Chapter 23. Study Guide

This chapter includes the following sections, which address various topics covered on Exam 70-219, Designing A Microsoft Windows 2000 Directory Services Infrastructure:

Directory Services Overview

Discusses the functionality and role of the Active Directory in a business environment. Compares Active Directory to the Windows NT directory model. Describes the major components that make up an Active Directory.

Balancing Technical and Business Requirements

Describes the major focus of this exam: applying your knowledge of Active Directory to design a solution that meets the business needs of any organization, large or small.

Analyzing the Company

Describes how to map an organization using the physical layout, the departmental structure, and the functional structure. It also describes how to evaluate the Information Technology structure and how that will impact the management of your solution.

Domain Structure

Describes Windows 2000 security groups, Organizational Units, and Active Directory objects. Discusses the use of multiple domains and multiple domain trees. Describes the empty root domain tree structure, multiple forests, and multiple tree forests. Describes where to place domain controllers, operations masters, and global catalog servers.

Designing Trust Relationships

Describes the use of transitive trusts within a forest and external trusts between forests. Also discusses shortcut trusts and the authentication issues involved with trust relationships.

Designing Group Policies

Describes the goals of an effective Group Policy architecture. Describes security group filtering and Group Policy blocking.

Delegating Authority

Describes how to transfer object ownership and distribute responsibility throughout the Active Directory. Also describes permission inheritance issues.

DNS Naming

Describes how to organize a Domain Name Service naming structure for Active Directory. Also describes child and parent domains and efficient naming practices.

Schema Modification

Describes the relationship between attribute-schema objects and class-schema objects. Also describes how applications can modify the schema and how to manage and modify schema definitions through the Microsoft Management Console.

Replication

Describes how data is replicated between domain controllers throughout the Active Directory. Describes how to optimize site topology to decrease network traffic. Describes site links, site link bridges, and bridgehead servers. In addition to the replication information available in this section, I’ve described the implications that certain design choices have on replication performance in their respective sections throughout the chapter.

Directory Services Overview

Active Directory defines and arranges all of the elements of the network. It creates a single hierarchical database of the physical components, user accounts, programs, and data. It makes defining relationships and rules flexible through the use of organizational units, inherited permissions, and trusts. You’ll need to have a firm grasp on the organizational qualities of Active Directory before you can blend in the business requirements to design a complete directory solution. This chapter helps reinforce how Active Directory is modeled and concentrates on leveraging Active Directory in real-world business scenarios.

Active Directory Versus the NT Domain Model

The Windows NT domain model included primary domain controllers (PDCs) and backup domain controllers (BDCs), which could only be linked by a series of one-way trusts. The PDC acted as a master server, while the BDCs acted in a subordinate way. Windows 2000 has a much more distributed, peer-to-peer relationship among its servers.

The wiring and physical layout of NT networks were often influenced and somewhat limited by the older, more strictly structured NT domain model. Windows 2000 allows for a lot more flexibility in the placement and functionality of servers. The processes that used to run mostly on the NT PDC can be reassigned to other servers in a much more flexible way. This also allows for a more robust replication environment, with servers disregarding traditional domain borders and replicating over the most efficient routes, based on how much bandwidth is currently available.

In an Active Directory network, all the Windows 2000 servers are essentially peers. Trusts are two-way, and the network is arranged in a tree structure with a true DNS naming scheme, just like on the Internet. This setup is much more flexible than the old NT domain model; and, as you’ll see later, it will give you more options for planning to meet the complex business requirements discussed later in this chapter.

Windows 2000 is moving toward embracing the open Internet networking standards, like DNS, Kerberos, and Telnet. Microsoft could have gone much further by providing for more interoperability with open standards, but these are big steps in the right direction for making the “CSE” portion of your title more important than the leading “M.”

Active Directory Components

You’ll need to be absolutely comfortable with the following terms throughout the rest of the chapter:

  • Domain

  • Forest

  • Tree

  • Organizational Unit

  • Object

If you have any questions about the definition and practical use of these components, you’ll find them covered in detail in the Active Directory chapter. This chapter and this test will concentrate heavily on the implementation of these basic building blocks of Active Directory as they apply to achieving specific business goals. The ability to translate business requirements into an Active Directory design is stressed in almost all of the questions. Some questions will go into great detail describing multiple business requirements, goals, and wishes. If you can quickly associate the AD component with a particular need, it will make designing the overall solution much easier.

Balancing Technical and Business Requirements

If you’ve never actually worked in or managed an IT department, you’ll be at a bit of a disadvantage while taking this test. Many of the questions will involve giving you a series of requests and requirements, along with an overall goal. You’ll be asked to make judgment calls based not only on what is technically possible, but also on what makes the most sense given the structure and politics of the people side of the business.

Always keep it in the back of your mind that Microsoft is aiming this exam at the network architect, rather than the IT staff that will actually run the network on a day-to-day basis. You have to think like a consultant for this exam. Organization and judgment are top priorities.
