an IBM mainframe. Currently, Troy is the Information System Security Officer at the Information Management shop at Fort Knox. If you'd like to contact Troy, send him an e-mail.