CRAMSHEET



Exam 70-217 - Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure

Installing, Configuring, and Troubleshooting Active Directory:

Install, configure and troubleshoot the components of Active Directory: (KB# Q242955)

Active Directory Overview:

Active Directory (AD) services provide a single point of network management, allowing you to add, remove, and relocate resources easily. It offers significant enhancements over the limitations of the older Windows NT domain based security model. Its features are:

  • Simplified Administration - AD provides a single point of logon for *all* network resources - an administrator can log on to one computer and administer objects on any computer in the network.
  • Scalability - NT 4 domains had a practical limitation of about 40,000 objects. AD scales to millions of objects, if needed.
  • Open standards support - uses DNS as its domain naming and location service, so Windows 2000 domain names are also DNS domain names (RFCs 2052 & 2163). Support for LDAP v2 and v3 (RFCs 1823, 2247, 2251, 2252, & 2256) & LDIF (IETF draft) makes AD interoperable with other directory services that support the same, such as Novell's NDS. DHCP (RFC 2131) supports the automatic configuration of both Windows and non-Windows clients with IP addresses. HTTP support means that AD can be searched using a Web browser. SNTP (RFC 1769) provides a distributed time service. Kerberos 5 (RFC 1510) support provides interoperability with other products that use the same authentication mechanism.

Active Directory Structure:

  • Object - distinct named set of attributes that represents a network resource such as a computer or a user account.
  • Classes - logical groupings of objects such as user accounts, computers, domains or organizational units.
  • Organizational Unit (OU) - container used to organize objects inside a domain into logical administrative groups such as computers, printers, user accounts, file shares, applications and even other OUs.
  • Domain - all network objects exist within a domain, with each domain storing information only about the objects it contains. A domain is a security boundary - access to objects is controlled by Access Control Lists (ACLs). ACLs contain the permissions associated with objects that control which users or types of users can access them. In Windows 2000, security policies and settings (like Administrative rights) do not cross from one domain to another. The domain admin only has rights to set policies within his/her domain.
  • Tree - a grouping or hierarchical arrangement of one or more Windows 2000 domains that share a contiguous name space (e.g., cramsession.brainbuzz.com, sales.brainbuzz.com, and jobs.brainbuzz.com). All domains inside a single tree share a common schema (formal definition of all object types that can be stored in an AD deployment) and share a common Global Catalog.
  • Forest - a grouping or hierarchical arrangement of one or more domain trees that form a disjointed namespace (e.g., cramsession.com and brainbuzz.com). All trees in the forest share a common schema and Global Catalog, but have different naming structures. Domains in a forest operate independently of each other, but the forest enables communication across the domains.
  • Sites - combination of one or more IP subnets connected by high-speed links. Sites are not part of the AD namespace, and contain only computer objects and the connection objects used to configure replication between sites.
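The tree-versus-forest rule above (contiguous namespace = one tree, disjoint namespaces = a forest) and the DC=/OU=/CN= naming that LDAP (RFC 2247) uses for domains and nested OUs can both be checked mechanically. The following is an added illustration, not code from the cramsheet or from Microsoft; it assumes the input list always contains each tree's root domain (in AD the root is created before its child domains) and uses the page's own example names as constructed sample data.

```python
"""Group Windows 2000 domain names into trees, decide whether they form one
tree or a forest, and build LDAP distinguished names for objects in nested
OUs. Added example; the domain names below are constructed sample input."""

def domain_labels(name):
    # "sales.brainbuzz.com" -> ["com", "brainbuzz", "sales"] (root label first)
    return name.lower().rstrip(".").split(".")[::-1]

def is_child_of(child, parent):
    """True if `parent` is an ancestor of `child` in the DNS namespace."""
    c, p = domain_labels(child), domain_labels(parent)
    return len(c) > len(p) and c[:len(p)] == p

def tree_roots(domains):
    """A domain is a tree root when no other domain in the set is its ancestor.
    Assumption: the real root (e.g. brainbuzz.com) is present in the input."""
    return sorted(
        d for d in domains
        if not any(is_child_of(d, other) for other in domains if other != d)
    )

def group_into_trees(domains):
    """Map each tree root to the domains sharing its contiguous namespace,
    ordered parent-before-child (fewer labels first)."""
    trees = {}
    for root in tree_roots(domains):
        members = [d for d in domains if d == root or is_child_of(d, root)]
        trees[root] = sorted(members, key=lambda d: (len(domain_labels(d)), d))
    return trees

def classify(domains):
    """One contiguous namespace is a single tree; several are a forest."""
    trees = group_into_trees(domains)
    if len(trees) == 1:
        return "single tree"
    return "forest of %d trees" % len(trees)

def object_dn(domain, ou_path=(), cn=None):
    """LDAP DN of an object inside nested OUs of a domain. `ou_path` lists OUs
    from outermost to innermost, e.g. ("Sales", "West"); the DN is written
    innermost-first, with DC= components for each DNS label (RFC 2247)."""
    parts = []
    if cn:
        parts.append("CN=" + cn)
    for ou in reversed(ou_path):
        parts.append("OU=" + ou)
    parts.extend("DC=" + label for label in domain.lower().rstrip(".").split("."))
    return ",".join(parts)

# Constructed sample input using the cramsheet's example names.
SAMPLE_TREE = ["brainbuzz.com", "cramsession.brainbuzz.com",
               "sales.brainbuzz.com", "jobs.brainbuzz.com"]
SAMPLE_FOREST = SAMPLE_TREE + ["cramsession.com"]

if __name__ == "__main__":
    print(classify(SAMPLE_TREE))            # single tree
    print(group_into_trees(SAMPLE_FOREST))  # two roots: brainbuzz.com, cramsession.com
    print(object_dn("sales.brainbuzz.com", ("Sales", "West"), "Jane Doe"))
```

Note that removing `brainbuzz.com` from `SAMPLE_TREE` makes each child its own root, which is exactly the AD rule: sibling domains are only in the same tree through a parent that actually exists.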

Site Replication:

  • Active Directory information is replicated between Domain Controllers (DCs); replication ensures that changes made on one domain controller are reflected in all DCs within a domain. A DC is a computer running Windows 2000 Server that contains a replica of the domain directory (member servers do not).
  • DCs store a copy of all AD information for their domain, manage changes to it and copy those changes to other DCs in the same domain. DCs in a domain automatically copy all objects in the domain to each other. When you change information in AD, you are making the change on one of the DCs.
  • Administrators can specify how often replication occurs, at what times, and how much data can be sent.
  • DCs immediately replicate important changes to AD like a user account being disabled. (KB# Q232690)
  • AD uses multimaster replication meaning that no one DC is the master domain controller - all DCs within a domain are peers.
  • Having more than one DC in a domain provides fault-tolerance. If a DC goes down, another is able to continue authenticating logins and providing required services using its copy of AD.
  • Active Directory automatically generates a ring topology for replication in the same domain and site. The ring ensures that if one DC goes down, it still has an available path to replicate its information to other DCs.
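The fault-tolerance claim in the last bullet (a ring keeps a replication path open when any one DC is down) is easy to verify by modelling the topology as a graph. This is an added illustration, not the cramsheet's own material or Microsoft's replication code; the DC names are constructed, and the ring is simplified to one link between each pair of neighbours. A linear chain is included for contrast to show what the closing link of the ring buys.

```python
"""Model the intra-site replication ring AD builds between the DCs of one
domain and check that every surviving DC still reaches every other when any
single DC is taken offline. Added example; DC names are constructed."""

from collections import deque

def ring_topology(dcs):
    """Return {dc: set(partners)} where each DC links to its two ring
    neighbours. With two DCs the ring degenerates to a single link."""
    dcs = list(dcs)
    n = len(dcs)
    partners = {dc: set() for dc in dcs}
    for i, dc in enumerate(dcs):
        for j in (i - 1, i + 1):
            neighbour = dcs[j % n]
            if neighbour != dc:
                partners[dc].add(neighbour)
                partners[neighbour].add(dc)
    return partners

def chain_topology(dcs):
    """A linear chain of DCs (ring without its closing link), for contrast."""
    dcs = list(dcs)
    partners = {dc: set() for dc in dcs}
    for a, b in zip(dcs, dcs[1:]):
        partners[a].add(b)
        partners[b].add(a)
    return partners

def reachable(partners, start, down=frozenset()):
    """DCs reachable from `start` by breadth-first search, skipping DCs in
    `down` (offline DCs cannot forward changes)."""
    seen = {start}
    queue = deque([start])
    while queue:
        dc = queue.popleft()
        for nxt in partners[dc]:
            if nxt not in down and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def survives_single_failure(partners):
    """True if, for every choice of one failed DC, all remaining DCs still
    reach each other, i.e. replication continues around the failure."""
    for failed in partners:
        alive = [dc for dc in partners if dc != failed]
        if not alive:
            continue
        if reachable(partners, alive[0], down={failed}) != set(alive):
            return False
    return True

# Constructed sample DCs for one domain in one site.
SAMPLE_DCS = ["DC1", "DC2", "DC3", "DC4"]

if __name__ == "__main__":
    ring = ring_topology(SAMPLE_DCS)
    chain = chain_topology(SAMPLE_DCS)
    print("ring survives any single DC failure:", survives_single_failure(ring))
    print("chain survives any single DC failure:", survives_single_failure(chain))
    print("DC1 reaches with DC2 down:", sorted(reachable(ring, "DC1", down={"DC2"})))
```

With four DCs the ring passes and the chain fails (losing DC2 or DC3 splits the chain in two), which is the property the KCC-generated ring is there to provide.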