Windows 2000 Directory Services Design


1. You plan to migrate your Windows NT 4.0 domain to Active Directory. You want to use mailbox attributes defined in Microsoft Exchange 5.5 to populate attributes for Active Directory user accounts. What three tasks must you perform? (Choose all that apply)

A. Configure a connection agreement between an Active Directory organizational unit (OU) and a recipients container in Exchange to share directory information.
B. Map the Exchange mailbox attributes to Active Directory attributes.
C. Install the Active Directory Connector (ADC) on the Exchange 5.5 server.
D. Configure the Active Directory Migration Tool to populate the security identifier (SID) history of the cloned user accounts.
E. Upgrade the Exchange 5.5 server to Windows 2000.
F. Install the Active Directory Connector (ADC) on a Windows 2000 server.

Answer: A, B & F

You can install the Active Directory Connector (ADC) on a Windows 2000 server to map Exchange mailbox attributes to Active Directory attributes. The ADC is a directory-integrated application that extends the schema to include the attributes from Exchange that are not by default part of Active Directory. Configured connection agreements allow synchronization and sharing of directory information between the two directories. It would be incorrect to install the ADC on the Exchange 5.5 server. It should be installed on the Windows 2000 server. The Active Directory Migration Tool is useful for migrating users, groups, and computers. It will also facilitate migrating Exchange mailboxes. It is not a correct application for the task of populating Active Directory user accounts' attributes with Exchange 5.5 mailbox attributes. It would be incorrect to upgrade the Exchange 5.5 server to Windows 2000 to fulfill this scenario's requirements.


2. Which of the design elements you learned about from the company will require additions to the schema?

[view the scenario]

A. The company's security policies will require additions to the schema.
B. The installation of Exchange 2000 will require additions to the schema.
C. The continued use of UNIX based DNS servers will require additions to the schema.
D. The company's extensive use of group policy will require additions to the schema.

Answer: B

Upon installation, Microsoft Exchange 2000 modifies and extends the Active Directory schema.

Windows 2000 Help, Search for the articles entitled: Active Directory schema overview; Issues in extending the schema; When to extend the schema; Schema changes; Using Active Directory with Exchange; and Extending the schema.


3. As an Active Directory specialist, you have found yourself having to get more comfortable with DNS concepts. What will your design specify regarding the implementation of DNS at each resort? (Choose all that apply)

[view the scenario]

A. Your design will specify adding the DNS server service to two Windows 2000 servers for fault tolerance. It will further specify the creation of a subdomain of each hotel resort's Internet domain name.
B. Your design will specify the addition of the DNS server service to two Windows 2000 servers for fault tolerance. It will further specify the creation of an Active Directory integrated subdomain of the THEBESTESTS.COM domain.
C. Your design will specify the addition of the DNS server service to two Windows 2000 servers. It will further specify the configuration of these servers to host the Active Directory integrated zone for THEBESTESTS.COM.
D. Your design will specify the migration of each hotel resort's current DNS infrastructure to provide support for service (SRV) records.
E. Your design will specify the migration of each hotel resort's current Internet domain name to Windows NT based DNS servers.
F. Your design will specify the migration of each hotel resort's current Internet domain name to Windows 2000 based DNS servers.

Answer: A & C

TheBestests, Inc. has mandated a fault tolerant environment for their network services including DNS. It has also stated that DNS implementations at the hotel resorts should be fault tolerant. Because of this, two servers for each should be installed so that if one becomes unavailable the second one can service client requests. The scenario clearly states that TheBestests, Inc. will only have one domain. Because of this, they require only one DNS domain. The member resorts, however, are more complicated because they have third party DNS hosting. They are also using their domain names for their public websites.

Each Active Directory domain needs a corresponding DNS domain because Windows 2000 systems use DNS to locate Active Directory domain controllers. Thus, they are absolutely essential to any Windows 2000 network. There are a few different ways to configure a DNS environment in Windows 2000 when a company has publicly available resources (such as mail and web servers) that use the company's domain name.

One way is to maintain two separate DNS infrastructures that use the company's domain name. Under this plan, the external DNS infrastructure would only contain records for publicly available servers. The internal DNS infrastructure would contain records for both public and private network resources. For obvious reasons, this type of dual infrastructure can be complex, difficult and confusing to maintain. The two infrastructures do not communicate with each other and often public server content must be replicated to private servers for internal users to access.

A second option is to use two different domain names such as thebestests.com and thebestests.net. The company's primary DNS domain name (such as thebestests.com) would be used for an external DNS infrastructure. The internal DNS infrastructure would use the secondary domain name (such as thebestests.net). This would also be the name of the forest root for Active Directory. Because the namespaces are different, communication can take place between the two DNS infrastructures. The down side of this system is that users can become confused about why they access some things using a .com extension and other servers using a .net extension.

The best option is typically to use a delegated subdomain of the company's main DNS name. For instance, if the company's main DNS name is thebestests.com, a second domain would be created beneath it called corp. The full namespace of Active Directory would be corp.thebestests.com. All Active Directory records would be securely located on DNS servers for this delegated domain. There would still only be one DNS infrastructure and the delegated servers would be a part of it. The company's main DNS servers would still be able to host the public records with no problems. In this case, third parties hold the primary DNS servers for the hotel resorts. However, local DNS servers are needed to support the Active Directory implementation. In addition, we know that TheBestests, Inc. hopes to integrate those.


4. You have been hired as a consultant to assist FI-Print in designing an Active Directory architecture. You have learned that management wants to continue to use the Domain Name System (DNS) domain names that are registered to support the current Internet resources for FI-Print and PSC. DNS is currently installed on a computer running UNIX, and the existing DNS domain for FI-Print will continue to be supported on that computer. What naming strategy should you recommend for the Active Directory root domain as well as internal and external resources of FI-Print?

A. Use a new DNS domain name for the Active Directory root domain and for internal resources and the existing DNS domain name for external resources.
B. Use the existing DNS domain name for the Active Directory root domain and for resources at the corporate office and a new DNS domain name for each division.
C. Use the existing DNS domain name for internal and external resources and for the Active Directory root domain.
D. Use a delegated DNS subdomain name for the Active Directory root domain and internal resources. Use the existing DNS domain name for external resources.

Answer: D

You should recommend that FI-Print use a delegated DNS subdomain for the Active Directory root domain and the internal resources defined as Active Directory objects. You should use a delegated DNS subdomain for Active Directory if the DNS servers hosting the resource records for the corporate DNS domain name cannot support service (SRV) records and dynamic DNS updates. A DNS server should be running at least version 8.2.1 of BIND to support SRV records, dynamic DNS updates, and incremental zone transfers (IXFR). Since management wants to continue using the existing DNS servers, you should recommend that computers running Windows 2000 Server and the DNS server service be used for the DNS domain used for Active Directory. You should not recommend that FI-Print use the same DNS domain name for internal and external resources and the Active Directory root domain since the existing DNS servers do not support dynamic DNS. You should not recommend that FI-Print use a new DNS domain name for the Active Directory root domain and for internal resources and the existing DNS domain name for external resources. There is no business reason given for using a separate DNS name for the Active Directory root domain and for internal resources. Instead, a subdomain of the existing DNS domain name should be used for the Active Directory root domain.
Business reasons to have separate DNS domain names for internal and external resources include the need to prevent access to internal resources from the Internet or the need to prevent the internal naming scheme from being available externally. There is no reason given for using the existing DNS domain name for the Active Directory root domain and for resources at the corporate office and a new DNS domain name for each division. Based on the IT support structure, a single Active Directory domain will help to reduce administrative complexity. Organizational Units (OUs) can be implemented to organize Active Directory objects by division.

Objectives: 3.2.1. Design an Active Directory naming strategy. Design the namespace. 4.4.2. Design the placement of DNS servers. Plan for interoperability with the existing DNS.


5. One of the key design specifications calls for hotel resort employees at each client site to be able to update the records of members. What kind of trust relationship will your design call for putting in place between the TheBestests, Inc. member domain and the resort domains to facilitate this?

[view the scenario]

A. The design will call for the default trusts to not be modified as they are sufficient.
B. The design will call for a two-way transitive trust between each hotel resort's domain and the main company domain.
C. The design will call for a two-way non-transitive trust between each hotel resort's domain and the main company domain.
D. The design will call for a one-way trust, where the main company domain trusts the individual hotel resort domains.
E. The design will call for a one-way trust, where the individual hotel resort domains trust the main company domain.

Answer: D

When there is a need for a strong security boundary, a separate forest is often the best way to go. However, communication still needs to take place between the companies. Therefore, a trust relationship is needed for communication between the two networks. Communication between different forests, an Active Directory domain and a Windows NT domain, or an Active Directory domain and a Kerberos realm can only take place over non-transitive trust relationships. In addition, non-transitive trusts are unidirectional. Two-way trusts can be created by implementing two trusts, one in each direction. However, if communication only needs to flow in one direction, as it does here, it is best for security purposes to implement only a single one-way trust. In this case, TheBestests, Inc. needs to trust the individual hotel resorts because users at the hotel resorts will be allowed to create new member accounts on the TheBestests, Inc. network. When establishing non-transitive trusts, one domain is said to 'trust' another domain. When a domain is 'trusted' by another domain, user accounts from that domain can access resources on the 'trusting' network provided they have been granted the appropriate NTFS or share level permissions.

Windows 2000 Help, Search for the articles entitled: Explicit domain trusts; and Understanding domain trusts.


6. You want the DDNS zone data for your network stored on every domain controller. How should you do this for replication efficiency?

A. Make each forward lookup zone and each reverse lookup zone directory-integrated.
B. Make each domain controller a caching-only DDNS server if it is not the primary DDNS server.
C. Make each domain controller a secondary DDNS server if it is not the primary DDNS server.
D. Make one domain controller on each IP subnet a DDNS secondary server and make all other domain controllers in the IP subnet cache-only DDNS servers.

Answer: A

You should make each forward lookup zone and each reverse lookup zone directory-integrated. If you configure the DDNS zones to be Active Directory-integrated, they will be stored on each domain controller because the directory partition is stored on every domain controller. DNS replication then becomes part of the Active Directory replication topology. As such, it is fault tolerant. Furthermore, it will be replicated at the property-level which is more efficient than the standard replication model provides. Making each domain controller a caching-only DDNS server if it is not the primary DDNS server is incorrect. Caching-only servers are used when a slow WAN link requires that DDNS data not cross the connection frequently. It is not a full zone copy; a caching only server stores only the information it previously found for clients. Making every domain controller a secondary DDNS server is bad form. The zone transfer traffic will not be improved; it will be increased. Therefore, this solution is wrong. Making one domain controller on each IP subnet a DDNS secondary server is acceptable practice when you are using Standard Zone Replication, but making all other domain controllers in the IP subnet caching-only DDNS servers is incorrect.


7. Your Active Directory consists of two domains named contoso.com and usa.contoso.com. You add a new domain tree to your forest named fabrikam.com and create a shortcut trust between usa.contoso.com and fabrikam.com. A user at a Windows 2000 Professional computer in the usa.contoso.com domain needs to log on by using an account from the fabrikam.com domain. Which Active Directory servers should you make available so the user can log on successfully without using cached credentials? (Choose all that apply)

A. Domain controller from fabrikam.com
B. Domain controller from usa.contoso.com
C. Primary domain controller (PDC) emulator
D. Domain controller from contoso.com
E. Global Catalog server

Answer: A, B & E

The Windows 2000 client authenticating to another domain in another domain tree in the forest will have to use the global catalog server and a domain controller in each domain involved. The global catalog maintains information about every object in the forest and works somewhat like an index. The domain controllers each hold an Active Directory partition for their domain. A Windows 2000 client uses the Kerberos V5 authentication protocol, and the authentication request follows the trust path between the two domains. In this scenario, the account authentication travels on the shortcut trust between the two domains, which are in the same forest but in different domain trees. Because there is a shortcut trust, the root domain, contoso.com, is not involved in this authentication trust path. The PDC emulator does not have a role in the authentication of this scenario unless a password change has not reached a domain controller for some reason. If that happens, the PDC emulator will have the information as a backup, because it receives password changes before they are replicated to the other (multi-master) domain controllers. The primary domain controller (PDC) emulator is still in use even after Active Directory is in native mode. Remember that the PDC emulator role is held by a domain controller. Cached credentials can be stored on a local computer and used when a domain controller cannot authenticate the domain account for some reason. Cached credentials can also be disabled by Group Policy as a security precaution.


8. Contoso Ltd. has formed a partnership with Northwind Traders. Each organization maintains a separate Active Directory forest. Users in the west.contoso.com domain require access to sales data located in the east.nwtraders.msft domain. As the administrator for Contoso Ltd., how can you allow your users access to the sales data?

A. Coordinate with the administrator at Northwind Traders to establish a one-way explicit trust where east.nwtraders.com trusts west.contoso.com.
B. Coordinate with the administrator at Northwind Traders to create a transitive trust relationship between west.contoso.com and east.nwtraders.com.
C. Coordinate with the administrator at Northwind Traders to create an external trust between nwtraders.com and contoso.com.
D. Coordinate with the administrator at Northwind Traders to create a shortcut trust between east.nwtraders.com and west.contoso.com.

Answer: A

The administrator of the west.contoso.com domain needs the administrator of east.nwtraders.com to set up the one-way trust that allows users authenticated in the west.contoso.com domain to access resources in the east.nwtraders.com domain. Explicit trusts are one way. In this scenario, one-way is sufficient to fulfill the requirement. The explicit trust is necessary because these domain trees are in separate forests; therefore, there is no transitive trust. Because the explicit trust is between two forests, it is called an external trust. Even when administrators from both forests cooperate, they cannot create the transitive trusts available to domains in a single forest. Each administrator can create a one-way explicit trust, resulting in a two-way explicit, external, trust between their two domains of the two forests. Creating an external trust between the root domains, nwtraders.com and contoso.com will not result in any sort of trust between the two child domains. Shortcut trusts are not possible between two domains of two forests. Shortcut trusts are built on two domains of one forest. In other words, a preexisting transitive trust is necessary before a shortcut trust can be defined.
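As an added illustration (not part of the practice test), the following Python model evaluates a trust path the way the explanations for questions 5, 7 and 8 describe it: a resource domain "trusts" an account domain; parent-child, tree-root and shortcut trusts are two-way and transitive; an explicit external trust is one-way and non-transitive, so it never carries authentication to a third domain. The domain names come from questions 7 and 8; the Trust class, trust_path() and the two sample forests are assumptions made for this example.

```python
"""Trust-path evaluator for Windows 2000 style domain trusts.

Added example, not part of the original practice test. The domain names
(contoso.com, usa.contoso.com, fabrikam.com, nwtraders.com, west.contoso.com,
east.nwtraders.com) come from questions 7 and 8; the Trust class, the
trust_path() function and the sample forests are constructed here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str     # the resource domain: it "trusts" ...
    trusted: str      # ... this account domain
    transitive: bool  # parent-child, tree-root and shortcut trusts are transitive;
                      # explicit external trusts are not


def two_way(a, b, transitive):
    """A two-way trust is simply two one-way trusts, one in each direction."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def trust_path(trusts, resource_domain, account_domain):
    """Domains an authentication request crosses from the resource domain to
    the account domain, or None if no usable path exists.

    Rule implemented: a one-hop path may use any trust; a multi-hop path may
    use only transitive trusts, because a non-transitive trust never extends
    to a third domain. Paths are searched shortest first."""
    if resource_domain == account_domain:
        return [resource_domain]
    by_source = {}
    for t in trusts:
        by_source.setdefault(t.trusting, []).append(t)
    # a direct trust works whether or not it is transitive
    for t in by_source.get(resource_domain, []):
        if t.trusted == account_domain:
            return [resource_domain, account_domain]
    # otherwise breadth-first search through transitive trusts only
    queue = [[resource_domain]]
    seen = {resource_domain}
    while queue:
        path = queue.pop(0)
        for t in by_source.get(path[-1], []):
            if not t.transitive or t.trusted in seen:
                continue
            new_path = path + [t.trusted]
            if t.trusted == account_domain:
                return new_path
            seen.add(t.trusted)
            queue.append(new_path)
    return None


def contoso_forest(with_shortcut):
    """Question 7: one forest, two trees. Parent-child and tree-root trusts are
    two-way transitive; the optional shortcut trust is also transitive."""
    trusts = two_way("contoso.com", "usa.contoso.com", True)
    trusts += two_way("contoso.com", "fabrikam.com", True)
    if with_shortcut:
        trusts += two_way("usa.contoso.com", "fabrikam.com", True)
    return trusts


def partner_forests(external_trust):
    """Question 8: two forests whose only link is one one-way external trust,
    given as the (trusting, trusted) pair."""
    trusts = two_way("contoso.com", "west.contoso.com", True)
    trusts += two_way("nwtraders.com", "east.nwtraders.com", True)
    trusting, trusted = external_trust
    trusts.append(Trust(trusting, trusted, transitive=False))
    return trusts


if __name__ == "__main__":
    # Q7: with the shortcut trust contoso.com is not on the path; without it, it is.
    print(trust_path(contoso_forest(True), "usa.contoso.com", "fabrikam.com"))
    print(trust_path(contoso_forest(False), "usa.contoso.com", "fabrikam.com"))
    # Q8: the child-to-child external trust works in the direction it was created ...
    child = partner_forests(("east.nwtraders.com", "west.contoso.com"))
    print(trust_path(child, "east.nwtraders.com", "west.contoso.com"))
    print(trust_path(child, "west.contoso.com", "east.nwtraders.com"))
    # ... while an external trust between the forest roots gives the children nothing.
    roots = partner_forests(("nwtraders.com", "contoso.com"))
    print(trust_path(roots, "east.nwtraders.com", "west.contoso.com"))
```

Run as a script it shows the three points the explanations make: the shortcut trust keeps contoso.com off the authentication path, the external trust between the two child domains works only in the direction it was created, and an external trust between the two forest roots does not reach the child domains because it is not transitive.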


9. You plan to have two domains for Paris and London. Because users from each domain will travel between the offices, you plan to have a domain controller (DC) from each domain in each office. You monitor the WAN link and determine that it has 50% utilization. You use the Active Directory Sizer tool and determine that replication traffic will saturate the WAN link. What should you do? (Choose all that apply)

A. Configure a global catalog server in each location.
B. Configure SMTP as the inter-site transport between London and Paris.
C. Add an additional domain controller in each location.
D. Define a site for each of the two locations.
E. Create a site link bridge between London and Paris.

Answer: A & D

You already have one of the three requirements for reduced network usage when users are going to log on across a WAN link: a domain controller (DC) from their own domain. Now you need to reduce replication traffic across the WAN link, because the London domain DC located in Paris will replicate with its own DCs in London, and the reverse is true also. So, you will correctly create a site in London and one in Paris to manage replication traffic. You can also reduce WAN traffic by placing a global catalog in both London and Paris. Users will require a global catalog to log on in a native mode Active Directory unless you have enabled cached credentials. You don't want every logon to seek a global catalog across the WAN link. The global catalog will also handle their queries locally. Global catalogs do create replication traffic themselves, so place them prudently. Adding additional domain controllers at each location will not solve any traffic issues. A site link bridge is not required between London and Paris. A site link bridge is used, for example, when you have three sites and two already have connections. If you want to include the third site with your two existing site links, you can create a site link bridge. SMTP is a solution when IP transport is not available for inter-site connections. It is not a solution to heavy network usage on a WAN link. SMTP cannot be used for replication of the domain partition between domain controllers in the same domain.


10. Top level organizational unit (OU) design can be a tricky and subjective process. Based on the background information provided by the company, what will your design call for using?

[view the scenario]

A. Your design will call for using the formal administrative departments within the company.
B. Your design will call for using the locations of the company owned facilities.
C. Your design will call for using the names of the sites that Active Directory design calls for.
D. Your design will call for using the principal objects of administration such as users, groups, printers, etc.
E. Your design will call for using the various job roles within the company.
F. Your design will call for using unique alphanumeric codes.

Answer: A

Top level organizational units can be created to represent locations, departments, etc. What makes sense to use for one company may be totally inappropriate for another. In this case locations are not relevant because each location has its own site in Active Directory. Microsoft often favors the use of departments for top level OU's.

Remember that OU's are used to group resources together for management purposes. They are not seen by the users on the network. They exist to ease the administrative burden that is placed on administrators. In most cases, OU's should be created as a means for effectively deploying group policy. OU's are the most specific level that can be used to deploy group policy to a group of computers or users.

Windows 2000 Help, Search for the articles entitled: Planning your domain structure; Understanding domain trees and forests; and Planning organizational unit structure.


11. Based on the design criteria provided to you by the company, which of the following actions will your design call for regarding the DNS and Active Directory domains that will be needed by this company? (Choose all that apply)

[view the scenario]

A. Your design will call for making DNS delegated subzones for any Active Directory child domains in the antiwageslaves.com forest root domain.
B. Your design will call for making DNS delegated subdomains for any Active Directory child domains in the antiwageslaves.com forest root domain.
C. Your design will call for making DNS subzones for any Active Directory child domains in the antiwageslaves.com forest root domain.
D. Your design will call for making DNS subdomains for any Active Directory child domains in the antiwageslaves.com forest root domain.
E. Your design will call for making an Active directory forest root domain that is a delegated domain of antiwageslaves.com, such as ad.antiwageslaves.com.
F. Your design will call for making an Active Directory forest root domain that is based on the corporate name antiwageslaves.com.
G. Your design will call for making a DNS subzone for any necessary child domains of the delegated Active Directory namespace ad.antiwageslaves.com.
H. Your design will call for all DNS servers to run Windows 2000. These servers will be configured to handle the antiwageslaves.com domain and all subdomains.
I. Your design will call for the installation of internal Windows 2000 DNS servers to handle the delegated domain and its subdomains.

Answer: E, G & I

Each Active Directory domain needs a corresponding DNS domain or subdomain because Windows 2000 systems use DNS to locate Active Directory domain controllers. Thus, they are absolutely essential to any Windows 2000 network. There are a few different ways to configure a DNS environment in Windows 2000 when a company has publicly available resources (such as mail and web servers) that use the company's domain name.

One way is to maintain two separate DNS infrastructures that use the company's domain name. Under this plan, the external DNS infrastructure would only contain records for publicly available servers. The internal DNS infrastructure would contain records for both public and private network resources. For obvious reasons, this type of dual infrastructure can be complex, difficult and confusing to maintain. The two infrastructures do not communicate with each other and often public server content must be replicated to private servers for internal users to access.

A second option is to use two different domain names such as thebestests.com and thebestests.net. The company's primary DNS domain name (such as thebestests.com) would be used for an external DNS infrastructure. The internal DNS infrastructure would use the secondary domain name (such as thebestests.net). This would also be the name of the forest root for Active Directory. Because the namespaces are different, communication can take place between the two DNS infrastructures. The down side of this system is that users can become confused about why they access some things using a .com extension and other servers using a .net extension.

The best option is typically to use a delegated subdomain of the company's main DNS name. For instance, if the company's main DNS name is thebestests.com, a second domain would be created beneath it called corp. The full namespace of Active Directory would be corp.thebestests.com. All Active Directory records would be securely located on DNS servers for this delegated domain. There would still only be one DNS infrastructure and the delegated servers would be a part of it. The company's main DNS servers would still be able to host the public records with no problems.

In this case, a third party holds the primary DNS servers for the root DNS domain. However, local DNS servers are needed to support the Active Directory implementation. The company does not currently have internal DNS servers. Because the company is in the process of migrating to Windows 2000 it makes sense to use Windows 2000 DNS services internally on the network. Because all Active Directory domains must have corresponding DNS domains, subdomains will need to be created in DNS beneath the ad.antiwageslaves.com namespace for any Active Directory child domains.

Windows 2000 Help, Search for the articles entitled: Namespace planning for DNS; DNS domain names; and Checklist: Deploying DNS for Active Directory.
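The delegated-subdomain design recommended in questions 3, 4 and 11 can be checked mechanically. The Python below is an added example (not from the practice test and not a Microsoft tool): it lists the domain controller locator SRV records that Windows 2000 domain controllers register under the _msdcs subtree, finds which zone is authoritative for each one using longest-suffix matching (the child zone wins below a delegation cut), and reports a problem if the parent zone does not delegate the subdomain, if a locator record is not published at all, or if one lands in a zone served by the public DNS servers. The public name thebestests.com and the delegated name corp.thebestests.com come from the text; the zone contents, the host names dns1/dc1 and the site name HQ are constructed for the example.

```python
"""Consistency check for a delegated Active Directory DNS namespace.

Added example; not part of the original practice test or of any Microsoft
tool. It encodes the design the explanation recommends: the public zone
(thebestests.com) stays on the existing servers, a delegated subdomain
(corp.thebestests.com) is hosted on internal Windows 2000 DNS servers, and
the domain controller locator SRV records live only there. The SRV owner
names follow the _msdcs convention Windows 2000 domain controllers register;
the zone contents, the site name "HQ" and the host names are constructed.
"""


def dc_locator_srv_names(domain, forest_root, site):
    """SRV names a Windows 2000 client queries to find a domain controller,
    the PDC emulator, a global catalog and a domain controller in its site."""
    return {
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.pdc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_ldap._tcp.gc._msdcs.{forest_root}",
    }


def authoritative_zone(name, zones):
    """Longest-suffix match: below a delegation cut the child zone, not the
    parent, is authoritative for a name."""
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def check_namespace(zones, ad_domain, forest_root, site):
    """Return a list of design problems (empty list = consistent design).

    zones maps a zone name to {"internal": bool, "records": {(owner, rrtype), ...}};
    "internal" marks zones served only by the internal Windows 2000 DNS servers."""
    problems = []
    parent = ad_domain.partition(".")[2]
    # the parent zone must delegate the Active Directory subdomain with an NS record
    if parent in zones and (ad_domain, "NS") not in zones[parent]["records"]:
        problems.append(f"{parent} lacks an NS record delegating {ad_domain}")
    # every locator record must exist, and only on internal servers
    for owner in sorted(dc_locator_srv_names(ad_domain, forest_root, site)):
        zone = authoritative_zone(owner, zones)
        if zone is None or (owner, "SRV") not in zones[zone]["records"]:
            problems.append(f"{owner} is not published in any zone")
        elif not zones[zone]["internal"]:
            problems.append(f"{owner} is exposed in the public zone {zone}")
    return problems


SITE = "HQ"  # constructed site name for the example


def delegated_design():
    """Recommended design: the public zone delegates corp.thebestests.com inward."""
    ad = "corp.thebestests.com"
    srv = dc_locator_srv_names(ad, ad, SITE)
    return {
        "thebestests.com": {"internal": False, "records": {
            ("www.thebestests.com", "A"),
            ("thebestests.com", "MX"),
            ("corp.thebestests.com", "NS"),       # delegation to the internal servers
            ("dns1.corp.thebestests.com", "A"),   # glue for the delegated server
        }},
        ad: {"internal": True, "records":
             {(owner, "SRV") for owner in srv} | {("dc1.corp.thebestests.com", "A")}},
    }


def flat_design():
    """Rejected design (question 4, option C): Active Directory uses the public name."""
    ad = "thebestests.com"
    srv = dc_locator_srv_names(ad, ad, SITE)
    return {ad: {"internal": False, "records":
                 {("www.thebestests.com", "A")} | {(owner, "SRV") for owner in srv}}}


if __name__ == "__main__":
    print("delegated:", check_namespace(delegated_design(),
                                        "corp.thebestests.com", "corp.thebestests.com", SITE))
    for problem in check_namespace(flat_design(), "thebestests.com", "thebestests.com", SITE):
        print("flat:", problem)
```

The delegated design comes back clean; the flat design reports every locator record as exposed, which is the concrete form of the objection in question 4 that the public DNS servers would have to carry (and dynamically accept) the Active Directory records. Deleting the NS record from the parent zone produces the third kind of finding, a subdomain that internal servers host but nobody delegates to them.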


12. Your company has a corporate office and two branch offices. The Active Directory structure in the organization consists of a single domain. The three offices are connected by a WAN link through the main office. You create three sites named Corp, Branch1, and Branch2 and then place a domain controller in each office. You want to ensure that all three domain controllers will participate in Active Directory replication. What should you do?

A. Create a site topology between Corp and Branch2 at a cost=50.
B. Verify that the default setting Bridge all site links is enabled.
C. Verify that Ignore schedules is enabled.
D. Create a site link between Corp and Branch1.
E. Create a site link between Corp and Branch2.

Answer: B

By default, Bridge all site links is enabled. All you are required to do is verify that it is enabled. Ignore schedules is a setting for SMTP inter-site transport. Nothing in the scenario leads toward an application of SMTP. Although you can create site links between Corp and Branch1 and between Corp and Branch2, it isn't necessary. They will be a part of the default site link which is adequate for this simple site structure. Setting a cost is important only when there is more than one way to route the replication traffic and you want to weigh the choices with an associated cost for each. Setting a cost for one of the links in this scenario buys no advantage.
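To make the bridging rule concrete, here is an added Python model (not from the practice test) of how site links and the Bridge all site links setting decide whether two sites can replicate. A site link joins two or more sites at a cost; with bridging enabled, links that share a site are transitive and the cheapest route is used, while with it disabled only the sites on one link, or on links grouped into an explicit site link bridge, can replicate with each other. The sites Corp, Branch1 and Branch2 come from question 12 and DEFAULTIPSITELINK is the site link Windows 2000 creates at installation (default cost 100); the hub-and-spoke links, their costs and the explicit bridge are constructed for the example.

```python
"""Site-link reachability for Active Directory inter-site replication.

Added example, not from the practice test. Sites Corp, Branch1 and Branch2
are from question 12; DEFAULTIPSITELINK is the default site link (cost 100);
the hub-and-spoke links and the explicit site link bridge are constructed.
"""
import heapq


def _cheapest(links, src, dst):
    """Dijkstra over the sites joined by the given links; None if unreachable."""
    adjacency = {}
    for cost, sites in links.values():
        for a in sites:
            for b in sites:
                if a != b:
                    adjacency.setdefault(a, []).append((cost, b))
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, site = heapq.heappop(heap)
        if site == dst:
            return d
        if d > dist[site]:
            continue
        for cost, nxt in adjacency.get(site, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                heapq.heappush(heap, (nd, nxt))
    return None


def replication_cost(site_links, src, dst, bridge_all=True, bridges=()):
    """Cheapest total site-link cost at which src can replicate with dst, or None.

    site_links: {link_name: (cost, {site, ...})}
    bridges:    explicit site link bridges, each a set of link names; only
                consulted when bridge_all is False."""
    if bridge_all:
        groups = [set(site_links)]                       # every link is transitive
    else:
        groups = [{n for n in b if n in site_links} for b in bridges]
    groups += [{name} for name in site_links]           # a single link needs no bridging
    best = None
    for group in groups:
        cost = _cheapest({name: site_links[name] for name in group}, src, dst)
        if cost is not None and (best is None or cost < best):
            best = cost
    return best


# Question 12: every site is a member of the default link, so no extra links are needed.
DEFAULT_LINK = {"DEFAULTIPSITELINK": (100, {"Corp", "Branch1", "Branch2"})}

# Constructed alternative: one link per WAN connection through the main office.
HUB_AND_SPOKE = {
    "Corp-Branch1": (100, {"Corp", "Branch1"}),
    "Corp-Branch2": (100, {"Corp", "Branch2"}),
}

if __name__ == "__main__":
    # All three sites share the default link, so bridging does not even matter.
    print(replication_cost(DEFAULT_LINK, "Branch1", "Branch2", bridge_all=False))   # 100
    # Separate links: the branches reach each other through Corp only when bridged.
    print(replication_cost(HUB_AND_SPOKE, "Branch1", "Branch2"))                    # 200
    print(replication_cost(HUB_AND_SPOKE, "Branch1", "Branch2", bridge_all=False))  # None
    print(replication_cost(HUB_AND_SPOKE, "Branch1", "Branch2", bridge_all=False,
                           bridges=[{"Corp-Branch1", "Corp-Branch2"}]))             # 200
```

The first call is the situation in question 12: because all three sites sit on the one default link, nothing else is required. The hub-and-spoke topology shows what the setting actually controls: with bridging disabled the two branches cannot replicate with each other at all until a site link bridge groups the two links, and the cost only matters once there is more than one route to compare.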


13. You want to ensure that the Active Directory schema is protected from unauthorized changes. You want to make the schema as secure as possible without removing servers from the network. Which three actions should you take? (Choose all that apply)

A. Limit membership in the Schema Admins group.
B. Limit membership in the Enterprise Admins and the root domain's Domain Admins groups.
C. Create a Group Policy Object (GPO) for the Schema Admins.
D. Use the Active Directory schema snap-in for all schema modifications.
E. Verify that schema modifications on the schema operations master have been disabled.

Answer: A, B & E

These precautions will secure your schema from inadvertent or deliberate modification: Disable the modification ability on the schema operations master; Limit the members of the Schema Admins group; Limit the membership in the Enterprise Admins and the root Domain Admins groups because members of these groups can modify the membership of the Schema Admins group. A Group Policy object (GPO) for the Schema Admins will not secure the schema. Using the Active Directory schema snap-in for modifications is a risky procedure because it results in live changes to the production environment. Microsoft recommends either using a script to modify the schema in a test environment or removing the schema master from the network during the changes.


14. You are reviewing the tasks that will be required to upgrade the company's Windows NT domains to Active Directory in order to begin a rough draft of the deployment documentation. Which of the tasks below will be used? Please place the tasks that should be used in the correct order.

[view the scenario]

A. Create a clean install of Windows 2000 on a designated server. Promote this server to be a domain controller using DCPROMO.EXE and make it the Active Directory forest root domain.
B. Select and upgrade a BDC from one of the existing domains to be the first Windows 2000 domain controller on the network.
C. Select and upgrade a BDC from each account domain to be the first Windows 2000 domain controller installed for its domain. Attach each domain to the root domain.
D. Select and upgrade the PDC from each of the domains to be the first Windows 2000 domain controller installed for its domain. Attach each domain to the root domain.
E. Create a clean install of Windows 2000 on a designated server for each of the regional domains. Promote each of these servers to be domain controllers for their respective region. Attach each domain to the root domain.
F. Create new organizational units (OU's) in each of the account domains. Move the various groups into the correct OU's.
G. Remove (decommission) the appropriate domains.
H. Create new organizational units (OU's) in each of the account domains. Move the various user and group objects into the correct OU's.

Answer: A

The correct installation procedure for this network begins with a clean install of Windows 2000 on a designated server. This server will then be made a domain controller by running the DCPROMO.EXE utility. During this procedure the first domain in the forest will be formed. This will create the forest and serve as the forest root domain. This domain will be an empty root with OS (overseas) and AMERICAS as child domains.

Once the forest root has been established, the child domains can be installed. These will be the OS and AMERICAS domains. When a domain is being upgraded from Windows NT to Windows 2000, the PDC for the domain must be upgraded first. This will automatically migrate all of the Windows NT user and group accounts into Active Directory for this domain.

Once these domains have been migrated, the next logical step is to migrate all other domains on the network. Again the PDC in each domain must be migrated first so that all accounts are transferred properly into Active Directory. In this case, these other domains are only being upgraded so that any users and groups they contain can be moved into either the OS or AMERICAS domain. Because they will be decommissioned after their resources have been relocated in Active Directory, it is not necessary to upgrade any of the BDC's for these domains.

Once all domains have been migrated to Windows 2000 and Active Directory, their user and group objects can be moved into the appropriate domain(s). OU's should be created in the OS and AMERICAS domains that allow the user and group accounts to be organized in the best administrative manner.

Once the OU's have been created, the accounts can be moved and the other domains can be decommissioned. Decommissioning is Microsoft's way of referring to a domain that will be removed from the network. Once the resources are moved out of a given resource domain, DCPROMO.EXE will be run again on that domain's Active Directory domain controller and Active Directory will be uninstalled from that server. Because each resource domain exists on only one server, when that server has Active Directory removed from it the domain no longer exists on the network. It is said to have been decommissioned.

Windows 2000 Help, Search for the articles entitled: Upgrading a domain by upgrading domain controllers first; Planning the order of server upgrades; Merging resource domains into master domains; To demote a domain controller; Upgrading an existing Windows NT domain; and Upgrading to Active Directory.


15. You want to verify the schema changes made by the new directory-enabled application you just installed. Which two components will you examine? (Choose all that apply)

A. Security principal
B. Attribute
C. Class
D. Container
E. Object

>> !
Answer: B & C

Schema modifications involve the class and attribute components. A class is a type of object, such as a user. The attributes of the class specify what can be said about the particular class, for example, a user's address. An application that can make modifications to the schema will change the classes and/or attributes. Objects refer to specific Active Directory entities. For example, John Smith's user account is an object. User Account is the class. An attribute of the class User Account would be a specific characteristic of user accounts, such as the logon name. Objects are not components of the Schema. Containers hold objects such as user accounts or computer accounts. Organizational units (OUs) are a type of container that can have Group Policy applied to it. Containers are not components of the Schema. Security principals are the individuals or groups that are given permissions to Active Directory objects. Security principals are not components of the Schema.


16. The company has requested a summary report that details how many sites, domains, etc. your design will call for. Based on the information you have collected, how many sites will your design recommend creating?

[view the scenario]

A. 2
B. 4
C. 10
D. 12
E. 1
F. 3
G. 9
H. 11

>> !
Answer: H

Active Directory replication is controlled by using sites and site links. Because of this, sites play a very important role in Windows 2000 networks. Sites are well connected networks. Locations that are connected by WAN links should generally have their own sites. This is so that replication can be scheduled for maximum bandwidth efficiency on the WAN links connecting the locations. In this case, the company has 11 physical locations and therefore would require 11 sites. Windows 2000 Help, Search for the articles entitled: Sites; Replication options; Replication goals and strategies; When to establish separate sites; and To create a site link.


17. Based on the information provided to you by the company during the collection stage of your design process, how many forests and domains will your design call for prior to the consolidation of the company's resource domains?

[view the scenario]

A. Your design will call for eleven forests and eleven domains.
B. Your design will call for two forests and eleven domains.
C. Your design will call for one forest and two trees with six child domains each.
D. Your design will call for one forest and eleven domains.
E. Your design will call for one forest and six domains.
F. Your design will call for one forest and one domain.

>> !
Answer: D

Except in extreme circumstances, a company should only have one forest. The number of domains within a forest, however, is subjective. In this case, we know that each location except headquarters has a resource domain. So, after the initial conversion to Windows 2000 there will be ten resource and one master account domain for a total of eleven domains. Windows 2000 Help, Search for the articles entitled: Planning your domain structure; Understanding domain trees and forests; and Planning organizational unit structure.


18. This is by far the largest Windows 2000 implementation you have done. As you look at the number of sites involved, what stands out as the factors that should guide your site design decisions the most? (Choose all that apply)

[view the scenario]

A. Your decision should be guided by the amount of bandwidth that is available on the company's Wide Area Network.
B. Your decision should be guided by the amount of bandwidth that is available on the company's Local Area Network.
C. Your decision should be guided by the number of people that are employed by the company worldwide.
D. Your decision should be guided by the costs that are associated with operating the Wide Area Network, including bandwidth expenses.
E. Your decision should be guided by the number of physical locations where the company has business facilities.
F. Your decision should be guided by the security policies in place on the network.
G. Your decision should be guided by changes that are being considered to the domains in place on the network.

>> !
Answer: A, D & E

Remember that sites relate to physical locations and WAN links. Therefore all answers involving one of these two topics should be selected as an answer. Generally speaking, each location should have its own site. Active Directory replication is controlled by using sites and site links. In addition, site and subnet objects are used to tell Active Directory where a user is logging in from and if there are any domain controllers in his or her site. If a domain controller exists in the same site as the user, he or she will be directed to log in using that server. Thus, their logon traffic will not pass over WAN links. Sites are critical for controlling the amount and scheduling of Active Directory traffic on the WAN. Windows 2000 Help, Search for the articles entitled: Sites; Replication options; Replication goals and strategies; When to establish separate sites; and To create a site link.


19. You are reviewing the company mandate to collapse domains where possible. What is the most significant decision point when considering whether or not to keep SACHANG as a domain level object?

[view the scenario]

A. The fact that SACHANG and NACHANG have the same password and security policies.
B. The geographic location of the offices that utilize the domain.
C. The speed of logins for South American offices.
D. The number of offices that are serviced by the current domain.
E. The number of users that are serviced by the current domain.

>> !
Answer: A

The company has mandated that domains be consolidated where possible. North and South America have solid WAN links between them. They also have the same password and account lockout policies. Some group policy items can only be set once for each domain. Password and account lockout policies are examples of this. If different groups within the company require different password or account lockout policies, it will be necessary to give each group their own domain. This is one of the most critical things to check for when designing the company's Active Directory structure. Because communication is solid between North and South America and the two domains have matching password and security policies, they can be consolidated into a single domain. Windows 2000 Help, Search for the articles entitled: Planning your domain structure; Understanding domain trees and forests; and Planning organizational unit structure.


20. Your geographically distributed organization is growing rapidly and has undergone several reorganizations in the past year. Which organizational unit hierarchy model should you choose to protect the administrative design?

A. Hybrid by organization then location
B. Function-based
C. Organizational-based
D. Location-based
E. Hybrid by location then organization

>> !
Answer: D

Location-based Active Directory hierarchy design is the most stable of all. If your organization or corporation is undergoing restructuring, then you should choose the location-based design. Organizational-based hierarchies are designed on the business model. The business organization can change. The Function-based hierarchy for Active Directory design is appropriate for smaller companies. Their structure means you will have to manage complexity in the inheritance of privileges because of multi-leveled organizational units. The extra layers are required for administration of accounts, resources and shares. Function as a division is usually left to the lower levels of a hierarchy. In this design choice, function is the first-level division. The hybrid designs, location-then-organization and organization-then-location, incorporate the organization as a criterion for the design and are thus vulnerable to the reorganizations your corporation is experiencing this year. Location alone is a solid choice for this design.


21. You are working on the portion of your design that relates to schema management. Which of the following design criteria will cause your design to call for extension of the schema?

[view the scenario]

A. The use of advanced networked scanning techniques will require extension of the schema.
B. The need to upgrade to Exchange 2000 will require extension of the schema.
C. None of the above items will require extension of the schema.
D. The storage of personnel information in the Active Directory database will require extension of the schema.
E. The implementation of a PKI based infrastructure will require extension of the schema.

>> !
Answer: B

Upon installation, Microsoft Exchange 2000 modifies and extends the Active Directory schema. Windows 2000 Help, Search for the articles entitled: Active Directory schema overview; Issues in extending the schema; When to extend the schema; Schema changes; Using Active Directory with Exchange; and Extending the schema.


22. Many of the existing hotel resorts have existing Windows NT 4.0 networks. None have more than one domain. Which of the following steps are required to upgrade each of their networks to Windows 2000? (Choose all that apply)

[view the scenario]

A. Synchronize a BDC and take it offline just in case the upgrade does not go as planned.
B. Upgrade the PDC to Windows 2000.
C. Select one of the BDC's and upgrade it to Windows 2000.
D. Upgrade the remaining BDC's to Windows 2000, except the one set aside for fault tolerance.
E. Upgrade the remaining BDC's to Windows 2000.

>> !
Answer: A, B & D

When upgrading the domain services of a network from Windows NT to Windows 2000 the first computer that must be upgraded is the Primary Domain Controller (PDC). As part of the upgrade process, all of the user and group accounts will be migrated from Windows NT directory services into Active Directory. Once the PDC has been migrated, the BDC's can be upgraded. To ensure network functionality in the case of a failed upgrade attempt, one BDC should be synchronized and taken offline prior to the upgrade. In this way if the upgrade fails, it can be promoted to serve as the PDC and placed back online, ensuring that users can log into the network. Windows 2000 Help, Search for the articles entitled: Upgrading a domain by upgrading domain controllers first; Planning the order of server upgrades; Upgrading an existing Windows NT domain; and Upgrading to Active Directory.


23. The company has asked that you prepare a report that contains some summary statistics regarding your design. One of the statistics the company is curious about is how many forests and domains will exist on the network after your design has been implemented. What will your report tell them?

[view the scenario]

A. Your report will tell them that there will be one forest and one domain for each location after the upgrade is completed.
B. Your report will tell them that there will be one forest and one domain for the entire company after the upgrade is completed.
C. Your report will tell them that there will be one forest and eight domains after the upgrade is completed.
D. Your report will tell them that there will be seven forests and one domain for each location after the upgrade is completed.
E. Your report will tell them that there will be one forest and seven domains for the entire company after the upgrade is completed.
F. Your report will tell them that there will be seven forests, each with two domains after the upgrade is completed.
G. Your report will tell them that the company will not require a forest or domain after the upgrade is completed.

>> !
Answer: B

For testing purposes, you should generally consider the fact that Microsoft recommends one forest per company. They also tend to prefer single domain networks, unless the scenario specifically states that the company wants to keep its existing domain structure or different groups of users require different password or account lockout settings. Some group policy items can only be set once for each domain. Password and account lockout policies are examples of this. If different groups within the company require different password or account lockout policies, it will be necessary to give each group their own domain. Many of the reasons for having resource domains have gone away with the advent of Active Directory. Microsoft recommends using a single domain model in conjunction with sites to control replication and logon traffic over WAN links. They also recommend the use of delegation within Active Directory to allow specific users or administrators to perform routine administrative tasks in Active Directory without having full administrative permissions. There are no per domain size limits in Active Directory. The number of objects that Active Directory can support relates to the forest, not individual domains. Windows 2000 Help, Search for the articles entitled: Planning your domain structure; Understanding domain trees and forests; and Planning organizational unit structure.


24. The time has come for you to place the company's IT migration strategy onto paper. What will your design call for that will create the smoothest transition given the company's goals?

[view the scenario]

A. Your design will call for the migration of all existing domains at one time and the creation of a flat domain structure.
B. Your design will call for making a root domain and then upgrading the account domains. Following this, it will call for the migration of the resource domains as well as the consolidation of them into the account domains.
C. Your design will call for the migration of the account domains and configuring them as a single root domain. Following this, it will call for the migration and consolidation of the resource domains into the forest root.
D. Your design will call for the migration of the account domains and configuring them as separate trees under a common forest root domain. Following this, it will call for the migration and consolidation of the resource domains into the forest root.
E. Your design will call for the migration of the account domains and configuring them as separate trees under a common forest root domain. Following this, it will call for the migration and consolidation of the resource domains into the appropriate root domain of one of the trees.
F. Your design will call for the migration and consolidation of the account domains and the creation of a forest root domain from them. Following this, it will call for the consolidation of the other resource domains into the forest root.

>> !
Answer: B

Microsoft recommends upgrading the account domains first during a migration from Windows NT to Windows 2000. Once the account domains have been migrated, resource domains can be migrated. The capacity of a domain in Windows 2000 is not limited like it was in Windows NT. In addition, there is a strong ability to delegate authority when using Active Directory. Because of this it is often not necessary for a company to continue using resource domains. Such domains can often be consolidated into the company's account domains. This is accomplished by upgrading the resource domains to Windows 2000 and moving the objects (such as users, computers, and groups) from the resource domain to the account domain. Once this transfer is complete, directory services can be uninstalled from all domain controllers for the resource domain. Microsoft often refers to this process as decommissioning a domain. Windows 2000 Help, Search for the articles entitled: Upgrading a domain by upgrading domain controllers first; Planning the order of server upgrades; Merging resource domains into master domains; To demote a domain controller; Upgrading an existing Windows NT domain; and Upgrading to Active Directory.


25. Your organization has three divisions. The organization's Active Directory structure is comprised of a domain for each division and organizational units (OUs) by location. What are two results of using this Active Directory hierarchy? (Choose all that apply)

A. Administrators from all divisions can take ownership of any object in any division.
B. Different security policies are allowed in each division.
C. The hierarchy may not take advantage of the physical network.
D. The Active Directory hierarchy is functionally restrictive.
E. The Active Directory hierarchy will easily accommodate a restructure of the organization.

>> !
Answer: B & C

The domain division by organization means your design may not fall along the existing physical network divisions. Creating domains that allow for different security policies may have a higher priority than creating structure along the physical network. The hierarchy described in the scenario will not be functionally restrictive, which is to say it supports the business requirements at the higher level. Nor does it interfere with the information technology (IT) functions, which are distributed by location. The organization and location hierarchy is not a flexible design, and if the company undergoes a reorganization, the Active Directory may require critical modification. Since each division in the company has a separate domain and since domains are security boundaries, there will be no administrators from other divisions taking ownership of objects in another division.


26. Your organization currently has four DNS domains. What is the minimum number of Active Directory domains you must have in order to implement Active Directory?

A. One
B. Four
C. Three
D. Five

>> !
Answer: A

You are only required to have one Active Directory domain within the scope of the corporate or enterprise DNS domain namespace. Namespace refers to the named objects within a defined scope such as a corporate environment. All entities are arranged in a hierarchical format that allows each object to be located. Active Directory uses DNS as its locator service. Therefore, both Active Directory and DNS are using the same logical organization and naming of objects. A corporate namespace begins at the second level of the DNS namespace. In other words, it must have a suffix such as .com, .net, or .gov.


27. Assuming everything goes according to plan, at the end of two years what is the minimum number of Windows 2000 domain controllers that would have been implemented on all networks installed by the company?

[view the scenario]

A. 52
B. 53
C. 54
D. 77
E. 78
F. 79
G. 102
H. 103
I. 104

>> !
Answer: H

To determine the number of domain controllers, simply add up the facts listed in the background information provided by the company. The company stated that redundancy is required at the hotel resorts. Because of this you should assume that each one will get at least two domain controllers for the member network, and two domain controllers for the resort hotel network. Because 25 locations will be online at the end of that time, the total would be 100 domain controllers for the member resorts. The company background information states that the IT datacenter will get two domain controllers. The scenario does not state that redundancy is required at headquarters so you should assume that only one domain controller will be required there.


28. As part of the design, the company has asked that you provide documentation on what single operation master roles will be needed on the network. Which of the following will your design call for?

[view the scenario]

A. Your design will call for one schema operations master, one domain naming master, one RID master, one PDC emulator, and one infrastructure operations master.
B. Your design will call for one schema operations master, one domain naming master, two RID masters, two PDC emulators, and two infrastructure operations masters.
C. Your design will call for one schema operations master, one domain naming master, three RID masters, three PDC emulators, and three infrastructure operations masters.
D. Your design will call for one schema operations master, one domain naming master, four RID masters, four PDC emulators, and four infrastructure operations masters.

>> !
Answer: B

There are five operations master roles that exist on an Active Directory network. Two exist only in the forest root domain and govern forest wide operations. These are the Schema and Domain Naming Masters. The Schema Master governs changes to the Active Directory schema. Only one computer houses this role in an Active Directory forest. The Domain Naming Master is needed to add new domains to, and remove domains from, the forest. Only one computer houses this role in an Active Directory forest. Microsoft generally recommends that these two roles be located on the same domain controller. The additional three operation masters exist in every domain in the forest. There is one of each in every domain. The PDC Emulator performs several functions. In a mixed domain with Windows NT BDC's, it serves the role of the PDC for those machines.
In a pure Windows 2000 domain (Native mode domain) it continues to perform important roles, including receiving preferential password updates from the other domain controllers. The Infrastructure Master is responsible for maintaining group to user mappings. If the Infrastructure Master is located on a Domain Controller which is also serving as a global catalog server it will not function properly. Because of this, Microsoft recommends that the computer holding the Infrastructure Master role not be a global catalog server. The Relative ID (RID) Master allocates relative ID's to the domain controllers in the domain. When a user, computer, group or other security principal is created, a unique RID is appended to the domain security ID (SID) to create a new SID for the object. SID's are often used by Windows 2000 as identifiers for security purposes. Windows 2000 Help, Search for the articles entitled: Operations masters; Single master operations; and Global catalog and infrastructure master.


29. You are attempting to determine how your design should specify applying group policy objects (GPO) at the various levels of Active Directory. In what order will your design call for group policy to be applied?

[view the scenario]

A. Your design will call for group policy to be applied in the following order: Domain GPO, site GPO, department level OU GPO.
B. Your design will call for group policy to be applied in the following order: Domain GPO, departmental level OU GPO, site GPO.
C. Your design will call for group policy to be applied in the following order: Site GPO, domain GPO, departmental level OU GPO.
D. Your design will call for group policy to be applied in the following order: Department level OU GPO, site GPO, domain GPO.

>> !
Answer: C

Group policy objects can be applied at the site, domain, and OU levels. Policies placed at the domain level override policies at the site level. Policies placed at the OU level override policies placed at the domain and site levels. Therefore, the correct way to apply group policy is to go from least specific (things that have a broad effect) to most specific (things that affect just one OU). Windows 2000 Help, Search for the articles entitled: Group Policy overview; Using Group Policy; Order of processing settings; Delegating control of Group Policy; Default permissions; and To filter the scope of Group Policy according to security group membership.


30. Your single-domain organization currently has two organizational units (OUs) for the Research and Business divisions for delegation of administration. Each division has multiple departments. You have developed a Group Policy for every job category within the organization. How can you structure your OU hierarchy for Active Directory to support delegation and group policy needs?

A. At the domain level, create an OU for each job category. Create a GPO for each category-based OU.
B. Within each division, create an OU for each job category. Create a GPO for each job category-based OU.
C. Within each division, create an OU for each job category. On the divisional OU, create a GPO for each job category.
D. At the domain level, create an OU for each department. Within each department, create an OU for each job category. Create a GPO for each category-based OU.

>> !
Answer: B

To apply the GPO created for each job category, you will need to create an OU for each job category in both divisions. This is the correct way to solve the scenario's task. If you create an OU for each job category, it would be incorrect to then apply a GPO for each job category at the division level. Each job category OU in the division would inherit all the GPOs and then you would be required to use filters. Department OUs are inappropriate since you are applying policy by job category for each division, not by department. The scenario already has two OUs for the Research and Business divisions. It would be incorrect to put job-category OUs above the division OUs. The reason is that the job-category OUs will be very different in the Research division and the Business division. If you place the job category OUs above the division OUs, and then apply GPOs, you will require all the GPOs to be read by a user of the domain at log on. You will then be tasked with filtering.


31. Your Active Directory contains two trees. A group of users in a child domain in one tree requires frequent lookups in a database in a child domain in the other tree. The users report that the network is slow when accessing this database. What can you do to optimize the users' initial access to the database?

A. Create a shortcut trust between the two domains.
B. Issue session tickets from the Key Distribution Center (KDC) for this user.
C. Add an additional domain controller to the domain where the database is located.
D. Create a one-way external trust between the two domains.

>> !
Answer: A

By creating a shortcut trust between the two domains, you can expedite the database lookups from one tree to the other tree in the forest. A shortcut trust is a two-way transitive trust that creates a shorter trust path. You can only create these when the two-way transitive trusts between trees in a forest already exist. Issuing session tickets is a task managed by the Key Distribution Center (KDC). When services are requested on another resource computer, service tickets are issued to the requesting authenticated user. The session that results is implemented with the service tickets held by the user. Adding an additional domain controller where the database is located won't resolve any delays in getting resources that are caused by the length of the trust path. Transitive trusts must pass through the domain hierarchy of the domain tree if there is no shortcut trust. If there is a second domain tree in the forest, then the trust path is even longer. In this scenario, the trust path includes both domain trees. External trusts are created for separate forests that need some level of trust (one or two-way) for the domains of the forests. External trusts are created where no transitive trusts exist.


32. For the last several hours you have been going over the information you collected from the company. You are having difficulty determining what the single most critical design element is for the domain migration strategy. Frustrated, you decide to sleep on it, and sure enough in the morning it is clear that the answer is:

[view the scenario]

A. What the design calls for in terms of maintenance for employee accounts and passwords.
B. The current physical layout of the network and its directory services.
C. The requirements for TG's to have their information stored in contact records.
D. The current logical layout of the network and its directory services.

>> !
Answer: A

Of the available answers, the maintenance of accounts is the most critical design element. This is because accounts for the TG's are currently stored on a UNIX system but will be migrated into Active Directory over time. The size and complexity of this operation make it a critical design decision. In addition, the TG accounts have different security requirements than the company's administrative and managerial accounts, which is another important consideration in domain design. Windows 2000 Help, Search for the articles entitled: Planning your domain structure; Understanding domain trees and forests; and Planning organizational unit structure.


33. Your customer's corporate regulations require that all accounting workstations have multiprocessors beginning with the Windows 2000 deployment. Where will this corporate strategy become a definite element of the project planning design rather than just a documented requirement?

A. The Production Rollout: the pilot program is replaced with actual deployment, or the pilot program becomes the actual deployment.
B. The Feature Design and Development phase: the functional specification will describe designs based on corporate regulations and test requirements.
C. The Determining Goals and Objectives phase: the teams will evaluate Windows 2000 features along with business costs and benefits.
D. The Windows 2000 Pilot: the testing team will migrate or upgrade the lab environment to some production systems.

>> !
Answer: B

The Determining Goals and Objectives phase is the initial phase of the project where the features of Windows 2000 are compared to the business requirements, costs, and benefits. Documentation at this phase would reflect the corporate regulation requiring multiprocessors for the accounting department. The Feature Design and Development phase is correctly where the corporate regulation for multiprocessors will be included in the functional specification that calls for design and testing of specific corporate requirements. It's part of the plan at this phase. The Windows 2000 Pilot phase is well beyond the incorporation of corporate regulations into the design. The pilot phase can become the actual deployment for some companies. The Production Rollout phase is when the pilot is phased out or further developed into the actual production environment.


34. The company has asked for a preliminary report concerning how you plan to implement the forest and domain structure of Active Directory. Which of the following will your report contain?

[view the scenario]

A. Your report will specify the creation of two forests for LICHANGLI, LTD, one for the Americas and one for overseas.
B. Your report will specify the creation of one forest for LICHANGLI, LTD. and the creation of an OU for each of the company's sites in the root domain.
C. Your report will specify the creation of one forest for LICHANGLI, LTD. and the creation of a domain for each of the company's sites under the root domain.
D. Your report will specify the creation of one forest for LICHANGLI, LTD. for each of the regional offices, and the creation of subdomains for each branch office.
E. Your report will specify the creation of one forest for LICHANGLI, LTD. and the creation of a domain for each regional headquarters under the forest root domain.
F. Your report will specify the creation of one forest for LICHANGLI, LTD. and the creation of a domain for the overseas offices as well as a domain for the Americas.

>> !
Answer: F

Except in very rare cases, a company should only have one forest. The company has mandated that the IT domain be decommissioned. For this reason, there will not be an it.lichangli.com domain on the network. The company has also mandated that domains be consolidated wherever possible. North and South America have solid WAN links between them. They also have the same password and account lockout policies. Some group policy items can only be set once for each domain. Password and account lockout policies are examples of this. If different groups within the company require different password or account lockout policies, it will be necessary to give each group their own domain. This is one of the most critical things to check for when designing a company's Active Directory structure. Because communication is solid between North and South America and the two domains have matching password and security policies, they can be consolidated into a single domain.
Overseas offices do not use the same password policy as the Americas. The company has mandated that this remain the same after the implementation. Because of this fact, separate domains are needed for these two groups of users, so a second domain is required.

Windows 2000 Help, Search for the articles entitled: Planning your domain structure; Understanding domain trees and forests; and Planning organizational unit structure.


35. An administrator at one of the hotel resorts is having difficulty installing a custom application on the network. The application keeps stating that it cannot modify the schema. What is the most likely cause of the problem?

[view the scenario]

A. The administrator is not a member of the Schema Admins group.
B. The administrator is not a member of the Enterprise Admins group.
C. The administrator is not a member of the local Administrators group.
D. The administrator is not a member of the Schema Administrators group.
E. The administrator is not a member of the Forest Admins group.

>> !
Answer: A

In order to modify the Active Directory schema, a user must be a member of the Schema Admins group. This group is located in the forest root domain and has no members by default.

Windows 2000 Help, Search for the articles entitled: Active Directory schema overview; Issues in extending the schema; When to extend the schema; Schema changes; Using Active Directory with Exchange; and Extending the schema.


36. You have been hired as a consultant to assist BCD Train in designing an Active Directory architecture. After analyzing the current network and the company's plans for integrating Windows 2000 into its network, you recommend that BCD Train use a single Windows 2000 domain. You also recommend that an organizational unit (OU) be created for each city in which one or more training centers exist and that responsibility for the OU be delegated to the IT staff members in the appropriate city. What should you recommend regarding the placement of domain controllers?

A. A domain controller should be installed at each training center location and at the headquarters office.
B. A domain controller should be installed at each business office and at the headquarters office.
C. Domain controllers should only be installed at the headquarters office.
D. Domain controllers should only be installed at each training center location.

>> !
Answer: B

In general, you should recommend that a domain controller be installed at each business office and at the headquarters office. The IT staff members in each city should have access to a domain controller to manage the objects in their OU. The IT staff members at the headquarters office should have access to a domain controller to manage the domain and related domain-level policies. You do not need a domain controller at every training center location, since only a few employees access the corporate network from each of the training centers that do not house office employees. These employees can readily access the domain controller at the office location in their city. You should not install domain controllers only at the headquarters office. If you do this, all logon traffic and system administration traffic must travel across the wide-area network connection to the headquarters office. You should not install domain controllers only at each training center location.
As noted earlier, you do not need a domain controller at the centers that do not also house a business office. You do need domain controllers at the headquarters office, since the IT staff members there are responsible for managing the domain and related domain-level policies. The decisions you make regarding the placement of domain controllers are tied to your decisions about the site topology. Replication between domain controllers in a site occurs more frequently than replication between domain controllers in separate sites. You must assess the impact of this replication traffic on your network.

4.3.1. Design the placement of domain controllers. Considerations include performance, fault tolerance, functionality, and manageability.


37. One of your domain designs calls for each domain to be located only in one site. However, more than one domain can be located in a site if the domains reside at the same physical location. As an example consider Boston. The Boston site will house the domains boston.region1.slipperychippies.com, region1.slipperychippies.com and slipperychippies.com. What will your design call for regarding the single operation roles and global catalog services at the Boston location?

[view the scenario]

A. Your design will call for one schema operations master, one domain naming master, three domain controllers, two global catalog servers, and two PDC emulators.
B. Your design will call for one schema operations master, one domain naming master, six domain controllers, two global catalog servers, and three PDC emulators.
C. Your design will call for one schema operations master, one domain naming master, six domain controllers, six global catalog servers, and three PDC emulators.
D. Your design will call for two schema operations masters, two domain naming masters, six domain controllers, six global catalog servers, and three PDC emulators.
E. Your design will call for two schema operations masters, two domain naming masters, six domain controllers, two global catalog servers, and three PDC emulators.
F. Your design will call for two schema operations masters, two domain naming masters, six domain controllers, two global catalog servers, and six PDC emulators.

>> !
Answer: B

Remember that this company has called for strong fault tolerance. Because of this, you should implement redundant domain controllers and global catalog servers. In this case, even though there are only three domains at the site, there would be six domain controllers and two global catalog servers for fault tolerance.

There are five operations master roles that exist on an Active Directory network. Two exist only in the forest root domain and govern forest-wide operations. These are the Schema and Domain Naming Masters. The Schema Master governs changes to the Active Directory schema. Only one computer houses this role in an Active Directory forest. The Domain Naming Master is needed to add new domains to, and remove domains from, the forest. Only one computer houses this role in an Active Directory forest. Microsoft generally recommends that these two roles be located on the same domain controller.
The additional three operations masters exist in every domain in the forest. There is one of each in every domain. The PDC Emulator provides many different things. In a mixed domain with Windows NT BDCs, it serves the role of the PDC for those machines. In a pure Windows 2000 domain (native mode domain) it continues to perform important roles, including receiving preferential password updates from the other domain controllers. The Infrastructure Master is responsible for maintaining group-to-user mappings. If the Infrastructure Master is located on a domain controller which is also serving as a global catalog server, it will not function properly. Because of this, Microsoft recommends that the computer holding the Infrastructure Master role not be a global catalog server.
The Relative ID (RID) Master allocates relative IDs to the domain controllers in the domain. When a user, computer, group or other security principal is created, a unique RID is appended to the domain security ID (SID) to create a new SID for the object. SIDs are used throughout Windows 2000 as identifiers for security purposes. When a user searches Active Directory, they are searching the Global Catalog. If a Global Catalog server is not located in their site, the query goes to one in another site. Global Catalog servers are also used during the logon process. As part of the logon process, a list of the groups a user belongs to is enumerated. Universal groups are stored in the Global Catalog. If a user from a native mode domain is logging in from a site that does not have a Global Catalog server, the logon process will access a Global Catalog server in another site. Placing a Global Catalog server in the same site that a user is logging in or querying Active Directory from can optimize performance.

Windows 2000 Help, Search for the articles entitled: Operations masters; Single master operations; Global Catalog; and Global catalog and infrastructure master.


38. One of your domain designs calls for each region to have its own domain that is shared by all branch offices in the region. Each physical company location will get a site under such a design. What type of site links will your design call for?

[view the scenario]

A. Your design will call for using RPC over IP site links.
B. Your design will call for using RPC over IPX site links.
C. Your design will call for using SMTP site links.
D. Your design will call for using X.25 site links.

>> !
Answer: A

In Active Directory, site links are used by administrators to influence the Active Directory replication topology. When you configure a site link, you are supplying information to Active Directory concerning what connections are available and which ones you would prefer for it to use. This information is used by Windows 2000 to determine the connections and connection times for Active Directory replication.

SMTP replication should be used when links are unreliable. It can only be used for links between sites and ignores all replication schedules that are configured for it. The domain partition cannot be replicated using an SMTP replication link. Therefore, in order for SMTP links to be used to connect sites, domains cannot span the sites that are connected by these kinds of links.

IP site links use RPCs and should be used only for reliable links between sites. They support transfer of the domain partition in Active Directory. A domain can span two sites that are connected with an RPC (IP) site link. In addition, schedules that are configured on IP site links will be applied by default.

Windows 2000 Help, Search for the articles entitled: Sites; Replication options; Replication goals and strategies; When to establish separate sites; and To create a site link.


39. The planned Active Directory hierarchy of a large university has an organizational unit (OU) for each department. An administrator will be delegated to manage the Physics department OU. To accomplish this, she will be granted change permissions on the domain object. On which of the objects in Active Directory has the scope of her proposed delegation authority been exceeded?

A. The objects within the Math department OU
B. The nested OUs within the Physics department OU
C. The objects within the Physics department OU
D. The objects within the site

>> !
Answer: A

The Math department OU is a peer of the Physics department OU. Since the administrator would be given change permissions at the domain level, she will have delegated authority over objects in both the Math and Physics OUs through inheritance. The Math department is where her scope of authority has been exceeded. The nested OUs within the Physics OU and the objects in the Physics OU are properly within her scope as administrator of the Physics OU. If she is delegated authority at the Physics OU level, then her scope of authority will be correct. If she is delegated authority at the domain level, her scope has not been exceeded in the nested OUs of the Physics OU and the objects in the Physics OU. The objects within the site are not within her scope if her authority is delegated at the domain level. So, for those objects, her proposed delegation authority has not been exceeded.


40. Your Active Directory structure consists of five domains running in native mode in a single forest with 40,000 users. One of the five domains is the Sales domain. Your organization has opened a branch office with 100 employees who are members of the Sales domain. The branch office is connected to the corporate office by a high-speed wide area network (WAN) link. The link is reliable and you expect the utilization rate of the link to be low. What should you do to minimize Active Directory-related authentication traffic on the WAN link? (Choose all that apply)

A. Define the branch office as a site.
B. Add a domain controller (DC) from the Sales domain to the branch office and configure it as a global catalog server.
C. Add the subnet of the branch office to the corporate site.
D. Add a DC from all five domains to the branch office and configure one DC as a global catalog server.
E. Add a DC for the Sales domain at the branch office.

>> !
Answer: A & B

By defining the branch office as a site you can control authentication traffic because Windows 2000 will search for a domain controller in the site where the client is logging on. By adding a domain controller (DC) from the Sales domain to the branch office and configuring it as a global catalog, you can minimize authentication traffic in two ways. By having a global catalog at the branch site, no traffic will cross the WAN link to query a global catalog at the other end. The Sales domain's DC will authenticate the client, preventing the authentication traffic from crossing the WAN link. You can create a site at the branch office, but you should not add the branch office's subnet to the corporate site because subnets are defined at the site to which they are associated. It is incorrect to put a DC from each domain at the branch site. Since all 100 users are part of the Sales domain, it is only required to put a Sales DC at the branch location. While it is correct to add a Sales domain DC to the site, this answer alone does not combine with any other answer to give a complete solution to the problem. Therefore, it is a wrong choice.


41. Your Active Directory forest consists of three domains in native mode. There are user accounts for executives and managers in each domain. You anticipate a need for thirty shares throughout the domain where both executives and managers must have similar access. There are also shares in the forest where only executives or only managers will need access. Which strategy should you use to group the executives and managers?

A. Create a global group called management in each domain, and make all executives and managers members. Create a global group in each domain called executives, and make all executives members. Create a global group in each domain called managers, and make all managers members. Create a universal group called enterprise management, with the management domain global group from each domain as members. Create universal groups called enterprise managers and enterprise executives, and make the appropriate domain global group members.
B. Create a global group in each domain called managers with all managers as members. Create a global group in each domain called executives with all executives as members. Create a universal group called enterprise management with the managers and executives global groups as members.
C. Create a global group called management in each domain with all executives and managers as members. Create a universal group called enterprise management with the management global group from each domain as members.
D. Create a global group in each domain called managers with all managers as members. Create a global group in each domain called executives with all executives as members. Create universal groups called enterprise managers and enterprise executives and make the appropriate global groups members. Create a universal group called enterprise management with the enterprise managers and enterprise executives as members.

>> !
Answer: D

The correct answer is to put all managers of a domain into a global group called managers. Also put all executives of a domain into a global group called executives. Nest the managers global groups from all three domains into a universal group named enterprise managers. Also nest the executives global groups from all three domains into a universal group named enterprise executives. Now you can nest the two universal groups into any appropriate domain local groups that are allowing access to the shares. For example, if both managers and executives need access to a share in domain1, you'll nest both universal groups into the domain local group in domain1. All other combinations of grouping and nesting are wrong. For example, putting all managers and executives into one global group named management will not work whenever you have a resource that is available only to managers. It won't work on a forest scale either, because when you nest the global group management into the universal enterprise group, it won't work for resources that are available only to managers of the forest. In the solution that creates global groups of executives and managers called management for each domain, you have created unnecessary groups.


42. Your business policy requires that all Active Directory objects be removed after deactivating a class or class attribute. What is your strategy for accomplishing this?

A. Objects with deactivated classes and attributes are removed at replication.
B. The ADSIEdit tool allows administrators to remove the objects.
C. Searches will find objects of the deactivated class.
D. Active Directory stops all replication automatically.

>> !
Answer: C

If the schema is modified to remove classes or attributes, the Active Directory objects will remain. To get objects of a deactivated class removed, you should perform a search of Active Directory and then delete them. Replication will not remove objects of deactivated classes and attributes. ADSIEdit will not remove objects of deactivated classes and attributes. ADSIEdit is the interface tool for the ADSI. The ADSI uses a standard set of interfaces that client applications can access without getting into the details of the data store and protocols of directory services. Active Directory does not automatically remove or stop replication of objects of deactivated classes or attributes.


43. You have reached the design stage that calls for you to determine the number of forests, trees and domains that are necessary. Taking into account the information you gathered from the company, which information is most relevant to the number of domains that will be required?

[view the scenario]

A. The fact that the company needs to support different levels of administrators.
B. The fact that the company desires strong growth through acquisition.
C. The relevant facts surrounding password and other security policies.
D. The fact that the company will be migrating to Exchange 2000.
E. The facts regarding the number of physical locations the company has.
F. The facts regarding the amount of bandwidth available on the company's WAN links.

>> !
Answer: C

Some group policy items can only be set once for each domain. Password and account lockout policies are examples of this. If different groups within the company require different password or account lockout policies, it will be necessary to give each group their own domain. This is one of the most critical things to check for when designing a company's Active Directory structure.

Windows 2000 Help, Search for the articles entitled: Planning your domain structure; Understanding domain trees and forests; and Planning organizational unit structure.


44. As you finalize the design for the company, you decide to include some summary information for things like the number of sites, domains, OU's, etc. How many Windows 2000 domains will your design call for?

[view the scenario]

A. 1
B. 2
C. 3
D. 4
E. 5
F. 6
G. 7
H. 8
I. 9

>> !
Answer: D

The scenario mentions that there are currently three account domains, and that each of these will be upgraded. We also know that these account domains will not be consolidated. There are also resource domains; however, these will be going away and will not figure into the final design.

Because of this, four domains will be needed. An empty root (BOMBSNROCKETS.COM) will be created to hold the other three domains. Because BOMBSNROCKETS.COM is taken for the empty root, the BOMBSNROCKETS corporate account domain must be placed in a subdomain (CORP). In addition, there are two other account domains (TANKSNSTUFF and FIGHTERSNSTUFF), each of which will need its own Active Directory domain.

Windows 2000 Help, Search for the articles entitled: Planning your domain structure; Understanding domain trees and forests; and Planning organizational unit structure.


45. You plan to create two trees in an Active Directory forest. You want to create a transitive trust relationship between the two trees. What should you do?

A. Create two one-way explicit trusts between the trees.
B. Configure the Key Distribution Center (KDC) in each root domain to trust a foreign Kerberos V5 realm.
C. Create a Kerberos V5 trust relationship between the two trees.
D. When creating the second tree, indicate that it will be a new domain tree in an existing forest.

>> !
Answer: D

You can cause a two-way transitive trust to be established with the option that the new domain you are creating will be a new domain tree in an existing forest. You use this design when you want to create a second domain tree in the forest because the root domains of the trees have non-contiguous domain names. You do not manually set up a Kerberos V5 trust relationship between the two existing trees. Instead, you allow Kerberos to manage the trusts by simply indicating this new domain tree will be part of an existing forest. You never manually configure the Key Distribution Center (KDC) of each root domain to trust a foreign Kerberos V5 realm. "Realm" in Kerberos terminology is the "domain" in Active Directory terminology. A foreign realm refers to a non-Windows 2000 Kerberos realm.
It is possible to set up explicit trusts between foreign realms, UNIX and Windows 2000 for example. Since the two trees of this scenario are both in the same Active Directory forest, and you are initiating the basic transitive trusts between them, you do not begin by setting up explicit trusts, which are also called shortcut trusts. The explicit trusts are set up once the second domain tree is part of the forest. And, explicit trusts will only be set up if the trust path proves to be slow for some particular group or groups in one domain attempting to reach some specific resources in another domain in another tree.


46. You have been hired as a consultant to assist S&S in designing an Active Directory architecture. After analyzing the current network and the company's plans for integrating Windows 2000 into its network, you recommend that S&S implement a single Windows 2000 domain. You learn that management wants to ensure that internal resources are not available from the Internet. What naming strategy should you recommend for the Active Directory root domain as well as internal and external resources of S&S?

A. Use a delegated DNS subdomain name for the Active Directory root domain and internal resources. Use the existing DNS domain name for external resources.
B. Use the existing DNS domain name for the Active Directory root domain and for resources at the corporate office and a new DNS domain name for each hotel.
C. Use the existing DNS domain name for internal and external resources and for the Active Directory root domain.
D. Use a new DNS domain name for the Active Directory root domain and for internal resources and the existing DNS domain name for external resources.

>> !
Answer: A

You should recommend that S&S use a delegated DNS subdomain for the Active Directory root domain and the internal resources defined as Active Directory objects. This will help ensure that there is no access to internal resources from the Internet. You should not recommend that S&S use the same DNS domain name for internal and external resources and the Active Directory root domain, since you want to prohibit access to internal resources from the Internet. You should not recommend that S&S use a new DNS domain name for the Active Directory root domain and for internal resources and the existing DNS domain name for external resources. There is no business reason to use a separate DNS name for the Active Directory root domain and for internal resources. Instead, a subdomain of the existing DNS domain name should be used for the Active Directory root domain.
There is no reason given to use the existing DNS domain name for the Active Directory root domain and for resources at the corporate office and a new DNS domain name for each hotel. Based on the IT support structure, a single Active Directory domain will help to reduce administrative complexity. Organizational Units (OUs) can be implemented to organize Active Directory objects by hotel, if needed.

1.3.4. Analyze factors that influence company strategies. Identify the company's tolerance for risk. 3.2.1. Design an Active Directory naming strategy. Establish the scope of Active Directory.


47. You have been hired as a consultant to assist MedDev in designing an Active Directory architecture. After analyzing the current network and the company's plans for integrating Windows 2000 into its network, you recommend that a single Windows 2000 domain be created for each country. You also recommend that Domain Name System zones be Active Directory-integrated zones to take advantage of Active Directory replication. What recommendation should you make regarding the configuration of the Domain Name System (DNS) zones?

A. Configure a domain controller in the root domain that is running the DNS server service with a DNS Active Directory-integrated zone for each Active Directory domain in the forest.
B. Configure a single DNS zone on a domain controller in the root domain that is running the DNS server service. Create subdomains for each Active Directory domain in this zone. Install the DNS server service on a domain controller in each Active Directory domain. Convert the zone to an Active Directory-integrated zone.
C. Configure a DNS zone for the Active Directory root domain on a domain controller in the root domain that is running the DNS server service. Delegate a subdomain for the appropriate Active Directory domain for each country to a computer that is running the DNS server service in that country and promote the computer to a domain controller for the appropriate domain. Convert the DNS zones to Active Directory-integrated zones.
D. Configure a DNS zone for the Active Directory root domain on a domain controller in the root domain that is running the DNS server service. Delegate a subdomain for the appropriate Active Directory domain for each country to a computer that is running the DNS server service in that country and promote the computer to a domain controller for the appropriate domain. Convert the DNS zones to Active Directory-integrated zones. Configure each domain controller in the forest that is running the DNS server service to host a zone for each domain in the forest.

>> !
Answer: C

You should configure a DNS zone for the Active Directory root domain on a domain controller in the root domain that is running the DNS server service and delegate a subdomain for the appropriate Active Directory domain for each country to a computer that is running the DNS server service in that country. You should then promote that computer to a domain controller for the appropriate domain and convert the DNS zones to Active Directory-integrated zones. Since the zones are to be Active Directory-integrated zones and the DNS data is kept in the domain partition of Active Directory, you want to make data for the related zone available in each Active Directory domain. You should also install the DNS server service on each domain controller so that each domain controller can respond to DNS queries and update requests. You should not configure the zones for all domains on a domain controller in the root domain that is running the DNS server service.
Since the DNS data is replicated as part of the domain partition, the DNS data will not be available on the DNS servers in the child domains. You should not configure a single DNS zone on a domain controller in the root domain that is running the DNS server service, create subdomains for each Active Directory domain in this zone, and install the DNS server service on a domain controller in each Active Directory domain. Since the DNS data is replicated as part of the domain partition, the DNS data will not be available on the DNS servers in the child domains. You should not configure each domain controller in the forest that is running the DNS server service to host a zone for each domain in the forest. Since the DNS data is replicated as part of the domain partition, the DNS data will not be available on the DNS servers in the child domains.

3.2.3. Design an Active Directory naming strategy. Plan DNS strategy.


48. Based on the information you have collected from the company, what would you say are the best reasons to recommend a Windows 2000 Active Directory based network to the company? (Choose all that apply)

[view the scenario]

A. There will be an increased capacity to standardize applications both on a department and location level.
B. There will be an increased capacity to standardize configurations throughout the company.
C. There will be an increased capacity to enhance the security of current client systems that are in use on the network.
D. The company will realize significant cost savings in the first several months after implementation.

>> !
Answer: A & B

Based on the background information provided by the company, these are the best reasons to recommend a Windows 2000 network to the company.


49. You have been hired as a consultant to assist FI-Print in designing an Active Directory architecture. During your initial analysis of business processes at FI-Print, you learn that each division is managed by an Executive Vice-President and that each business unit of each division is managed by a General Manager. You learn that there are three departments in the Typesetting Services business unit in each division - Production, Sales, and Human Resources. You also learn that there is an Information Technology (IT) staff at the main office of each division that manages all computing and networking resources for the division. Which one of these criteria should you use when designing the top-level organizational units (OUs)?

A. The Information Technology staff manages all computing and networking resources for each division.
B. Each of the divisions is managed by an Executive Vice-President.
C. Each business unit is managed by a General Manager.
D. There are three departments in the Typesetting Services business unit in each division.

>> !
Answer: A

You should design the top-level OUs based on the computer and networking support structure. Since there is an IT staff for each division, you should create an OU for each division. You should not design the top-level OUs based on the company management structure. Neither the fact that each division is managed by an Executive Vice-President nor that each business unit is managed by a General Manager should drive the top-level OU design. You should not design the top-level OUs based on how departments are structured unless the computer and networking support structure aligns with the departments. 2.2.3. Analyze the impact of Active Directory on the existing and planned technical environment. Analyze technical support structure. 3.3.1. Design and plan the structure of organizational units (OU). Considerations include administration control, existing resource domains, administrative policy, and geographic and company structure. Develop an OU delegation plan.


50. Sales managers use the company intranet to obtain their daily sales totals by accessing contoso.com. Customers download drivers over the Internet by accessing public resources at contoso.com. How are the employees and the customers both able to access resources using the same domain name?

A. A separate internal DNS name is used to represent the Active Directory root domain.
B. Contoso.com has two separately managed DNS zones.
C. The internal name structure has an alias.
D. The public DNS server is configured to forward all requests to an internal DNS server.

>> !
Answer: B

Contoso.com has two separately managed DNS zones with the same name, contoso.com. This method requires a lot of administration, as two zones are being maintained and the web server and FTP server are probably being mirrored to the private, internal side. A separate internal DNS name is not being used to represent the Active Directory root domain; both are using contoso.com. Internal names (for intranets) are not set up as aliases. They must have an authentic DNS domain name. However, an alias can be used if a host resource record (A) exists to which the alias refers. Forwarding requests from the public DNS server to the internal DNS server is not a correct procedure.


51. The company has one branch office using dial-on-demand to connect their RRAS server to the company's RRAS server. What replication strategy should you use for this branch office in your Active Directory design?

A. Make the office a site and use SMTP as the transport method.
B. Make the office a site along with the nearest LAN location.
C. Remove the dial-on-demand RRAS server from the office.
D. Place a global catalog server in the office and remove the dial-on-demand RRAS server.

>> !
Answer: A

The SMTP transport method must be used with the office that has no persistent connection. The dial-on-demand RRAS server can perform replication with the company's RRAS server if a connection is scheduled. Once the connection is established, replication using RPCs can occur. It is incorrect to create a site with the nearest LAN location and the dial-on-demand location. You cannot include a location with intermittent connections as part of a site that has good connections. You cannot remove the dial-on-demand RRAS server from the office because no allowance was made in the scenario for changing the placement of RRAS servers, only the replication strategy. It is important to have a global catalog domain controller in a site, and you probably will make a site at this office. However, you should not remove the domain controller because the question asked about the replication strategy, not the placement of domain controllers.


52. Which of the following describes the purpose of a vision/scope document?

A. Defining the business problem or opportunity
B. Defining risk contingency plans
C. Documenting the logical network
D. Providing the data needed to design a site topology

>> !
Answer: A

Defining the business problem or opportunity is the purpose of the vision/scope document. Before a design can begin, the scope document should already be guiding and defining the project. Specifics such as risk contingency plans, documenting the logical network and maintaining the network data required for site design are all details of the design project. They are not part of the vision/scope document, which defines and guides the design project.


53. The users' work requirements for a national consulting company change dynamically depending on the project to which they are currently assigned. You have been asked to create an Active Directory plan that will reduce the support costs of responding to the distributed computing environment. As a designer, how should you fulfill the business need to reduce support costs of the distributed computing environment?

A. With Site topology
B. With hierarchical domains
C. With Group Policy
D. With Software Installation and Maintenance

>> !
Answer: C

You will use Group Policy to reduce the support costs of the distributed computing environment (desktops). Group Policy can be used to manage users' data with folder redirection or offline folders. Software can be installed, maintained, or removed using Group Policy. Users' access to resources can be changed from a central administrative point. Users can be moved to another organization and their desktop environment can change to reflect the needs of the new organizational unit they join. Site topology is a way to manage domain replication. It won't manage the distributed computing environment. Hierarchical domain structures assist in isolating administrative authority or the logon and query needs of users. They don't assist in managing users' desktops or in reducing the costs of managing desktop environments. Software Installation and Maintenance is a component of Change and Configuration Management, which is designed using Group Policy. So it is a wrong answer only because it isn't broad enough to be a complete answer.


54. Contoso Ltd. has a single-domain Active Directory structure. Each branch office has its own group of administrators. Users in each branch office require different software applications. Software needs are based on job roles. Additionally, all users who travel with laptops require a public key policy. How can you structure the organizational units (OUs) to support these administrative and Group Policy needs? (Choose all that apply)

A. Create an OU for each job role, and apply a GPO for software deployment to the job role OUs. Apply another GPO for public key policy settings to the job role OU.
B. Create an OU for each branch office. Create an OU for each job role within each branch office OU. Apply a GPO for software deployment to each job role OU.
C. Create an OU for laptops and create a GPO for public key policy settings.
D. For each branch office create an OU. Apply a GPO for public key policy settings to each branch office OU.
E. Create an OU for each job role. Within the job role OU, create an OU for each branch office. Apply a Group Policy Object (GPO) for software deployment to the branch office OU.

>> !
Answer: B & C

You will correctly create OUs for branch offices so that administrators in the branch offices can be delegated authority for their locations. Since software is distributed by job role, you'll need OUs by job role in each branch office. This hierarchy is by location, then function. You will also correctly create an OU and Group Policy object (GPO) for public key policy for the laptops. Since only the laptops need the policy, and since they come from various structures of the organization, you are creating their OU at level one, like the branch offices. Creating the job role OUs at level one of the hierarchy, with branch offices at level two, is going to require a lot of redundancy at level two. Location is properly created at level one. Function is at a lower level of the hierarchy. Don't put the Group Policy object (GPO) for public key policy at each branch office OU. Instead, put the GPO at the highest level possible without unnecessarily including objects that don't need the policy. Creating an OU for each job role, applying a Group Policy object (GPO) for software deployment to the OUs, and applying another GPO for public key policy does not fit with any other answer option to correctly complete the job.


55. Changes are being proposed to the Schema Modifications Policy committee. Which of the following schema modifications issues is the most critical and should be addressed by the committee first?

A. ADSI scripting procedures
B. Replication latency that has been documented
C. All objects with multi-valued attributes
D. The scheduled upgrade to Microsoft Exchange 2000

>> !
Answer: D

The key to the right answer here is the "scheduled" Exchange upgrade. The Exchange upgrade to Windows 2000 will require modifications to the schema that are Exchange-specific. The three other answers are also issues that should be addressed by the Schema Modifications Policy committee. However, the scenario asks for a judgment call. The fact that the Exchange upgrade is already scheduled means action is required now. ADSIEdit is the interface tool for the ADSI. The ADSI uses a standard set of interfaces that client applications can access without getting into the details of the data store and protocols of directory services. Replication latency is an issue with schema modifications because all domain controllers will be receiving the changes. Sometimes the new object of the Active Directory reaches a domain controller before the class and attribute changes do.
Again, this issue should be addressed by the Schema Modifications Policy committee, but it is not the most critical issue. Schema objects have attributes. To define the attribute of an object, there is an attribute-schema object that sets the properties of an attribute. One of the properties is whether or not an attribute can have multiple values. A committee for schema modifications will probably need to address the necessity of multi-valued attributes of each schema object's attributes.


56. Which of the following roles serves as the customer advocate on the central planning team you will create?

A. Logistics Management
B. Development Manager
C. Testing
D. User Education
E. Product Manager
F. Program Manager

>> !
Answer: E

The Product Manager will serve as customer advocate on your central planning team. If this is an internal customer planning team, then the customer is the corporation of which the central planning team is a part. If this is an outside consulting team, then the customer is the enterprise for which you are contracted to prepare the upcoming Windows 2000 project. Note: the product manager and staff own the vision statement also. The Program Manager of your central planning team sees that resources are provided to the team in order to make the project successful. The Development Manager of the central planning team oversees the technical areas of the design. This person is responsible for the building and/or implementation of the design.
Testing, of course, carries out the testing of all proposed features of the design. This includes the Test Plan and the documents for implementing the testing. User Education's responsibility is to participate in the Active Directory design and then to prepare users for productivity with training. Besides productivity, another goal of user education is to reduce support costs incurred at the help desk. Logistics management works closely with the development manager to prepare for and execute the actual rollout.


57. Which three of the following will impact the design of your Active Directory hierarchy? (Choose all that apply)

A. All business orders are processed with preprinted multi-part forms.
B. The accounting department has its own information technology (IT) staff.
C. The users in the research department have unique user account restrictions.
D. Corporate executives request central management of systems.
E. The organization maintains an intranet to distribute information among employees.
F. The majority of the printers are local printers. Network printers are in headquarters.
G. Outlying locations are wired with category 3 cabling. Headquarters, in two buildings, uses category 5 cabling.

>> !
Answer: B, C & D

Since the accounting department has its own IT staff, you will need to provide an organizational unit (OU) for the accounting department. You will then delegate control of the OU to the accounting IT staff. The unique account restrictions of the research department will be a domain-level issue, so this will impact the number of Active Directory domains. The corporate business requirement is to have central management of systems. This means you must design a way for IT administration to be centralized, so the authority will be at the domain level. The intranet will not impact the Active Directory design. Printers' locations, local and networked, do not impact the Active Directory hierarchy design. The type of cabling used for LANs is not a factor in Active Directory hierarchy design. Printing of business forms is not a factor in Active Directory hierarchy design. Things you should consider that are going to affect the design of your Active Directory are the name of the root domain and whether it has an Internet presence, the schema policy required, additional domains (and related hardware expenses) required at a future date, and the physical features of your network.


58. Which two designs will accommodate unique password requirements? (Choose all that apply)

A. A forest with multiple domains in multiple trees
B. A forest with a single domain and three sites
C. A forest with a single domain and two sites
D. A forest with a single domain with OUs that separate policy
E. A forest with multiple domains in a single tree

>> !
Answer: A & E

Since password requirements are at the domain level by architectural design of the Active Directory, you will be creating new domains for each unique password requirement. Therefore, correct answers require multiple domains. Two of these answers have multiple domains, the forests with either a single tree or multiple trees. All single domain answers fail to satisfy the password requirement.


59. You are a member of the corporate IT department of S&S. While analyzing the current network and the company's plans for integrating Windows 2000 into its network, you learn that upper management wants to ensure that only specific individuals are able to access the corporate remote access server from each hotel. A consultant has recommended that the remote access server at the corporate office be replaced with a computer running Windows 2000 Server. You recommend that a new remote access policy to govern connections from the hotels be defined to allow only smart card authentication. What authentication protocol should you enable in the remote access profile of the new remote access policy to support smart card authentication?

A. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
B. Challenge Handshake Authentication Protocol (CHAP)
C. Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2)
D. Extensible Authentication Protocol (EAP)

>> !
Answer: D

You should enable EAP to provide support for smart card authentication. Enabling EAP provides support for the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol, which is used for smart card authentication. MS-CHAP can be used as an authentication protocol for a remote access server, but it does not support smart card authentication. MS-CHAP v2 can be used as an authentication protocol for a remote access server, but it does not support smart card authentication. CHAP can be used as an authentication protocol for a remote access server, but it does not support smart card authentication. 2.1.7. Evaluate the company's existing and planned technical environment. Analyze security considerations.


60. You are a member of the corporate IT department of S&S. While analyzing the current network and the company's plans for integrating Windows 2000 into its network, you learn that your manager wants to implement a new Windows 2000 domain rather than upgrade the existing Windows NT 4.0 domain. Your manager wants to be able to revert to the Windows NT 4.0 domain if necessary. You and two other members of your department are responsible for developing a plan to migrate user and group accounts from the existing domain. What utility should you use to extract accounts from the Windows NT 4.0 domain?

A. NetDom
B. SIDWalk
C. Addusers
D. Security Migration Editor

>> !
Answer: C

You should use the utility addusers.exe with the /d switch. The /d switch allows you to dump user and group accounts from a Security Accounts Manager (SAM) database to a comma-delimited file. You can then use addusers with the /c switch to create accounts in Active Directory using the comma-delimited file as your data source. You use the Security Migration Editor to map users and groups in a mapping file to new users and groups. You use the utility showaccs.exe to create the mapping file of all the users and groups that appear in Access Control Lists (ACLs) on a computer. You use the utility SIDWalk.exe as the final step in migrating permissions from one domain to another domain. SIDWalk uses the data in the mapping file after the file is processed by the Security Migration Editor. You use the utility NetDom.exe to migrate computer accounts from one domain to another. 1.3.4. Analyze factors that influence company strategies. Identify the company's tolerance for risk. 3.7. Design an Active Directory implementation plan.


61. You are a member of the central planning team for your organization's Active Directory structure. The functional specification document is now complete. What is the next step?

A. Develop a group policy plan.
B. Create the first domain controller in the organization's forest.
C. Test the design.
D. Create the deployment plan.

>> !
Answer: C

After the functional specification document is prepared, the next step is to test the design. The functional specification describes exactly what the project is expected to include and what deliverables are promised. It is the guide for the remainder of the project: testing, development, user training, and the logistics of implementation. Creating the deployment plan is the responsibility of the Project Manager's staff. It is not the next step after the functional specification is ready because testing is the next step. Creating the first domain controller in the organization's forest is a deployment step, which falls under Logistics Management. Developing a group policy plan, along with the schema design, domain structure, administrative authority, and site topology all occur before the functional specification.


62. Which strategy for delegating administration and assignment of Group Policies should you use?

A. Specify permissions and Group Policy at the highest OU possible and allow them to flow down the hierarchy by inheritance.
B. Specify permissions and Group Policy at the domain level and allow them to flow down the hierarchy by inheritance.
C. Specify permissions at the OU level and specify Group Policy at the domain level.
D. Specify permissions and Group Policy at the OU level and block inheritance.

>> !
Answer: A

Specifying permissions and Group Policy at the highest OU possible and allowing them to flow down the hierarchy by inheritance is the recommended way to apply management of Group Policy, both from the administrative viewpoint and the assignment of policy viewpoint. This is the efficient way to make use of the hierarchical design. "Highest OU possible" does not mean put all the GPOs at the domain level or site level, so the answer that applies all policy at the domain level is wrong. To apply the policy at the highest level possible means applying it to all OUs that contain objects to which the policy pertains. If a higher level OU has objects that don't get the policy, then apply it on an OU one level lower. The exception, of course, is when you can't avoid objects receiving certain policy. In this case you will use filters to exempt those groups from the policy.
The answer that puts permissions at the OU level and all GPOs at the domain level is alluding to the filter concept; however, this answer is incomplete and wrong. Specifying permissions and Group Policy at the OU level and blocking inheritance is an incomplete and therefore wrong answer. Note: blocking of inheritance is correctly done at the OU level. However, the answer is wrong because it is incomplete.


63. You are a member of the IS team responsible for the network infrastructure and servers that belong to the Windows 2000 domain for the MedDev operations in the United States. You are trying to optimize the performance of one of the domain controllers for your domain, DC-USA1. You need to determine to which other domain controllers DC-USA1 is configured to replicate data for each Active Directory partition. What utility should you use to obtain this information with the least amount of administrative effort?

A. Active Directory Sites and Services
B. Active Directory Domains and Trusts
C. Dsastat
D. Replication Monitor

>> !
Answer: D

You should use the Replication Monitor utility (replmon). Replmon allows you to display a graphical representation of the replication topology. You can also use replmon to force replication to occur between replication partners. You use the Active Directory Sites and Services console to view and manage the connection objects for domain controllers. The connection objects define the other computers from which a computer receives data, but you cannot readily view the domain controllers to which a computer sends replication data. You use the Active Directory Domains and Trusts console to view domains in an Active Directory forest. It also allows you to view and manage trust relationships between domains. You can use this console to convert a domain to native mode. You use the dsastat utility to compare the naming contexts on two domain controllers to see if they are consistent with each other. 3.5.1. Design an Active Directory site topology. Design a replication strategy.


64. You are a member of the corporate IT team of FI-Print. You are responsible for working with the divisional IT teams to plan a security strategy to control access to the confidential financial information that customers submit to each FTP site. The consultant who is helping design the Active Directory architecture for your enterprise recommends that a single Active Directory domain be created for FI-Print and that an organizational unit (OU) be created for each division. The consultant also recommends that an OU be created within each divisional OU for each business unit, TS and CCS.
You want to ensure that only those who are working on jobs for specific customers can access the data for that customer. Employees in the Production department are assigned to work on jobs for only one customer at a time. Each employee works on all the jobs for that customer. After customers submit data to the FTP server, the data will be transferred to a computer running Windows 2000 Server that is a member of the FI-Print Active Directory domain. How should you configure access to the customer data?

A. Create a universal security group for each customer. Add the user accounts for the production employees who are working on customer jobs to the appropriate universal group. Create a domain local security group for each job. Add the universal group defined for the appropriate customer to the domain local group for the job. Assign the domain local group the NTFS Read permission for the customer data for the job.
B. Create a global security group for each customer. Add the user accounts for the production employees who are working on customer jobs to the appropriate global group. Create a global security group for each job. Add the global group defined for the appropriate customer to the global group for the job. Assign the global group for the job the NTFS Read permission for the customer data for the job.
C. Create a universal security group for each job. Add the user accounts for production employees who are working on a job to the appropriate universal group. Create a global security group for each customer. Add the universal group to the appropriate global group. Assign the global group the NTFS Read permission for the customer data for the job.
D. Create a global security group for each customer. Add the user accounts for the production employees who are working on customer jobs to the appropriate global group. Create a domain local security group for each job. Add the global group defined for the appropriate customer to the domain local group for the job. Assign the domain local group the NTFS Read permission for the customer data for the job.

>> !
Answer: D

You should create a global security group for each customer and add the user accounts for the production employees who are working on customer jobs to the appropriate global group. Create a domain local security group for each job. Add the global group defined for the appropriate customer to the domain local group for the job. Assign the domain local group the NTFS Read permission for the customer data for the job. Since each employee works on all jobs for a customer, grouping the employee accounts by customer simplifies giving access to the data for each job. Creating a domain local group for each job simplifies granting permission to the data if the data for jobs are stored on different servers. The recommended procedure is to gather user accounts into global security groups, create domain local groups to which you assign rights and permissions, and then add the global groups to the appropriate domain local groups.
You should not create a universal security group for each job or for each customer. Since all of the Production employees are members of the same domain, you do not need to use universal groups. Also, the membership of a universal group is replicated to all global catalog servers, so you should avoid creating universal groups whose membership is subject to change frequently. You should not create a global security group for each customer and a global security group for each job, nest the customer global group into the job global group, and assign the Read permission for the data to the global group for the job. Permissions should be assigned to domain local groups, not global groups. 1.3.3. Analyze factors that influence company strategies. Identify relevant laws and regulations. 2.1.7. Evaluate the company's existing and planned technical environment. Analyze security considerations.


65. You are a member of the corporate IT team for the F&T division of GoShop. Your team is tasked with developing an Active Directory architecture for GoShop. You recommend that GoShop implement a single Windows 2000 domain. What recommendation should you make about creating top-level and second-level organizational units (OUs)?

A. Create five top-level OUs, one for corporate and one for each region. Within each OU, create one OU for each department.
B. Create one OU for each store. Within each OU, create one OU for F&T and one OU for each department.
C. Create three top-level OUs, one for each division. Within each OU, create one OU for each region.
D. Create eight top-level OUs, one for F&T and one for each department. Within each OU, create one OU for corporate and one OU for each region.

>> !
Answer: C

You should recommend that three top-level OUs be created, one for each division. You should also recommend that within each top-level OU, an OU be created for each region. This aligns with the distribution of IT teams. You should consider the IT department responsibilities when designing an OU hierarchy. The OU hierarchy can be used to delegate responsibility to the appropriate individuals. You should not design the OU hierarchy based on the company management model if the computing administration model does not align directly with the business model. The corporate-level IT team in the F&T division is responsible for company-wide policies and procedures. They can implement these at the domain level.
You should not recommend that five top-level OUs be created, one for corporate and one for each region, with an OU for each department in each of the top-level OUs, since the IT support structure does not map to this structure. You should not recommend that eight top-level OUs be created, one for F&T and one for each department, with an OU for corporate and an OU for each region in each of the top-level OUs. The IT support structure does not map to this structure. You should not recommend that a top-level OU be created for each store with each top-level OU containing an OU for F&T and one for each department. The IT support structure does not map to this structure. 1.3.2. Analyze factors that influence company strategies. Identify the projected growth and growth strategy. 3.1.2. Design an Active Directory forest and domain structure. Design a domain structure.


66. You are a member of the corporate IT team for the F&T division of GoShop. Your team is tasked with developing an Active Directory architecture for GoShop. What structure should you recommend for the company's Active Directory forest?

A. A single domain
B. Two domains - one for the corporate office and one for all of the stores
C. Three domains - one domain for each of the three divisions
D. Five domains - one domain for the corporate office and a child domain for each region

>> !
Answer: A

You should recommend that GoShop implement a single Active Directory domain. Since the scenario does not mention any unique password or account requirements, a single domain should be implemented. Whenever possible, Active Directory should be implemented as a single domain, both for ease of administration and for flexibility. The corporate management team wants a computer environment that supports future growth, and a single domain can support that growth as well as provide flexibility. You should not recommend that five domains be created, one domain for the corporate office and a child domain for each region.
There are no special requirements or needs mentioned for each region that would support creating more than one domain. You should not recommend that a domain be created for each of the three divisions. There are no special requirements or needs mentioned for each division that would support creating more than one domain. You should not recommend that two domains be created, one for the corporate office and one for all of the stores. There are no special requirements or needs mentioned for the stores that would support creating more than one domain. 1.3.1. Analyze factors that influence company strategies. Identify company priorities. 3.1.1. Design an Active Directory forest and domain structure. Design a forest and schema structure.


67. A company is deciding about DNS options for their new Active Directory design. They have decided to stay with standard zone replication. They want client response time to be optimal and the DNS reliability to be solid. Where should you, the designer, specify placement of the DDNS servers? (Choose all that apply)

A. One secondary DDNS server for each DNS zone for each IP subnet
B. One caching-only DDNS server on the far end of a slow WAN link
C. One secondary DDNS server in each Active Directory site
D. One secondary DDNS server in each DNS domain
E. One primary DDNS server for each DNS zone per Active Directory

>> !
Answer: A, B & E

You should specify one primary DDNS server for the Active Directory namespace somewhere on the network. There should be one secondary DDNS server on each IP subnet. This is for fault tolerance and good performance when clients request name resolution service. A caching-only server should be specified for the remote end of a slow WAN link. Caching-only servers don't create DNS replication traffic because they only remember the name resolutions they have already performed, which prevents repeated requests from crossing the link. Caching-only DDNS servers do not replicate with the primary DDNS server. It is an incorrect design strategy to put one secondary DDNS server in each Active Directory site. Standard zone replication is unrelated to Active Directory sites.
Directory-integrated primary zones are related to Active Directory sites because they are replicated with Active Directory, which is bound by sites. It is also incorrect to base the placement of DDNS servers on the DNS domain. Servers are not placed based on namespace; they are placed to provide accessibility to clients and to distribute the server workload. Note: staying with standard DNS instead of a directory-integrated service is a solution when a company has multiple NT 4.0 servers and/or Windows 2000 member servers that will host the DNS service, because these can only be secondary name servers in a directory-integrated service. To integrate a DNS zone into Active Directory, you must run DNS on a domain controller. And only primary zones can be directory-integrated.


68. A large manufacturing company is evaluating an Active Directory administrative design for their separately managed businesses. The company's headquarters are located in the Midwest in a single location with a well-structured and staffed IT department. The company also has five small subsidiaries scattered throughout the country. Each subsidiary has its own administrative staff for managing its own IT functions. Which Active Directory administrative design strategy would you recommend?

A. Design the hierarchy by organization.
B. Design the hierarchy by location and organization.
C. Design the hierarchy by organization and location.
D. Design the hierarchy by location and function.

>> !
Answer: A

This company's business model suggests IT administration by organization. They will want to continue the administration of each subsidiary by its own staff. Organization is a stable model for the administrative hierarchy in this scenario because it is unlikely that the subsidiaries will be reorganized. Even though the IT department is well structured, suggesting central administration, the separately managed subsidiaries make a hierarchy by geographically dispersed location and then by function inappropriate. A hierarchy by location and then organization is appropriate when the company's administrative structure is by organization and that organization is distributed widely by geographic location.
You can create domains by location and represent organization with organizational units. Developing the administrative hierarchy by organization and then location is appropriate when the physically distributed business units have a need for distinct security policies. The separate domains allow for different security policies, and the organizational unit division provides the division by location within the security boundary of the domain. For example, manufacturing can be one domain with multiple locations represented by organizational units. Another department can be a second domain with multiple locations represented by organizational units.


69. Administrators from headquarters need to access My Documents when logging in from a branch office over a 128K wide area network (WAN) link. They require that certain network drives be mapped regardless of where they log on. Which two Group Policy settings must you enable over the WAN link? (Choose all that apply)

A. Security Settings
B. Administrative templates
C. Logon/Logoff and Startup/Shutdown Scripts
D. Folder redirection

>> !
Answer: C & D

You want to configure Group Policy so that when a slow link is detected, the policy will not be applied. Certain policy settings can be set for slow link detection; some cannot. So, the correct choices from the answers provided are Logon/Logoff and Startup/Shutdown Scripts and Folder Redirection. Their settings can be changed so the policy will only be applied when adequate network bandwidth is available. Two other types of policy that work similarly, because they can be set to work only when adequate bandwidth is available, are Software Installation and Maintenance and Internet Explorer Maintenance. Regardless of the network link speed, there are other policies that will be applied to the computer account and/or user account upon an authentication request to the domain. They are Security Settings and Administrative Templates.


70. After analysis of the technical support structure, you are now designing the delegation plan for your single domain organization. You determine that the administrative model for the organization will be a central information technology (IT) group for infrastructure, domain policies and global groups, server maintenance, and troubleshooting. Local administrators at each branch will handle all other administrative functions under the direction of the central IT group. Within each branch, security and software policies will be determined by the local administrator. What type of permissions should you assign to the branch administrators for the branch OUs?

A. Full control
B. Change
C. Create, delete and manage user accounts
D. Create all child objects
E. Write

>> !
Answer: A

Full control will be required for the administrators in the branch offices. Their responsibility includes setting security and software policies. Full control allows them to create and delete all child objects in their own branch's OU, plus the Read and Write permissions. Change is a share permission set in Windows Explorer on a shared folder. Create, delete and manage user accounts is a permission option that the Delegation Wizard offers. This wording is not available on the Security tab (permissions) of the Active Directory object. In either place, managing user accounts is not adequate authority for the local administrators. Create all child objects is an option on the Security tab (permissions) of an Active Directory object. However, it is not adequate authority for the local administrators. Write permission isn't adequate authority for the local administrators who are in charge of software and security policies.


71. An administrator wants to grant the help desk staff the ability to modify the Group Policy settings that affect software which has been installed on computers in the Sales department. The help desk staff should not be able to change permissions on the GPO. The computer accounts for the sales department are located in the Sales organizational unit (OU). How should you provide the help desk staff the right to modify the GPO?

A. Create a GPO for Sales and grant the help desk administrators Write access to the GPO.
B. Add the help desk administrators to the Account Operators security group.
C. Create a GPO for Sales and grant the help desk administrators Write access to all objects in the domain.
D. Create a GPO for Sales and grant the help desk administrators Full Control access to the Sales OU.

>> !
Answer: A

To modify the settings of the software policy, the help desk staff needs Write access permission on the GPO created for the Sales OU. They will not have the authority to create GPOs, just to modify the GPO created for the Sales OU. The administrative control of the GPO defaults to the built-in administrator groups. They get Read, Write, Create all Child Objects and Delete all Child Objects by default. If you want a non-administrative person to modify the settings of the GPO, you will need to add them to the discretionary access control list (DACL) and add the Write permission. Read is applied by default when you add this group. You do not give the help desk staff Full Control permission or Write access to all objects in the domain. This is too much power. You do not add them to the Account Operators security group for the purpose of authorizing them to modify the Sales GPO. In the new Active Directory architecture, delegation of authority can be much more specific and narrow in scope than the NT default groups, such as the Account Operators security group, allowed.


72. An organization has an Active Directory root domain name of publications.com. It is a well-known Internet name. The child domains in the domain tree are books.publications.com and magazines.publications.com. The organization acquires a radio news company whose Internet presence name is firstnews.com. They are still running NT 4.0 on all their servers. The organization wants to keep both DNS domain names and upgrade the new radio news company to Active Directory without a restructure. Which forest design should you use to accommodate their DNS strategy?

A. A second domain tree for the news radio company
B. A child domain of publications.com for the news radio company
C. An empty root above publications.com and firstnews.com
D. A second forest for the news radio company

>> !
Answer: A

A second domain tree for firstnews.com will allow you to keep each organization's DNS name. When you add the second domain tree, you identify the forest root domain, which is publications.com. That allows the transitive trusts of the forest to be set up automatically. A second forest for the news radio company is not the correct way to keep each organization's DNS name. Explicit external trusts will have to be set up between the domains of the two forests. You cannot incorporate the second company's DNS name into the current Active Directory and maintain the existing paths to their resources. Therefore a child domain of publications.com is incorrect. To create an empty root above publications.com and firstnews.com would be a restructure of all domains. So this is an incorrect answer.


73. As you begin analysis for a new Windows 2000 project, where should you apply the organization's total cost of ownership data?

A. To the vision and scope statement maintained by the Product Manager
B. To the testing documentation that outlines specifications for testing and results
C. To the functional statement that establishes agreement and deliverables
D. To the risk assessment document that attempts to minimize the possibility of loss

>> !
Answer: A

The vision and scope statement is a document prepared before the Active Directory design begins. This is the correct place to include the total cost of ownership data because this is where the expectations are set. One of the major reasons for deploying Windows 2000 is to reduce the cost of the technology infrastructure. Consensus on the vision is necessary because without executive buy-in, the Active Directory project will not have the support required for deployment. The cost of ownership data justifies the effort and expense the project will entail. The testing specifications are not the correct place for total cost of ownership. In the testing labs, the network and applications will be benchmarked against the expectations of the design. Cost is not justified here; technology is tested. The functional statement is not the correct place for total cost of ownership data. The functional statement is the blueprint of the Active Directory design. It directs the everyday work, and it is modified as needed during the phases of the project. The risk assessment document is a working document, just like the functional statement. It must be updated during the phases of the project. It is not the correct place for the total cost of ownership. Justification for a new project, including reduction of costs, rightfully belongs in the vision and scope documentation.


74. Which one of the following factors would require you to create an additional domain?

A. The need to have a distinct security boundary between different information technology (IT) groups.
B. The size of the Active Directory database.
C. The need to have departmental resources managed by departmental employees.
D. The number of physical locations and the need to replicate across wide area network (WAN) links.

>> !
Answer: A

The domain is the security boundary. If you find that somewhere the rules will be applied differently, then a new domain should be created. One possible reason is that the domain will be administered by a different group. Another possible reason for creating a new domain is that password and account lockout policy will be handled differently. Since these two are set at the domain level, a new domain is the only way to implement a different policy. The size of the Active Directory database is no longer an issue like it was when the SAM database had a size limit. The Active Directory database is extensible because of its domain partitions. If you find businesses need to have departmental resources managed by departmental employees, you will implement this requirement with organizational units, not domains. Physical network issues, like slow links, are managed with sites, not domains.


75. Which two of the following are reasons a company should register its Active Directory root domain name with Internet Corporation for Assigned Names and Numbers (ICANN)? (Choose all that apply)

A. Each DNS domain requires an Active Directory domain.
B. To register the name in case it needs to be exposed to the Internet in the future.
C. Internet Corporation for Assigned Names and Numbers (ICANN) maintains control of domain names only at the corporate level.
D. The Active Directory root domain name identifies internal corporate resources.
E. Internal DNS servers require a registered DNS domain name.

>> !
Answer: B & D

The Active Directory root domain is the beginning of all locator services for the corporate directory. If the company ever wishes to use the corporate identity as an Internet presence, it will want the name of its internal Active Directory root domain to be available Internet-wide. Registering the corporate Active Directory root name will assure no one else registers it first for use on the Internet. Each DNS domain does not require an Active Directory domain. One Active Directory domain can serve all the DNS zones in the corporate namespace. The ICANN-registered name represents the corporate root domain level. This refers to the DNS namespace, and with Active Directory services it also represents the root domain of Active Directory. The company has the authority to manage all zones within its DNS namespace. Internal DNS servers are not required to have a globally unique name registered with ICANN. Servers are identified within the namespace hierarchy.


76. You are a member of the corporate IT team for the Clothing division of GoShop. You are testing a new application that is to be installed at all stores. You have tested it in the test lab, but now you need to test it with a wider audience. Because you are not ready to deploy the application yet, you decide to have people test it using Terminal Services. Terminal Services is currently running on a server in Springfield, but it is in remote administration mode. What utility should you use to switch the server to application server mode?

A. Terminal Services Manager in Administrative Tools
B. Terminal Services Configuration in Administrative Tools
C. Add/Remove Programs in the Control Panel
D. Network and Dial-up Connections in the Control Panel

>> !
Answer: C

To switch a computer running Terminal Services from remote administration mode to application server mode, you must use the Add/Remove Windows Components choice in Add/Remove Programs. When you select Next from the Windows Components Wizard dialog box, you will be prompted to select the mode for Terminal Services. You use Terminal Services Configuration in Administrative Tools to create and configure connections on the Terminal Server. You also use it to manage settings for the server. You use Terminal Services Manager in Administrative Tools to monitor Terminal Services users, sessions, and processes. If you run Terminal Services Manager from a client session, you can remotely control the sessions of other users. You use the Network and Dial-up Connections window in the Control Panel to add dial-up connections, configure existing connections, and install additional networking components. 2.2.2. Analyze the impact of Active Directory on the existing and planned technical environment. Identify existing and planned upgrades and rollouts.


77. You are a member of the corporate IT team for the F&T division of GoShop. Your team is tasked with developing an Active Directory architecture for GoShop. You recommend that GoShop implement a single Windows 2000 domain. After analyzing the current network, you determine that the existing T1 lines average about twenty percent utilization. What recommendation should you make regarding the configuration of sites and the placement of domain controllers?

A. Create a single site. Place one or more domain controllers in Springfield and one at each store and distribution center.
B. Create five sites--one in Springfield and one in each region. Place one or more domain controllers in each site.
C. Create one site for Springfield and one for each store. Place one or more domain controllers in each site.
D. Create a single site. Place all domain controllers in Springfield.

>> !
Answer: A

You should recommend that a single site be created. Since all stores and distribution centers are connected to Springfield via a T1 line and the current network has about 20% utilization, there is enough bandwidth available to support intra-site replication among all domain controllers. Configuring a single site will help to reduce latency between domain controllers in the domain. Since there are IT team members at each distribution center, there should be a domain controller at each distribution center to facilitate system administration. Since there are employees from all divisions at each store, there should be a domain controller at each store to optimize logons. Even with a single site, logons will tend to be handled by a domain controller near each user if subnet prioritization is enabled. With subnet prioritization, when a client receives multiple host (A) records from a Domain Name System (DNS) server in response to a query, the client reorders the A records so that any A records on the same subnet as the client are at the top of the list. The client then attempts to contact the computers in the order in which the records appear in this list.
By default, subnet prioritization is enabled for the resolver on computers running Windows 2000 Professional and Server. You can also configure the DNS server service to use subnet prioritization to order records before returning them to a resolver. You should not recommend that a single site be created with all domain controllers located in Springfield. You should place domain controllers in the distribution centers to support the IT team members at the distribution centers. You should place domain controllers at each store to optimize logons for the users at the stores. You should not recommend that five sites be created, one in Springfield and one in each region. Since the current bandwidth is only at 20% utilization, you can support intra-site replication among all locations. You should not recommend that one site be created for Springfield and one for each store. Since the current bandwidth is only at 20% utilization, you can support intra-site replication among all locations. 2.1.4. Evaluate the company's existing and planned technical environment. Analyze performance requirements. 3.5.2. Design an Active Directory site topology. Define site boundaries.


78. You are a member of the corporate IT team for the F&T division of GoShop. Your team is tasked with developing an Active Directory architecture for the enterprise. You recommend that GoShop implement a single Windows 2000 domain, goshop.com. After analyzing the current network, you also recommend that a single site be configured and that domain controllers be located in Springfield, at each distribution center, and at each store. What should you recommend regarding the configuration and placement of Domain Name System (DNS) servers?

A. Configure the DNS zone for goshop.com as a standard primary zone on a DNS server in Springfield. Install the DNS server service on a computer running Windows 2000 Advanced Server at each store and configure each of these computers to host a standard secondary zone for goshop.com.
B. Configure the DNS zone for goshop.com as an Active Directory-integrated zone. Install the DNS server service on each domain controller.
C. Configure the DNS zone for goshop.com as an Active Directory-integrated zone on a domain controller running the DNS server service in Springfield. Install the DNS server service on a computer running Windows 2000 Advanced Server at each store and configure each of these computers as a caching-only server. Configure the computer at each store to use the DNS server in Springfield as a forwarder.
D. Configure the DNS zone for goshop.com as a standard primary zone on a DNS server in Springfield. Install the DNS server service on a computer running Windows 2000 Advanced Server at each distribution center and configure each of these computers to host a standard secondary zone for goshop.com.

>> !
Answer: B

You should recommend that the DNS zone for goshop.com be configured as an Active Directory-integrated zone and that the DNS server service be installed on each domain controller. You should also recommend that each DNS client computer be configured to use a DNS server on its subnet. Configuring the DNS zone as an Active Directory-integrated zone allows you to replicate DNS resource records along with other Active Directory information. Since only the attributes that have changed are replicated, there will be even less DNS replication than with the Incremental Zone Transfer (IXFR) feature of DNS. IXFR replicates only DNS records that have changed, but it does replicate the entire record, not just the modified attributes. Installing the DNS server service on each domain controller allows the domain controllers to respond to DNS queries and registrations. Although all the DNS data is stored on each domain controller in a domain when a zone is Active-Directory integrated, a domain controller cannot respond to requests unless the DNS server service is installed on the domain controller. You should not configure the goshop.com as a standard primary zone on a DNS server in Springfield. This does not allow you to take advantage of Active Directory replication. You should not install the DNS server service on computers at the distribution centers or at each store and configure these computers to host a standard secondary zone for goshop.com.
A computer hosting a standard secondary zone can respond to name queries but cannot create new resource records or process updates for existing records. Updates and new records are processed by the computer hosting the standard primary zone. If you configure the DNS servers at the distribution centers or stores to host a standard secondary zone, all registration requests must be sent to the server hosting the standard primary zone. You should not install the DNS server service on computers at each store and configure those computers as caching-only servers that use the domain controller in Springfield as a forwarder. Again, this does not allow you to take advantage of Active Directory replication. A forwarder is a DNS server to which other DNS servers send requests that cannot be answered from information available in the local DNS server's cache or zones. 1.3.5. Analyze factors that influence company strategies. Identify the total cost of operations. 2.1.1. Evaluate the company's existing and planned technical environment. Analyze company size and user and resource distribution. 4.4.1. Design the placement of DNS servers. Considerations include performance, fault tolerance, functionality, and manageability.


79. You are a member of the corporate IT team of FI-Print. You are responsible for working with the divisional IT teams to plan a remote access strategy for the remote users in each CCS business unit. The existing remote access servers will be replaced with computers running Windows 2000. Where should you recommend that computers running Windows 2000 Server with Routing and Remote Access enabled be installed for these users?

A. At the headquarters office in Dallas and at the main division offices in San Diego, Dallas, and Boston.
B. At the headquarters office in Dallas.
C. At the main division offices in San Diego, Dallas, and Boston.
D. At the TS business unit office in each remote city where CCS customers have copy centers.

>> !
Answer: C

Since each copy center at a customer location has a dial-up connection over a leased line to the main office for the appropriate division, you should enable Routing and Remote Access on a server at the main office for each division. You should not enable Routing and Remote Access on a server at the TS business unit office in each remote city where CCS customers have copy centers to support the CCS employees because the copy centers do not have a dial-up connection to those offices. You should not enable Routing and Remote Access on a server at the headquarters office to support the CCS employees since the copy centers do not have a dial-up connection to that location. You should not enable Routing and Remote Access on a server at the headquarters office and on servers at the main office for each division to support the CCS employees since the copy centers do not have a dial-up connection to the headquarters office. 2.1.2. Evaluate the company's existing and planned technical environment. Assess the available connectivity between the geographic location of worksites and remote sites.


80. You are a member of the corporate IT team of FI-Print. You are responsible for working with the divisional IT teams and the IT team at PSC to plan the enterprise-wide implementation of a standard word-processing application. You determine that all employees of FI-Print who use computers must have this application installed. You also learn that only some of the employees of PSC need this application. You want to maximize the probability that the application will be installed from a server near each destination computer. Also, you want to make it as easy as possible to deploy other applications in the future. A consultant has recommended that the Active Directory forest for FI-Print include two trees, each with a single domain, one for FI-Print and one for PSC. The FI-Print domain will contain three organizational units (OUs), one for each division. The consultant has also recommended that three sites be created: one for computers and users in locations west of the Rocky Mountains (West-site), one for computers and users in locations between the Mississippi River and the Rocky Mountains (Central-site), and one for computers and users in locations east of the Mississippi River (East-site). What Group Policy Object (GPO) configuration should you recommend to implement software deployment procedures?

A. Create four GPOs, one for each OU in the domain for FI-Print and one for the domain for PSC. Configure each GPO to assign the application to users and to deliver the application from a server in the appropriate OU or domain. Link each GPO to the appropriate OU or domain.
B. Create two GPOs, one for the domain for FI-Print and one for the domain for PSC. In the GPO for FI-Print, assign the application to computers. In the GPO for PSC, publish the application. Create a domain Distributed file system (Dfs) for each domain. Create a software distribution point for the application and link the software distribution point to the Dfs root for each domain. Configure each GPO to use the appropriate software distribution point. Configure a replica of the software distribution point on a server in each site.
C. Create one GPO for each site. In each GPO, publish the application and configure it to be delivered from a server in the site. Set up a software distribution point on the configured server in each site. Link the appropriate GPO to each site.
D. Create one GPO for East-site and one for Central-site. In each GPO publish the application and configure it to be delivered from a server in the site. Set up a software distribution point on the configured server in each site. Link the appropriate GPO to East-site and Central-site. Create two GPOs for West-site. In each GPO publish the application. Configure one GPO for the software to be delivered from a server in Boise. Link that GPO to West-site and filter it to be available only to users in the domain for PSC. Configure the second GPO to deliver the application from a server in San Diego. Link that GPO to West-site and filter it to be available only to users in the domain for FI-Print.

>> !
Answer: B

You should recommend the following: Create two GPOs, one for the domain for FI-Print and one for the domain for PSC. In the GPO for FI-Print, assign the application to computers. (Since the application is required by all users in the domain for FI-Print, assigning the application to computers will ensure that the application is installed on all computers.) In the GPO for PSC, publish the application. (Since the application is only required by some users in the domain for PSC, publishing it will allow those who need it to install the application using document invocation or Add/Remove Programs.) Create a domain Dfs for each domain. Create a software distribution point for the application and link the software distribution point to the Dfs root for each domain. Configure each GPO to use the appropriate software distribution point. Configure a replica of the software distribution point on a server in each site. (Dfs is site-aware, so client computers will use a replica in their site.)
You could also use the default domain policy to implement software distribution. Many organizations prefer to create separate GPOs for software distribution. You should not create a GPO for each site and configure the GPO to publish the application. Since all users in the domain for FI-Print require the application, it is more efficient to assign it to the computers so the application will be installed the next time the computer is restarted. You should not create four GPOs - one each for East-site and Central-site with two for West-site - and publish the application in each GPO. Since all users in the domain for FI-Print require the application, it is more efficient to assign it to the computers so the application will be installed the next time the computer is restarted. Also, you should avoid the complexity of assigning two GPOs to a site and filtering application of the GPOs. You should not create four GPOs, one for each OU in the domain for FI-Print and one for the domain for PSC, and configure the GPOs to assign the application to users. Since only a few users in the domain for PSC need the application, it is more efficient to publish it to those users. 1.3.1. Analyze factors that influence company strategies. Identify company priorities. 2.1.5. Evaluate the company's existing and planned technical environment. Analyze data and system access patterns. 2.3.3. Analyze the business requirements for client computer desktop management. Establish the required client computer environment.


81. You are a member of the IS team responsible for Active Directory computer and user accounts for the independent sales reps for MedDev in the United States. You are responsible for defining the configuration and support policies for the computers used by the sales reps. Each sales rep is assigned a territory consisting of one or more states. Each sales rep is assigned a laptop computer on which his customer data is kept. It is important that master copies of all customer-related files used by the sales reps are stored in a central location. To give the sales reps ready access to this information when they are visiting a customer, you decide to enable the Offline Files feature of Windows 2000 on each laptop. The sales reps work out of their homes and connect to the customer data server via a Virtual Private Network (VPN). They often have four or five applications open on their laptops, so you enable the Hibernate feature to allow them to move easily from their home office to customer appointments. How should you configure the synchronization settings on the laptops?

A. Synchronize when logging on only.
B. Synchronize when logging off only.
C. Synchronize periodically in the background.
D. Synchronize when idle only.

>> !
Answer: C

You should configure the laptop computers to synchronize periodically in the background to ensure that the data on the server and on the laptops stays current. Since a user does not log off when he or she puts the computer into hibernation, synchronization will not occur if you configure the computer to synchronize only when logging off. You should not configure the computer to synchronize only when logging on, because you want to ensure that customer information on both the data server and on the laptops stays updated. You should not configure the laptops to synchronize only when idle. Since the sales reps often have multiple applications open, there is a good chance that the computers will not be idle long enough to trigger synchronization. 1.3.4. Analyze factors that influence company strategies. Identify the company's tolerance for risk. 2.3.2. Analyze the business requirements for client computer desktop management. Identify technical support needs for end-users.


82. You are a member of the IS team responsible for the computer and user accounts used by members of the Manufacturing department for the MedDev facility in Ireland. A consultant has recommended that a separate Windows 2000 domain be created for the company's users and computers in Ireland. You have been tasked with developing a proposal for the management of computers on the manufacturing floor. The computer and user accounts are in an organizational unit (OU) named Mfg-OU. You create a global security group named GG-Mfg-Floor that contains the user accounts of members of the Manufacturing department and the computer objects for computers on the manufacturing floor. All of the computers should have the same appearance no matter which user is logged on to the computer. You also want to minimize the amount of disk space in use. What method should you use to manage the computers on the manufacturing floor?

A. Create a Group Policy Object (GPO) to manage all desktop settings and to redirect folders for all users in GG-Mfg-Floor to a common location. Link the GPO to the domain and filter it so that only members of GG-Mfg-Floor are assigned the Read and Apply Group Policy permissions.
B. Configure all user accounts that belong to GG-Mfg-Floor to use roaming profiles. Set up the profiles as mandatory roaming profiles.
C. Create a Group Policy Object (GPO) to manage all desktop settings and to redirect all folders for the users in GG-Mfg-Floor to a common location. Link the GPO to Mfg-OU and filter it so that only members of GG-Mfg-Floor are assigned the Read and Apply Group Policy permissions.
D. Create the home folders for all users in a shared folder on a computer running Windows 2000 Server, configure permissions so each user can access only his or her folder, and enable offline folders on each of the computers on the manufacturing floor. Create a security template to configure the desktop settings. Use the Security Configuration and Analysis tool to apply the template to each computer.

>> !
Answer: C

You should create a Group Policy Object (GPO) to manage all desktop settings and to redirect folders for all users in GG-Mfg-Floor to a common location, link the GPO to Mfg-OU, and filter the GPO so it applies only to members of GG-Mfg-Floor. You should always link a GPO to the OU that is closest to the users. You should not link the GPO to the domain. A GPO should always be linked to the domain or OU closest to the objects to be managed by the GPO. You should not configure all user accounts that belong to GG-Mfg-Floor to use roaming profiles and configure the profiles as mandatory roaming profiles. Each time a user logs on to a computer, a copy of the roaming profile is stored on that computer. This will take up much more disk space than using a GPO and redirecting folders to a server. You should not create the home folders for all users in a shared folder on a computer running Windows 2000 Server, configure permissions so each user can access only his or her folder, and enable offline folders on each of the computers on the manufacturing floor. As with roaming profiles, using offline folders requires more disk storage than it does to keep a single copy on a server. You should not create a security template to configure the desktop settings and use the Security Configuration and Analysis tool to apply the template to each computer. This requires too much administrative overhead as compared to using a GPO. 2.2.2. Analyze the impact of Active Directory on the existing and planned technical environment. Identify existing and planned upgrades and rollouts. 2.3.3. Analyze the business requirements for client computer desktop management. Establish the required client computer environment.


83. You are a member of the IS team responsible for the network infrastructure and servers that belong to the Windows 2000 domain for the MedDev operations in the United States. At the Topeka facility, there are six buildings, each connected to the other buildings by routers. Your team members decide to install a computer running Windows 2000 Advanced Server configured as a domain controller in each building. What feature should you ensure is configured in Windows 2000 Professional and Server to maximize the probability that client computers will contact a domain controller in their own building rather than one in a different building?

A. The weight field of each service (SRV) resource record
B. The priority field of each service (SRV) resource record
C. Subnet Prioritization
D. Round Robin

>> !
Answer: C

You should ensure that subnet prioritization is configured. With subnet prioritization, when a client receives multiple host (A) records from a Domain Name System (DNS) server in response to a query, the client reorders the A records so that any A records on the same subnet as the client are at the top of the list. The client then attempts to contact the computers in the order in which the records appear in this list. By default, subnet prioritization is enabled for the resolver on computers running Windows 2000 Professional and Server. You can also configure the DNS server service to use subnet prioritization to order records before returning them to a resolver. With the round robin feature, the server alternates the order in which A records are sent in response to each request. The A record that is at the top of the list for one response is moved to the bottom of the list for the next response. The round robin feature does not ensure that records from computers on the same subnet as the client are at the top of the list. You should not use the priority value of each SRV record, since all the SRV records for a zone are replicated to all DNS servers for the zone. You cannot configure the priority field for a specific record to have a different value on each DNS server. You should not use the weight value of each SRV record, since all the SRV records for a zone are replicated to all DNS servers for the zone. You cannot configure the weight field for a specific record to have a different value on each DNS server. 1.1.2. Analyze the existing and planned business models. Analyze company processes. Processes include information flow, communication flow, service and product life cycles, and decision-making. 2.1.1. Evaluate the company's existing and planned technical environment. Analyze company size and user and resource distribution.


83. You are a member of the IT staff at the corporate office of BCD Train. You are working with a consultant to determine the best way to manage the computer desktops of employees both at your office and at the other offices where employees work. After getting input from the IT staff members at each of the cities in which training centers are located, you determine that you can create three standard configurations which will satisfy the needs of the training centers and the corporate office. Each training center will use one of the three standard configurations. These standard configurations include settings for the control panel, the desktop, and windows components. There are a number of settings that will be the same in all three configurations. Because the servers and printers that are used in each city differ, settings for folder redirection, printers, scripts, and software installation will be defined by the IT staff members in each city. You decide to create a single Windows 2000 domain for BCD Train and configure the common settings in the default domain Group Policy Object (GPO). What other steps should you take to configure and apply the desired settings to employees' computers?

A. Create a site for each city. Create a GPO for each standard configuration and link the appropriate GPO to each site.
B. Create an organizational unit (OU) for each city. Create a GPO for each standard configuration and link the appropriate GPO to each OU.
C. Create policy templates for each standard configuration. Use Security Configuration and Analysis to apply the appropriate template to each employee's computer.
D. Create a GPO for each standard configuration. Link the GPOs to the domain, create a security group for each city that contains the appropriate computer and user accounts for the city, and use the security groups to filter the GPOs.

>> !
Answer: B

You should create an OU for each city. You should create a GPO with the desired settings and link it to each OU. This will ensure that these settings are applied after the domain GPO is applied. You should not create a GPO with the desired settings and link it to each site. One reason not to do this is that any settings in a domain-level GPO would override the same settings in a GPO linked to the site. A second reason is that site-level settings would be applied to computers used on the network in each site by trainers who need to travel to a city away from their home offices. This may produce an undesired result. You should not create policy templates for each combination of settings and use Security Configuration and Analysis to apply the appropriate template to each employee's computer. This approach involves too much administrative overhead, since the initial configuration and any modifications would need to be applied individually to each computer. You should not create a GPO for each combination of settings, link the GPOs to the domain, and filter the GPOs by group. When multiple GPOs are linked to a domain, the time it takes a user to log on can be unacceptable as each GPO is analyzed to determine if it should be applied to that user. The use of Group Policy filtering should be minimized. 2.3.3. Analyze the business requirements for client computer desktop management. Establish the required client computer environment. 3.3.3. Design and plan the structure of organizational units (OU). Considerations include administration control, existing resource domains, administrative policy, and geographic and company structure. Plan policy management for client computers.


84. You are a member of the IT team for the Central division of FI-Print. The consultant who is helping design the Active Directory architecture for your enterprise recommends that the DNS zone for FI-Print's Active Directory domain be an Active Directory-integrated zone. The consultant has also recommended that a domain controller that is also running the DNS server service be installed at the main office for each division. You are tasked with determining where to install additional DNS servers for your division and how to configure them. What should you recommend for the main office and remote offices of the division?

A. Configure a computer running Windows 2000 Server as a caching-only DNS server at each remote office and at the main office.
B. Configure a computer running Windows 2000 Server as a secondary DNS server for the FI-Print zone at each remote office and at the main office.
C. Configure a computer running Windows 2000 Server as a caching-only DNS server at each remote office and at the main office. Configure these DNS servers to use the domain controller at the main office as a forwarder.
D. Configure a computer running Windows 2000 Server as a secondary DNS server for the FI-Print zone at each remote office. Configure a computer running Windows 2000 Server at the main office as a caching-only DNS server.

>> !
Answer: A

You should configure a computer running Windows 2000 Server as a caching-only DNS server at each remote office and at the main office. Since there are only 50 employees at each remote office and there will be a 56 Kb connection to the Internet for each office, the caching-only server can help optimize name resolution requests by responding with information cached on that server. Configuring the computer as a caching-only server will avoid the overhead of zone transfer traffic. You should not configure computers running Windows 2000 Server as caching-only DNS servers at each remote office and at the main office and then configure these computers to use the domain controller at the division's main office as a forwarder. Since there will be a 56 Kb connection to an ISP at each remote office, the DNS servers can access external DNS servers directly rather than use a forwarder.
A forwarder is a DNS server to which other DNS servers forward requests that cannot be answered from information in the local DNS server's cache or from zones defined on the local DNS server. You should not configure the DNS server at each remote office as a secondary DNS server for the FI-Print zone. Since most online communication among employees occurs within a division, there is little need for employees in each remote location to have a local copy of the entire DNS zone for the Active Directory domain. Too much traffic would be generated by the zone transfers between each remote office and the main office for the division. You can configure a DNS server that is not a domain controller as a secondary DNS server for an Active Directory-integrated zone, but that is not needed in this situation. 2.1.3. Evaluate the company's existing and planned technical environment. Assess the net available bandwidth. 4.4.1. Design the placement of DNS servers. Considerations include performance, fault tolerance, functionality, and manageability.


85. You are a member of the IT team for the Eastern division of FI-Print. The consultant who is helping design the Active Directory architecture for your enterprise recommends that a single Active Directory domain be created for FI-Print and that an organizational unit (OU) be created for each division. The OU for your division is East-Division-OU. The consultant also recommends that an OU be created within each divisional OU for each business unit, TS (East-TS-OU) and CCS (East-CCS-OU). In the TS business unit of the Eastern division, all plotters and printing devices are owned by the Production department. The plotters and printing devices are controlled by servers running UNIX. The manager of the Production department wants users to be able to search Active Directory for the plotters and printers but wants a supervisor in the Production department to determine which users and groups can access the plotters and printers in Active Directory. You create a domain local security group named Plot-Print-MGT that contains the user account for the supervisor. How should you configure management of the Active Directory objects for plotters and printers?

A. Create an OU for printer objects (Plot-Print-OU) in East-TS-OU. Delegate authority for Plot-Print-OU to Plot-Print-MGT.
B. Delegate the authority to create printer objects in East-TS-OU to Plot-Print-MGT.
C. Create an OU for the Production department (East-Prod-OU) in East-TS-OU. Move all Active Directory objects related to the Production department to East-Prod-OU. Delegate the authority to create printer objects in East-Prod-OU to Plot-Print-MGT.
D. Delegate the authority to create printer objects in East-Division-OU to Plot-Print-MGT.

>> !
Answer: B

You should delegate the authority to create printer objects in East-TS-OU to Plot-Print-MGT. Since the existing plotters and printers will remain configured on the UNIX servers, Active Directory objects must be created for these plotters and printers to allow users to search Active Directory for them. You print to a UNIX printer by installing Print Services for UNIX on a computer running Windows 2000 Professional or Server and then adding a printer that uses an LPR port configured to send requests to the UNIX printer. You should not create a separate OU for printer objects in East-TS-OU, since this adds to the complexity of your OU hierarchy. You should minimize the nesting of OUs. You should not create a separate OU for the Production department in East-TS-OU, since there are no other requirements noted that require Active Directory objects for the Production department to be administered separately. You should minimize the nesting of OUs. You should not delegate the authority to create printer objects in East-Division-OU to Plot-Print-MGT, since East-Division-OU also includes East-CCS-OU. 1.3.1. Analyze factors that influence company strategies. Identify company priorities. 2.1.6. Evaluate the company's existing and planned technical environment. Analyze network roles and responsibilities.


86. You are a member of the IT team in the F&T division responsible for the network infrastructure and servers at the corporate office of GoShop. You need to determine whether the naming contexts on two domain controllers in GoShop's Active Directory domain are consistent with one another. What utility should you use to obtain this information with the least amount of administrative effort?

A. Replication Monitor
B. Active Directory Sites and Services
C. Active Directory Domains and Trusts
D. Dsastat

>> !
Answer: D

You should use the dsastat utility to compare the naming contexts on two domain controllers to see if they are consistent with each other. You can also use dsastat to compare data in a domain partition of a global catalog server to determine if it is consistent with the data in the domain partition of a domain controller in that domain. You use the Replication Monitor utility (replmon) to display a graphical representation of the replication topology. You can also use replmon to force replication to occur between replication partners. You cannot use replmon to compare the data in the domain partitions on two domain controllers. You use the Active Directory Sites and Services console to view and manage the connection objects for domain controllers. You cannot use the Active Directory Sites and Services console to compare the data in the domain partitions on two domain controllers. You use the Active Directory Domains and Trusts console to view domains in an Active Directory forest. It also allows you to view and manage trust relationships between domains. You can use this console to convert a domain to native mode. You cannot use this utility to compare the data in the domain partitions on two domain controllers. 2.2.4. Analyze the impact of Active Directory on the existing and planned technical environment. Analyze existing and planned network and systems management.


87. You are a member of the IT team responsible for the network infrastructure and servers at the corporate office of GoShop. A consultant has been working with your team to design and implement a Windows 2000 domain for GoShop. There is a computer (DHCP-Corp) running Windows NT 4.0 and the Dynamic Host Configuration Protocol (DHCP) server service that assigns IP addresses to client computers at the corporate office. After the new Windows 2000 domain is created, you upgrade DHCP-Corp to Windows 2000 Server and add the computer to the Windows 2000 domain. Users report that their client computers are getting error messages reporting that a DHCP server cannot be located. What step should you take to enable the clients to locate the DHCP server?

A. Add the computer account for DHCP-Corp to the security group DnsUpdateProxy.
B. Remove and reinstall the DHCP server service on DHCP-Corp.
C. Stop and restart the DHCP server service on DHCP-Corp.
D. Authorize DHCP-Corp in Active Directory.

>> !
Answer: D

You should authorize DHCP-Corp in Active Directory. The Windows 2000 DHCP server service will shut down if the server on which it is running is not authorized in Active Directory. You do not need to add the computer account for DHCP-Corp to the security group DnsUpdateProxy to enable clients to locate DHCP-Corp. You add the computer account for a DHCP server to this group if you have enabled secure dynamic updates on a Domain Name System (DNS) zone and you do not want the DHCP server to become the owner of records it registers in the zone. You do not need to remove and reinstall the DHCP server service on DHCP-Corp. You can upgrade a computer running the DHCP server service to Windows 2000, but you must then authorize the computer in Active Directory. You do not need to stop and restart the DHCP server service after you join a computer to a Windows 2000 domain. 2.2.4. Analyze the impact of Active Directory on the existing and planned technical environment. Analyze existing and planned network and systems management.


88. You are a member of the IT team responsible for the network infrastructure and servers at the corporate office of GoShop. You are planning the implementation of networking services for GoShop's Active Directory domain. Working with a consultant, your team has decided to configure the Domain Name System (DNS) zone for the Active Directory domain to accept only dynamic updates. The team has also decided to configure a Dynamic Host Configuration Protocol (DHCP) server to dynamically register records for down-level clients and to include the computer account for the DHCP server in the security group DnsUpdateProxy. Which service or role should you recommend that the IT team deploy on a separate computer from the DHCP server?

A. Domain Controller
B. Terminal Services
C. Routing and Remote Access Service (RRAS)
D. Domain Name System (DNS)

>> !
Answer: A

You should recommend that the IT team deploy the DHCP server service on a computer that is not a domain controller. When the computer account for a DHCP server is a member of the group DnsUpdateProxy, no security is set on a resource record for a host when the record is registered by the DHCP server. This allows the client computer to become the owner of the records when the client computer is upgraded to Windows 2000 and attempts to update its resource records. However, if the DHCP server is also a domain controller, none of the DNS records registered for the domain controller will be secure either, which is why DHCP should not be deployed on a domain controller.
It is acceptable to deploy DHCP and Terminal Services on the same computer. It is acceptable to deploy DHCP and RRAS on the same computer. RRAS can be configured to use DHCP-assigned addresses for remote or VPN connections whether RRAS and DHCP are on the same server or on separate servers. It is acceptable to deploy DHCP and DNS on the same computer. In this scenario, since only secure dynamic updates are allowed, the DNS zone must be an Active Directory-integrated zone. In this case, the most efficient way to deploy DNS is to install the DNS server service on domain controllers. However, you can deploy DNS on a non-domain controller and configure the server to be a secondary server for the Active Directory-integrated zone or to be a caching-only server. 2.1.7. Evaluate the company's existing and planned technical environment. Analyze security considerations.


89. You are preparing an Active Directory deployment plan as you move through all the phases of the Active Directory design plan. Which technique of the deployment plan best helps to prevent loss due to risks that materialize?

A. Phase the deployment efforts.
B. Keep end users informed.
C. Create a deployment backup plan.
D. Schedule deployment activities for non-business hours.

>> !
Answer: A

Phasing the deployment efforts will help to minimize the impact of risks that do materialize. Progressing in phases allows time for repair and adjustment. It also allows everyone to learn from the experience before moving into the next phase. Keeping users informed is best at assuring productivity and cutting support costs. You should have a backup plan for deployment that allows you to recover from deployment events that go wrong, but it is not the best tool for minimizing risks that materialize. Big deployment activities should be scheduled for non-business hours, it is true, but this technique is not best at managing risks that become real events. Scheduling deployment events after hours is best at protecting the production environment.


90. You are designing the Active Directory structure for a publishing corporation that has three subsidiary magazines. Each subsidiary has its own information technology (IT) group and proprietary information that must be kept secure from the other subsidiaries. Administrators from corporate should not be able to administer subsidiaries. Administrators from the subsidiaries should not be able to administer corporate or other subsidiaries. The corporate office administers an Active Directory-aware payroll application for all three subsidiaries. How should you design your domain structure?

A. Create an empty root domain with child domains for corporate and each subsidiary.
B. Create a separate forest for corporate and each subsidiary.
C. Create corporate as the root domain and create child domains for each subsidiary.
D. Create a single domain and create OUs for corporate and each subsidiary.

>> !
Answer: A

When the organization requires separate and equal administration for corporate and for each subsidiary, and also requires separate security for each, the empty root domain forest design is applicable. The empty root domain allows only the enterprise administrator to be above all the separate and equal child domains. This administrator account can be further secured by allowing access to it only through measures such as a smart card or through joint access by the child domain administrators. This design will also accommodate the payroll application, which is common to all enterprise structures. It is incorrect to make the corporate domain the root domain, because the Enterprise Admins would be employees of the publishing corporation and would have access to the proprietary subsidiary information. It is incorrect to use organizational units in a single domain for corporations and subsidiaries that wish to keep their organizations separate and secure from each other.
Members of the Domain Admins group have access to the whole domain. Creating a separate forest for the corporation and each of its subsidiaries is unnecessary because an empty root domain will solve the problem in a straightforward manner. The multiple forests are incorrect because explicit trusts will be required and the forests will not share the same schema and configuration. The global catalogs of the forests would not share information either.


91. You are a member of the IT team responsible for the network infrastructure and servers at the corporate office of GoShop. You are responsible for formalizing and documenting the procedures to be used if a modification to the Active Directory schema is required. Active Directory has not yet been deployed at GoShop, but you have a test lab in which you have created a test domain for the Active Directory deployment. You log on to a domain controller in the test lab using an account that is a member of the Schema Admins group. You create a console with the Schema Manager snap-in. What menu item should you choose from the context menu of the Active Directory Schema node to enable updates to be made to the schema?

A. Permissions
B. Reload the Schema
C. Change Domain Controller
D. Operations Master

>> !
Answer: D

You should choose "Operations Master" from the context menu. From the dialog box that is displayed, you must enable the option "The Schema may be modified on this server." You choose "Permissions" from the context menu to view or modify the permissions on the schema. You cannot modify the permissions unless the option "The Schema may be modified on this server" is selected. You choose "Change Domain Controller" from the context menu to transfer the Schema Master role from the current Schema Master to another domain controller. You choose "Reload the Schema" to refresh the schema cache with information from the disk copy of the schema. 3.6. Design a schema modification policy.


92. You are a member of the IT team responsible for the network infrastructure and servers at the corporate office of GoShop. You are responsible for formalizing the support procedures for the laptop computers used by buyers in each division. A consultant has recommended that a Dynamic Host Configuration Protocol (DHCP) server be installed at the corporate office, at each distribution center, and at each store. You want to ensure that the laptop computers are assigned a lease that expires in a shorter time than the leases assigned to other computers throughout the enterprise. What feature of the Windows 2000 DHCP server service should you recommend be implemented to assign the necessary configuration parameters to the laptop computers?

A. Option classes
B. Automatic Private IP Addressing (APIPA)
C. Superscopes
D. Reservations

>> !
Answer: A

You should recommend that option classes be implemented. You can define a user-defined class for the laptop computers and use the /setclassid switch of the ipconfig utility to set the appropriate class identifier (ID) on each laptop. You can then use this class ID to ensure that the laptops receive the correct DHCP configuration. You use superscopes to define multiple logical scopes for a single physical segment or subnet. Superscopes are used when you need to add more addresses to an existing segment but want to continue using the scope that is already defined for the segment. You use reservations to ensure that a DHCP client computer always receives the same IP address. A reservation has an unlimited lease by default.
Automatic Private IP Addressing is enabled by default on computers running Windows 2000 Professional or Server. It is used to self-assign an IP address from the network identifier 169.254.0.0 if a DHCP server cannot be located. When an address is assigned using APIPA, the client computer continues to check for a DHCP server. With an APIPA address, a computer will only be able to communicate with other computers on its subnet that have APIPA addresses. 2.3.2. Analyze the business requirements for client computer desktop management. Identify technical support needs for end-users.


93. You are an employee of the F&T division of GoShop. You are a member of the IT team that supports F&T employees who work at the corporate office. Computers for these employees will be among the first to be replaced with computers running Windows 2000 Professional. The home directories for each user will be moved from an existing NetWare server to a server running Windows 2000 Advanced Server. Each user will still need occasional access to other data on the NetWare server. What utility should you use in the Windows 2000 domain to give these employees access to files and printers on the NetWare server?

A. Client Services for NetWare on the computers running Windows 2000 Professional
B. File and Print Services for NetWare on the Windows 2000 server
C. Directory Service Manager for NetWare on the Windows 2000 server
D. Gateway (and Client) Services for NetWare on the Windows 2000 server

>> !
Answer: D

You should use the utility Gateway (and Client) Services for NetWare (GSNW) to configure access to file and print services on a NetWare server from a Windows 2000 server. Client computers can then access the file and print resources through the computer running Windows 2000 Server and GSNW. You should not use Client Services for NetWare (CSNW) on the computers running Windows 2000 Professional. Management wants to reduce the use of IPX/SPX and users will only need occasional access to NetWare resources.
If you use CSNW, you must also install NWLink on each client computer that uses CSNW. If you use GSNW, you only need to install NWLink on the computer on which GSNW is installed. You use Directory Service Manager for NetWare (DSMN) to synchronize information between a NetWare bindery and a Windows NT 4.0 Security Accounts Manager (SAM) database. DSMN does not provide access to file and print services on a NetWare server. You use File and Print Services for NetWare (FPNW) to allow NetWare clients to access file and print resources on a computer running Windows 2000 Server. FPNW does not allow Windows 2000 clients to access resources on a NetWare server. DSMN and FPNW are part of the add-on product Services for NetWare, which is available from Microsoft.
2.2.1. Analyze the impact of Active Directory on the existing and planned technical environment. Assess existing systems and applications.


94. You are analyzing a company for Windows 2000 Active Directory deployment. The company has 1500 employees and 1200 workstations. The corporate database is owned by the research department, and all employees reference the database. You are evaluating the options for administrative design. What is the single most important reason you would subdivide an organizational unit (OU) that you had already defined in your plan?

A. When all objects in the initial OU don't require the same administrator
B. When the permissions at the task level are different for the OU
C. When user accounts from two different departments are in the same OU
D. When the objects in the initial OU have different owners

>> !
Answer: A

When all objects in the initial OU don't require the same administrator, you should divide the OU and delegate control to different administrators. For example, suppose there is a research OU for administering the database. There is a workgroup in the OU that designs graphics for the database. You should create a new OU for the graphics workgroup because, although they are part of the research department, they are not administered by the same administrator who administers the database. There are occasions when user accounts from two different departments are correctly grouped in the same OU. An example is when the OU is based on location. The sales and human resources departments may both have employees in a city's OU. This means an administrator will be delegated to manage this OU with user accounts from different departments. Ownership of the objects in an OU has no bearing on how the OU's scope is defined. As administrator, you can easily set permissions based on tasks, rather than on objects. This is not a deciding factor for the scope of the OU. Task-based delegation requires more administrative time and doesn't offer inheritance.


95. You are analyzing the company's systems and applications in preparation for Active Directory deployment. Which of the following situations may require a schema modification?

A. Creating an external trust to a Kerberos V5 protocol realm
B. Configuring a domain controller as a Windows 2000 Domain Name System (DNS) server using Active Directory-integrated zones
C. Adding a new domain to the forest
D. Installing a new Active Directory-integrated application on a server

>> !
Answer: D

Active Directory-integrated applications know how to modify the schema and will do so if they need new classes and/or attributes. New domains in the forest do not require schema modifications. External trusts to a Kerberos V5 protocol realm do not require schema modifications. External trusts are required when domains are not part of the company's Active Directory forest. The external domains are commonly linked to the company's Active Directory forest when another company is acquired and already has an Internet presence and established domain name. The term "Kerberos V5 protocol realm" refers to a non-Windows 2000 use of the Kerberos authentication protocol. External trusts are manually set up by the administrators when the transitive trusts of Active Directory do not apply. The Active Directory-integrated zones of a DNS server do not require schema modifications.


96. You are analyzing the technical support needs of a business that will be upgrading to Windows 2000 and Active Directory. When you start planning the OU structure of your initial domain, what should be your primary consideration?

A. Identify group hierarchies.
B. Document the geographical locations.
C. Identify the administrative model.
D. Document network structure.

>> !
Answer: C

Identifying the administrative model is the foremost consideration when planning the OU structure of the initial domain. You will be documenting the geographical locations and identifying required groups, including nested groups. You will also be documenting the network structure. The overall priority, however, is to model the OUs so that the business's Active Directory network can be administered easily.


97. You are designing a delegation of authority plan for a company that wants technical support to be geographically distributed. Each region’s administrators will be allowed to create their own organizational units (OUs). On which OUs should Full Control be delegated? (Choose all that apply)

A. At domain level for the domain admins group
B. At regional level for selected administrators of each region
C. In the nested OUs below the regional level for selected administrators
D. At the domain controller built-in OU
E. For the domain admins group at regional level

>> !
Answer: A & B

Full Control should be delegated to the Domain Admins group at domain level so they can create the first level of OUs, which is the regional OUs. Full Control should be delegated to selected administrators in each regional level OU. They are then responsible for creating the OU structure of their region and further delegating authority, which will be less than Full Control. The nested OUs below the regional level will not be delegated Full Control to selected administrators. Only two levels of Full Control delegation are required. The domain admins do not need Full Control at the domain controller built-in OU. In fact, no users should be delegated authority at the domain controller OU. There are no users in this OU. Note: Permissions set on the parent OU will be inherited by a child (or nested) OU by default. Delegating Full Control to the domain admins at the regional level OUs is also wrong: the domain admins already have Full Control at the domain level, and delegated authority applies to all levels below the level at which it was applied.


98. You are designing an Active Directory organizational unit hierarchy structure based on organization. What is the most important factor to keep in mind while you are developing your strategy?

A. Accurate delegation of authority
B. Improved user logon times
C. Users' specific permissions
D. Flexibility of the business model

>> !
Answer: A

The Active Directory hierarchy that you are designing is first and foremost for accurate delegation of authority for administrative management of the network. The organization chart, the location of facilities, and the flexibility of the business model are not appropriate structures for Information Technology (IT) administration. You can assume the design of the Active Directory is unknown to the users. Although they can see the structure, it does not affect how they get to their resources. So, design for administration. Permissions will be applied to users according to the organizational units where they are contained if a Group Policy defines the file system permissions. For example, user accounts in an organizational unit are grouped into a global group. The global group is nested in a domain local group. The domain local group allows access to the resource. All of this is done after the accurate delegation of authority is structured. Improved user logon times are not a criterion for domain and organizational unit hierarchy design. Password and account lockout policy are criteria for domain design because they are only set at the domain level.


99. You are designing an Active Directory structure for your organization. The company has no plans for an Internet presence. You want to convince them to register their name anyway. Which two reasons are justifications for registering a DNS domain name to be used as the Active Directory root domain name? (Choose all that apply)

A. The Active Directory forest will have to be reinstalled if the Active Directory domain name cannot be registered at a later date.
B. Another company might register this corporation's DNS domain name.
C. The organization plans to acquire other subsidiaries in the future.
D. The organization plans to add additional trees to their Active Directory forest.
E. The Active Directory root domain name must be registered with Internet Corporation for Assigned Names and Numbers (ICANN).

>> !
Answer: A & B

The Active Directory root domain is the beginning of all locator services for the corporate directory. If the company ever wishes to use the corporate identity as an Internet presence, it will want the name of its internal Active Directory root domain to be available Internet-wide. Registering the corporate Active Directory root name will assure no one else registers it first for use on the Internet. If the name will not be an Internet presence, there is no requirement that it be registered. It is recommended, however. The ICANN-registered name represents the corporate root domain level. This refers to the DNS namespace. And now with Active Directory services, it also represents the root domain of Active Directory. The company has the authority to manage all zones within its DNS namespace.
If the Active Directory root domain name requires changing, it is necessary to reinstall the forest. So, if the company decided to have an Internet presence, and the name of their Active Directory was already registered by someone else, the company would be forced to keep the Active Directory name internal or reinstall the forest. And, they would have to choose another name for their Internet presence. Plans for acquiring other subsidiaries in the future do not justify registering the current DNS domain name with ICANN. At this time, the subsidiaries' names would not be the Active Directory root domain name for this company. Additional trees do not require that the original domain tree have a registered DNS domain name. The name referenced in the scenario is the name of the company that is planning the first domain tree in the forest.


100. You are designing the upgrade to Windows 2000 for Contoso Ltd. You decide to keep the existing BIND DNS servers which are currently using version 4.9.7 on UNIX computers. The Active Directory root domain is called ad.contoso.com. The BIND DNS domain is contoso.com. All Active Directory hosts and clients will use the Active Directory-integrated DNS servers. How should you configure the BIND servers in order to ensure the BIND DNS clients can resolve the Active Directory host names?

A. Delegate the following subdomains to the Active Directory integrated DNS servers: _msdcs.contoso.com, _sites.contoso.com, _tcp.contoso.com, _udp.contoso.com.
B. Add the subdomain to the BIND DNS servers. Create a secondary zone on the Active Directory integrated DNS servers.
C. Upgrade BIND to 8.2.1.
D. Delegate the Active Directory subdomain to the Active Directory integrated DNS server.

>> !
Answer: D

Delegating the Active Directory subdomain to the Active Directory integrated DNS server will allow any client using the BIND DNS service to locate host names in the Active Directory-integrated subdomain. Upgrading BIND to version 8.2.1 provides Active Directory support for service (SRV) records and dynamic updates. It does not assure that all BIND DNS clients will be able to resolve Active Directory host names unless the DNS domain used for the Active Directory root domain is defined on the BIND 8.2.1 server. It is incorrect to use the Active Directory integrated DNS servers for a secondary zone and put the Active Directory subdomain on the BIND DNS servers. Directory-integrated DNS servers must be Windows 2000 domain controllers because the zone will now become part of Active Directory replication. If you want to use the BIND DNS with Active Directory, the proper procedure is to delegate the following zones used by the locator records to a Windows 2000 server running dynamic DNS (DDNS): _tcp.companydomain.com, _udp.companydomain.com, _msdcs.companydomain.com, and _sites.companydomain.com. On the DDNS server, create these zones and enable dynamic update on each zone.


101. You are developing an Active Directory hierarchy design that will delegate roles and responsibilities to members of the information technology (IT) staff. Which factor should influence your design strategy the most?

A. The physical location of users.
B. The company organizational chart.
C. The number of domains in the forest.
D. The speed of network links between locations.
E. The plan for delegating administrative authority.

>> !
Answer: E

The plan for delegating administrative authority is the most important factor. The company organizational chart is never a factor in the design of organizational units. The number of domains in the forest does not affect how organizational units are structured. The physical location of users does not affect the organizational unit design. The organizational unit is purely for administrative use. The physical location of users is a factor for domain controller and global catalog placement and for site design. The speed of the network links between locations is a factor of site design.


102. You are developing the business policy for the schema operations master. Which two criteria do you need to include? (Choose all that apply)

A. Closely guard membership of the Schema Admins group.
B. Disable modification during normal operations.
C. Isolate the schema operations manager from domain controllers with heavy processing tasks.
D. Avoid installing schema operations manager on a global catalog server.
E. Locate the schema operations manager in a site for efficient replication.

>> !
Answer: A & B

The company must have a policy concerning the schema operations master to protect this integral part of the Active Directory. The schema defines the forest. Changes are replicated forest-wide. This impacts the network usage. Business policy should include guarding membership of the Schema Admins group and keeping the schema modification capability disabled during normal business hours. Changes to the schema will not impact processing on domain controllers. The changes will impact replication, however, which indirectly will increase the processing burden on the domain controllers. There is no conflict when the schema operations master and the global catalog server are hosted by the same computer. The schema operations manager is a console. The replication will come from changes to the schema made on the schema operations master. There is no requirement for site placement of this master role. Note: If the schema operations master needs to be moved, take it offline first.


103. You are documenting a company's physical network structure in preparation for an Active Directory design. Two of the WAN links are close to saturation during NT 4.0 domain replication. You plan to increase the bandwidth on these two links before Active Directory deployment. The network runs a BIND DNS server. While it can be argued that every network activity creates some load on the network, which Windows 2000 component should be included in the design as an increase in the network load? (From the choices listed, pick the major one.)

A. DNS replication
B. Transitive trust model
C. Kerberos V5
D. Client authentication

>> !
Answer: C

Kerberos, as well as other Active Directory services, will increase the load on the current physical network. Client authentication is not the major increase in network load in Windows 2000 that should be looked at in the design phases. DNS replication will not increase with Windows 2000. In fact, it may improve because Windows 2000 DNS allows for incremental zone transfer. The transitive trust model in an Active Directory forest does not add to the network burden.


104. You are on the Central Planning Team for the Windows 2000 deployment plan for your company. You have completed the inventory of user and resource locations. A major database resides in the German division and the database administrators on location are responsible for the administration of the database. One thousand employees using the database are in the Americas. Five hundred employees using the database are in Europe. Using only the information provided by the scenario, for which element of the Active Directory database will you apply the user and resource information?

A. The organizational units (OUs) design
B. The domain tree design
C. The site design
D. The DNS replication topology

>> !
Answer: A

The OU design is correctly where you will apply the information about users and resources in your design plans. You will want to delegate the database to the German division and you will want to manage the users' access to the database. For these administrative tasks you will create a database OU or German OU. The domain tree design is not where you will apply the user and resource information. To correctly use information for domain design, you will evaluate domain replication traffic, multiple domain policies, international differences, or decentralized administration. Decentralized administration is an issue when certain locations want to manage all their own administration. In this scenario, the only requirement is that the German division administer the resource. This design could easily be one domain in the forest. The site design is a physical topology designed to manage domain replication. This was not mentioned in the scenario. The DNS replication topology is not determined by the location of users or resources. And, if the DNS is directory integrated, it will use the Active Directory's replication topology.


105. You are preparing a report of data and system access patterns because you are part of the central planning team for the Windows 2000 deployment. You want to explain how an individual in the Domain Admins group who takes ownership of a secure organizational unit (OU) can now be identified. How will you say that Windows 2000 accomplishes this?

A. Although all the administrators own the OU, the one who took ownership is listed in the discretionary access control list (DACL) as owner.
B. The individual with the Take Ownership permission is always listed in the Discretionary Access Control List (DACL).
C. Only administrators can take ownership at the domain and organizational unit levels.
D. The System event log documents all changes.

>> !
Answer: A

Although all the administrators own the OU, the individual who took ownership is listed in the discretionary access control list (DACL) as the owner. This is a new feature in Windows 2000. It resolves a security flaw in Windows NT where only the general group name, Domain Admins, was listed rather than the responsible individual. In this scenario, it is the Domain Admins who take ownership, not an individual with Take Ownership permission. The Domain Admins group can always Take Ownership, whereas an individual has to be given Take Ownership permission by the owner or someone with administrative privileges. It is not true that only administrators can take ownership at the domain and organizational unit levels. The System log, viewed by running the Event Viewer console, which is an MMC snap-in, does not document the change in ownership. It shows up by looking at the object's DACL.


106. You are selecting an Active Directory scope. Which criteria should you use for picking the Active Directory's root domain name?

A. Select a name that allows users access to all information and resources within the organization, now and in the future.
B. Select a name that represents the DNS Internet-presence name for world-wide recognition.
C. Select a name that is short enough to make fully qualified domain names reasonable within the organization.
D. Select a name that incorporates all possible products or services of the organization now and in the future.

>> !
Answer: A

By selecting a name that allows users access to all information and resources within the organization, you have set the correct scope for the company's Active Directory root name. You should additionally make sure that it will encompass any organizational growth. While it is important to have a name that is registered for Internet presence, it is not required. It is highly recommended, however, for the same reason the scope is an important choice at the beginning of the design. Once Active Directory is created, it cannot be undone or expanded. Only restructuring will correct a scope that isn't broad enough. It is true the root name should be short enough to work well in fully qualified domain names. However, this is not a correct criterion for choosing the Active Directory scope. A fully qualified domain name means it unequivocally describes the object's place in the namespace. If the name you select represents all products or services the organization provides now and in the future, that name will not necessarily assist the users in accessing the information or resources they need. For example, the organization sells books. Perhaps you should anticipate future growth, which might be magazines. So should the name be "publications"? What if the organization develops in the area of international radio instead? Now the Active Directory root domain name no longer represents the objects of the Active Directory. Radio objects are under the publication root name. Perhaps "information" would have been a more accurate scope. You can plan on the life of an Active Directory to be about five years.


107. You are the administrator for a large organization with locations around the world. You want to control all modifications made to the Active Directory schema. You are testing a new directory-enabled application that was developed for internal use. Before the application can run, you must manually add 10 new classes and 100 new attributes to the Active Directory schema. What should you do to modify the schema?

A. Remove the schema master from the network and write a script that uses the Active Directory Services Interface (ADSI).
B. Use the Active Directory Schema Manager.
C. Remove the schema master from the network, restart the domain controller in safe mode, and then run ADSIEdit.
D. Restart the domain controller in safe mode and run ntdsutil.

>> !
Answer: A

The correct answer choice is to remove the schema master from the network and write a script using the Active Directory Services Interface (ADSI). Another way to safely control new changes is to try it in a test environment separate from production, but it was not an answer choice on this question. Scripts are the recommended way to modify the schema because all syntax can be carefully controlled and the outcome can be tested before putting the change into production. The schema can also be changed using the Active Directory Schema snap-in in MMC. However, these are live changes and therefore very risky. In this scenario, it is also the wrong method because so many changes are required. It is not necessary to restart the domain controller in safe mode when editing the Active Directory or schema using the ADSI interface. ADSIEdit is the interface tool for the ADSI. The ADSI uses a standard set of interfaces that client applications can access without getting into the details of the data store and protocols of directory services. Ntdsutil is a utility that allows you to do authoritative restores from backup or seize master roles when one of the operations masters is in distress, among other things. It cannot be used to modify the schema.


108. You are the corporate IT manager of BCD Train. You determine that there should be three Group Policy Objects (GPOs) created to manage the desktops of users throughout the enterprise. One member of the IT staff at each office location will determine which of the three should be used for that location. Settings that are common to all three of the configurations are defined in the default domain GPO. The designated IT staff member at each office location will create GPOs to manage settings for folder redirection, printers, scripts, and software installation. You create a single Windows 2000 domain for BCD Train. You create an OU for each city in which the enterprise has an office and one or more training centers. You also configure a separate site for each city. You add the designated IT staff member from each city to the security group Group Policy Creator Owners to allow these individuals to create GPOs. How should you configure security to allow the designated IT staff member for each city to define which standard configuration GPO should be used for users and computers in his or her city but not be able to block inheritance from any domain GPO?

A. Use the Delegation of Control wizard to give the designated IT staff members read and write access to the gPLink attribute of the appropriate OU.
B. Use the Delegation of Control wizard to delegate the task Manage Group Policy links for the appropriate site to each designated IT staff member.
C. Use the Delegation of Control wizard to delegate the task Manage Group Policy links for the appropriate OU to each designated IT staff member.
D. Use the Delegation of Control wizard to give the designated IT staff members read and write access to the gPOptions attribute of the appropriate site.

>> !
Answer: A

Membership in Group Policy Creator Owners does not allow a user to link a GPO to a site, domain, or OU, so you should use the Delegation of Control wizard to give the designated IT staff members read and write access to the gPLink attribute of the appropriate OU. You should not use the Delegation of Control wizard to delegate the task "Manage Group Policy links" for the appropriate OU to each designated IT staff member. The task "Manage Group Policy links" includes the ability to both link a GPO to an OU and to block inheritance of GPOs linked to the domain or to a parent OU. You should not use the Delegation of Control wizard to delegate the task "Manage Group Policy links" for the appropriate site to each designated IT staff member.
A site-level GPO would be applied to computers used on the network in each site by trainers who need to travel to a city away from their home offices. This may produce an undesired result. You should not use the Delegation of Control wizard to give the designated IT staff members read and write access to the gPOptions attribute of the appropriate site. Read and write access to this attribute will allow the designated staff members to block inheritance of GPOs linked to the domain or to a parent OU. However, since a site GPO is applied before either a domain GPO or an OU GPO, there is nothing from which inheritance can be blocked.
3.3.2. Design and plan the structure of organizational units (OU). Considerations include administration control, existing resource domains, administrative policy, and geographic and company structure. Plan Group Policy object management.


109. You are the security officer of your corporation. You’ve been asked to meet with the Central Planning team throughout the design of the Active Directory structure. It is your job to specify the security settings of each Group Policy Object. Administration in this Active Directory design is going to be central rather than distributed. Which two containers should you use or create when applying the server Group Policy? (Choose all that apply)

A. Domain Controllers organizational unit
B. Servers organizational unit
C. The Domain level
D. Users organizational unit
E. Division OU

>> !
Answer: A & B

You should design Group Policy for servers using either the Domain Controllers organizational unit (OU) or an OU created for servers that are not domain controllers. Those policy areas typically applied at Domain Controllers or servers OUs pertain to User Rights, File and Registry ACLs, Local Policy, Administrative Tools, Disk quotas, Printer moving, and user desktop settings. Passwords, Accounts, and Kerberos policy areas are applied at the domain level. Users OUs (not the built-in Users container) and computer OUs are the typical place to assign policies for EFS, published applications, assigned applications, scripts, local policy for computers, offline files, Internet Explorer settings, Folder redirection, Desktop lockdown, Disk quotas, audit and event logs, user rights, and File and registry ACLs. EFS is the new Encrypting File System that uses Public Key cryptography. A Division OU is not a correct place to set up server group policy. A division OU is required with the OU hierarchy design that uses organization for one of its OU levels. You should not put group policy for servers at a division OU level in a central administration design.


110. You belong to a project team at MedDev that is responsible for formalizing the procedures to be used if a modification to the Active Directory schema is required. The team decides that one user account from each domain should be a member of the Schema Admins group, and that each of these accounts should be configured to log on using a smart card. The smart cards will be controlled by MedDev's CIO. A domain administrator from each domain creates the designated account for the domain. You log on with an account that is a member of the Domain Admins group of the forest root domain. However, you cannot locate the designated accounts to add them to the Schema Admins group. What is the most likely reason you cannot locate these accounts?

A. The child domains are running in mixed mode.
B. You are not logged on with a user account that is a member of the Enterprise Admins group.
C. The forest root domain is running in mixed mode.
D. You are not logged on with a user account that is a member of the Schema Admins group.

>> !
Answer: C

The most likely reason that you cannot add the designated accounts to the Schema Admins group is that the forest root domain is running in mixed mode. The Schema Admins group and the Enterprise Admins group exist only in the forest root domain, but these groups are configured as global groups when the domain is running in mixed mode. A global group cannot contain members from other domains in a forest. When the forest root domain is converted to native mode, these groups become universal groups and can then contain members from other domains. Members of the Domain Admins group in the forest root domain can modify the membership of the Enterprise Admins group and the Schema Admins group. You do not have to be logged on as a member of the Enterprise Admins group, or as a member of the Schema Admins group, to modify the membership of the Schema Admins group.
Even if the child domains are running in mixed mode, you would be able to add the designated accounts to the Schema Admins group if the forest root domain is running in native mode.
1.2. Analyze the existing and planned organizational structures. Considerations include management model; company organization; vendor, partner, and customer relationships; and acquisition plans.
2.2.4. Analyze the impact of Active Directory on the existing and planned technical environment. Analyze existing and planned network and systems management.


111. You created an OU for the engineering department. You have granted administrative control of the OU to the administrator of the engineering department. You want to use Group Policy to specify a registry setting for all of the user accounts in the Engineering OU. You also want to use Group Policy to specify separate settings for three different teams of engineers. What can you do to support both the administrative and policy needs of the engineering department?

A. Create three OUs as children of the Engineering OU. Create a single GPO for the Engineering OU. Link the Group Policy object to each organizational unit, specifying separate permissions for each OU.
B. Create a new domain for the engineering users. Create three OUs in the new domain and specify separate GPOs for each OU.
C. Create a GPO for the Engineering OU. Create three OUs as children of the Engineering OU. Create GPOs for the Engineering OU, and GPOs for each of the three child OUs.
D. Create a GPO for the Engineering OU. Create three OUs as children of the Engineering OU. Create GPOs for each of the three child OUs. Block Group Policy object inheritance from the Engineering organizational unit.

>> !
Answer: C

The engineering department's OU is where administration is delegated. Create a Group Policy object (GPO) to specify a registry setting and apply it at this OU. Next, create three child OUs of the parent Engineering OU. Each child OU will have a GPO created with the specific requirements for each team. Creating a new domain is only justified if user password or account lockout policy is different for a business unit such as a department, division, or geographic location. Domains are security boundaries. If you have a collection of entities that require separate policy and administration, an OU can effectively define them for management, rather than creating a new domain. If you choose to create a GPO for the Engineering OU, link the same GPO to each of the child OUs, and then separate them with permissions for applying the policy to each OU, you have incorrectly applied the use of GPOs and inheritance in the hierarchy. Filtering is done with security groups, but this answer suggests using permissions on the GPO to make distinctions for each of the team OUs. Blocking Group Policy at the child OUs will defeat the purpose of having a policy at the Engineering OU level.


112. You have been contracted to set up a Windows 2000 Active Directory network for a young tour company made up of four loosely connected organizations that manage student tours globally. The four organizations are marketed as The Americas, The Asias, The Africas, and The Europes. Each one is organized independently on the continent where it runs its tours. Each one now wants to band together for the advantages of infrastructure and marketing identity. You are deciding on an appropriate name for the Active Directory. How would you describe the Active Directory design task that you are currently undertaking?

A. Designing an Active Directory site topology
B. Analyzing the technical support structure
C. Designing a domain structure
D. Establishing the scope of the Active Directory

>> !
Answer: D

Establishing the scope of the Active Directory is the task you are undertaking. The company has an existing identity as organizations in a global setting. You must decide how far-reaching the Active Directory scope should be. There will only be one name for the Active Directory root domain, and it should allow for future growth. For example, fourcontinents.com is limiting. What if The Russias becomes the next set of tours? The Active Directory name would no longer be appropriate. Designing a domain structure is incorrect. When you are ready to design the domain structure, you will determine whether each of these four organizations needs a child domain of its own. You will also decide how the administrative tasks will be structured as organizational units (OUs) within the domain or domains. Designing an Active Directory site topology is incorrect. The site topology is strictly a physical structure for managing directory replication. Site topology can be determined once the domain and the location of domain controllers are in place. Analyzing the technical support structure is incorrect. This phase of Active Directory design looks at the existing information technology (IT) support and how the company intends for it to function in the new Active Directory: will it be centralized, delegated in a decentralized configuration, or a combination of the two?


113. You have been hired as a consultant to assist BCD Train in designing an Active Directory architecture. After analyzing the current network and the company's plans for integrating Windows 2000 into its network, you recommend that BCD Train use a single Windows 2000 domain. You also recommend that a site be defined for each business office and that a domain controller be installed at each business office. Training centers in each city will be included in the site defined for the business office in that city. You also recommend that a site be created for the headquarters office and that two domain controllers be installed at that office. What should you recommend regarding the creation of site links?

A. A site link should be created between the site defined for each business office and the headquarters office.
B. Two site links should be created for each business office site--one to the headquarters office site and one to the nearest business office site.
C. Two site links should be created for each business office site to the two nearest business office sites.
D. A site link should be created between each business office site and every other business office site. A site link should also be created between each business office site and the headquarters office site.

>> !
Answer: A

You should recommend that site links be created from each business office site to the headquarters office site in a hub and spoke approach. With this design, updates from each city will be replicated to the headquarters office and, from there, replicated to each of the other office location sites. Generally, site links should correspond to wide area network (WAN) links. At BCD Train, each business office has a T1 line to the headquarters office and a T1 line to the Internet. By default, when you create a new site, there is only one site link with which you can associate the site - the default site link, DEFAULTIPSITELINK. When you create a site link, you define the sites that are to be associated with that site link. Once you associate a site with one of the new site links, you should remove that site from the default site link. Alternatively, you can create the site links first and then associate each site with the correct site link when you create the site. If you use this method, you associate each site link with the default site, Default-First-Site-Name, when you create the site link.
You should not recommend that two site links be created for each office, one to the headquarters office site and one to the nearest business office site. Replication to the nearest business office site would have to travel across the Internet, so steps would have to be taken to secure the data. This would add overhead to the replication traffic as well as impact the net available bandwidth for Internet communications. You should not recommend that two site links be created for each office to the nearest business office sites. Replication to the nearest business office sites would have to travel across the Internet, so steps would have to be taken to secure the data. This would add overhead to the replication traffic as well as impact the net available bandwidth for Internet communications. This approach would also increase replication latency, as it would take longer to update all sites than it would with the recommended configuration. You should not recommend that a site link be created between each business office site and every other business office site as well as between each business office site and the headquarters office site. Replication to business office sites other than the headquarters office would have to travel across the Internet, so steps would have to be taken to secure the data. This would add overhead to the replication traffic as well as impact the net available bandwidth for Internet communications.
3.5.1. Design an Active Directory site topology. Design a replication strategy.


114. You have been hired as a consultant to assist BCD Train in designing an Active Directory architecture. After analyzing the current network and the company's plans for integrating Windows 2000 into its network, you recommend that BCD Train use a single Windows 2000 domain. You recommend that an organizational unit (OU) be created for each city in which one or more training centers exist and that responsibility for the OU be delegated to the IT staff members in the appropriate city. You also recommend that a site be created for headquarters in Cedar Rapids and for each of the 20 cities. You also suggest that a domain controller be installed in each site. What should you recommend regarding the placement of global catalog servers?

A. Global catalog servers should only be installed at the headquarters office.
B. Global catalog servers should only be installed at each training center location.
C. A global catalog server should be installed at each training center location that houses a business office and at the headquarters office.
D. A global catalog server should be installed at each training center location and at the headquarters office.

>> !
Answer: C

You should recommend that a domain controller at the headquarters office and the domain controller at each business office be configured as a global catalog server. Since only a single Active Directory domain is to be used, each domain controller will contain a complete replica of the domain partition, so configuring a domain controller as a global catalog server will allow it to use the information in the domain partition to respond to global catalog queries. You do not need a global catalog server at every training center location, since only a few employees access the corporate network from each of the training centers that do not house office employees. These employees can readily access the global catalog server at the business office in their city. You should not install global catalog servers only at the headquarters office. If you do this, all queries for global catalog data must be sent to the headquarters office across the wide-area network connections from each office location. You should not install global catalog servers only at each training center location. As noted earlier, you do not need a global catalog server or a domain controller at the training centers that do not also house a business office. You should have a global catalog server at the headquarters office to respond to global catalog queries efficiently.
4.2.1. Design the placement of global catalog servers. Considerations include performance, fault tolerance, functionality, and manageability.


115. You have been hired as a consultant to assist BCD Train in designing an Active Directory architecture. After analyzing the current network and the company's plans for integrating Windows 2000 into its network, you recommend that BCD Train use a single Windows 2000 domain. You recommend that the Domain Name System (DNS) server service be installed on DNScorp, a computer running Windows 2000 Server at the corporate office. You also recommend that a standard primary zone with the same name as the Active Directory domain for BCD Train be created on this server. This name is registered for use on the Internet. After getting input from the IT staff members at the corporate office and at each of the cities in which training centers are located, you determine that employees at each business office primarily use resources on computers in their own city. On occasion, employees need to access resources at the corporate office. They do not need to access resources in other cities. You also learn that it is important to limit the amount of traffic across the T1 lines connecting each office to the Internet. What recommendation should you make regarding the placement of domain controllers and computers running the DNS server service for BCD Train?

A. Install the DNS server service on a computer running Windows 2000 Server at each business office. Create a zone that contains resource records only for the computers at that location. Delegate control of this zone from the DNS server at the corporate office to the appropriate local DNS server. Configure four computers as domain controllers at the corporate office.
B. Install the DNS server service on a computer running Windows 2000 Server at each business office. Configure each of these computers as a caching-only server. Configure these computers to use DNScorp as a forwarder. Configure a computer at each office location and at each training center location as a domain controller.
C. Install the DNS server service on a computer running Windows 2000 Server at each business office. Create a standard secondary zone on each of these computers for the existing standard primary zone. Configure each of these computers to use DNScorp as a master name server. Configure two computers as domain controllers at the corporate office.
D. Configure DNScorp as a domain controller. Convert the standard primary zone to an Active Directory-integrated zone. Configure a computer running Windows 2000 Server at each business office as a domain controller for the Windows 2000 domain. Install the DNS server service on these computers.

>> !
Answer: D

You should configure DNScorp as a domain controller and convert the standard primary zone to an Active Directory-integrated zone. You should configure a computer running Windows 2000 Server at each business office as both a domain controller and a DNS server. Placing a domain controller at each office will help to optimize logons and minimize logon traffic across the T1 lines. Converting the zone to an Active Directory-integrated zone will help to minimize the overhead of DNS zone transfers, since the DNS updates will be replicated as part of the Active Directory replication process. You should not configure a computer running Windows 2000 Server at each business office as a secondary name server for the existing standard primary zone and configure two computers at the corporate office location as domain controllers. This would require all logon traffic to be sent across the T1 lines and that all updates to the DNS zone be sent over the T1 lines to the primary name server. You should not configure a computer at each business office as a caching-only DNS server and configure a computer at each office location and at each training center as a domain controller.
Although the caching-only server would aid in resolving names for local resources, all updates to the standard primary zone would have to be sent over the T1 line. You do not need a domain controller at every training center location, since only a few employees access the corporate network from each of the training centers that do not house office employees. These employees can readily access the domain controller at the business office in their city. You should not create a separate zone with the resource records for each business office and delegate authority for that zone to a computer running Windows 2000 Server and the DNS server service at each office. This adds too much complexity to the DNS hierarchy. The DNS subdomains in this solution would not match the Active Directory structure that consists of only one Windows 2000 domain. Also, you should not configure domain controllers only at the headquarters office because this would require that all logon traffic be sent across the T1 lines. You would use a delegated DNS subdomain if you had an existing DNS server that hosts the corporate DNS domain name and that server does not support dynamic DNS and service (SRV) records. In that case, you would create a subdomain for the Active Directory resource records and delegate authority for that subdomain to a computer running Windows 2000 Server and the DNS server service. The decisions you make regarding the placement of domain controllers are also tied to your decisions about the site topology. Replication between domain controllers in a site occurs more frequently than replication between domain controllers in separate sites. You should consider the impact of this replication traffic on your network.
4.3.1. Design the placement of domain controllers. Considerations include performance, fault tolerance, functionality, and manageability.
4.4.1. Design the placement of DNS servers. Considerations include performance, fault tolerance, functionality, and manageability.


116. You have been hired as a consultant to assist BCD Train in designing an Active Directory architecture. During your analysis of the current network and the company's plans for integrating Windows 2000 into its network, you determine that Group Policy Objects (GPOs) should be defined to manage settings for client computers. With the current network topology and traffic, there are times when links between office locations and the headquarters office have little available bandwidth. When planning your Group Policy strategy, you must plan for the impact of applying group policy across slow links. Which two types of group policy settings will always be applied, even across a slow link? (Choose all that apply)

A. Folder Redirection
B. Administrative Templates
C. Internet Explorer Maintenance
D. Security Settings
E. Logon/Logoff and Startup/Shutdown Scripts

>> !
Answer: B & D

Security settings and administrative templates are always processed, even if a slow link is detected. Logon/Logoff and Startup/Shutdown Scripts are configured by default not to be processed if a slow link is detected. You can enable settings in these areas to be processed across a slow link. Internet Explorer Maintenance settings are configured by default not to be processed if a slow link is detected. You can enable these settings to be processed across a slow link. Folder Redirection is configured by default not to be processed if a slow link is detected. You can enable folder redirection to be processed across a slow link.
3.3.3. Design and plan the structure of organizational units (OU). Considerations include administration control, existing resource domains, administrative policy, and geographic and company structure. Plan policy management for client computers.


117. You have been hired as a consultant to assist BCD Train in designing an Active Directory architecture. During your analysis of the current network and the company's plans for integrating Windows 2000 into its network, you determine that Group Policy Objects (GPOs) should be defined to manage settings for client computers. You decide to configure settings common to all users in the default domain policy. You determine that there should be three GPOs created to manage the desktops of users throughout the enterprise. One of these three GPOs should be linked to each organizational unit (OU). When configuring the GPOs, which settings must you configure in the default domain policy to ensure that the settings are enforced for users defined in Active Directory?

A. Restricted Groups
B. Account policies
C. Logon/Logoff and Startup/Shutdown Scripts
D. Administrative Templates

>> !
Answer: B

You must configure the account policy settings in the default domain policy to ensure that these settings are enforced for users defined in Active Directory. Domain controllers enforce the account policy defined in the GPO linked to the domain. Account policy settings in a GPO linked to a site or to an OU apply only to the local accounts on the computers in the site or the OU, not to domain accounts. Settings you configure for Logon/Logoff and Startup/Shutdown Scripts in a GPO linked to a site or to an OU will apply to users and computers in the site or OU. You can also configure scripts in a GPO linked to a domain. You can manage settings in the administrative templates node of a GPO linked to a site, domain, or OU. You can define membership of restricted groups in a GPO linked to a site, a domain, or an OU.
2.3.3. Analyze the business requirements for client computer desktop management. Establish the required client computer environment.


118. You have been hired as a consultant to assist BCD Train in designing an Active Directory architecture. During your analysis of the current network and the company's plans for integrating Windows 2000 into its network, you learn that the existing NetWare servers at each office will continue to be used. Each user's home directory will be moved to a computer running Windows 2000 Server. A custom application runs on a NetWare server and cannot be moved to a computer running Windows 2000 Server, so the existing NetWare accounts will be kept. What utility should you recommend that BCD Train use in the Windows 2000 domain to keep the Novell Directory Services (NDS) database and Active Directory synchronized?

A. Active Directory Connector
B. Microsoft Directory Synchronization Services (MSDSS)
C. Directory Service Manager for NetWare (DSMN)
D. Gateway (and Client) Services for NetWare (GSNW)

>> !
Answer: B

You should recommend the use of Microsoft Directory Synchronization Services (MSDSS), a component of the product Services for NetWare. MSDSS allows you to migrate NDS objects to Active Directory as well as to establish either one-way or two-way synchronization between NDS and Active Directory databases. The product Services for NetWare includes two other utilities: the File Migration Utility and File and Print Services for NetWare. You use the Active Directory Connector to populate Active Directory with information from an Exchange Server 5.5 database and to synchronize the Exchange and Active Directory databases. You use the utility Gateway (and Client) Services for NetWare (GSNW) to configure access to file and print services on a NetWare server. Client computers can then access the file and print resources through the computer running Windows 2000 Server and GSNW. GSNW cannot be used to synchronize objects between NDS and Active Directory. You use the Directory Service Manager for NetWare (DSMN) to synchronize information between a NetWare bindery and a Windows NT 4.0 Security Accounts Manager (SAM) database.
3.4. Plan for the coexistence of Active Directory and other directory services.


119. You have been hired as a consultant to assist BCD Train in designing an Active Directory architecture. What is the key factor you should consider when designing an organizational unit (OU) hierarchy?

A. The information flow between employees in each city, especially the flow between employees in different departments.
B. The information flow between employees in the corporate headquarters office and the employees in each city that has a training center.
C. The company management structure.
D. The responsibilities of members of the Information Technology (IT) departments.

>> !
Answer: D

You should consider the IT department responsibilities when designing an OU hierarchy. The OU hierarchy is not visible to users, but can be used to delegate responsibility to the appropriate groups and individuals. You should not design the OU hierarchy based on the company management structure since the computing administration model does not align directly with the business model. You should consider the company management structure when designing your security groups and access to resources. You should consider the information flow between employees in both the same and in different departments in each city when designing your local area network infrastructure. You should consider the information flow between employees in the corporate headquarters office and employees in each city that has a training center when designing your wide area network infrastructure.
2.2.4. Analyze the impact of Active Directory on the existing and planned technical environment. Analyze existing and planned network and systems management.


120. You have been hired as a consultant to assist BCD Train in designing an Active Directory architecture. Which organizational units (OUs) should you recommend be created to implement the company's Information Technology (IT) support model, as well as support future expansion goals?

A. Create three OUs - one each for the Microsoft, Novell, and Oracle courses.
B. Create twenty-one OUs - one for the headquarters office and one for each city in which there is a business office and one or more training centers.
C. Create four OUs - one for the corporate location and one each for Sales, Training, and Operations.
D. Create twenty OUs - one for each city in which there is a business office and one or more training centers.
E. Create twenty-eight OUs - one for each training center.

>> !
Answer: D

You should create twenty OUs - one for each city in which there is a business office and one or more training centers. Since the IT staff members in each city are responsible for the hardware, software, and networking components for both employees and classrooms in their respective cities, creating an OU for each city will allow control of the Active Directory objects for each city to be delegated to the local IT staff members. As offices and training centers are opened in new locations, the OU model can be easily expanded to accommodate the new locations. You should not create OUs based on each of the vendors for which courses are delivered. Although the sales model conforms to this organization, the IT support model does not reflect this structure. Each local IT staff member is responsible for all class setups, not just those for one vendor. You should not create an OU for the headquarters office and one each for Sales, Training, and Operations. Although the business operations model conforms to this organization, the IT support model does not support this structure. Each local IT staff member is responsible for supporting all employees in his or her respective city, not just those in a functional area.
The IT staff members at the headquarters office are responsible for domain-wide management, so you should not create a separate OU for these staff members to manage. You should not create an OU for each training center, since the training centers in the cities with three training centers are managed by the IT staff members at the business office for that city. You should not create an OU for the headquarters office and one for each city in which there is a business office and one or more training centers. The IT staff members at the headquarters office are responsible for domain-wide management, so you should not create a separate OU for these staff members to manage. The Active Directory objects for users, computers, groups, and resources at the headquarters office can be managed through the domain policies and procedures. There is nothing in the scenario that dictates that a separate OU be created for these objects.
1.3.2. Analyze factors that influence company strategies. Identify the projected growth and growth strategy.
3.3.1. Design and plan the structure of organizational units (OU). Considerations include administration control, existing resource domains, administrative policy, and geographic and company structure. Develop an OU delegation plan.


121. You have been hired as a consultant to assist BCD Train in designing an Active Directory architecture. You have discovered that the company plans to implement Exchange 2000 as its messaging system within four months after implementing an Active Directory domain. You recommend that BCD Train prepare for the Exchange implementation as they deploy Active Directory by running the Exchange setup utility with the forestprep option. In addition to being an administrator on the computer on which setup is run, to which group or groups must an administrator belong to use the forestprep option?

A. Schema Admins only
B. Schema Admins and the forest root Domain Admins
C. Enterprise Admins and the Domain Admins group in the forest root domain
D. Enterprise Admins only
E. Enterprise Admins and Schema Admins

>> !
Answer: E

An administrator must be a member of both the Enterprise Admins group and the Schema Admins group, since the forestprep option makes modifications to Active Directory object permissions and to the schema. It is not sufficient to be a member of just the Enterprise Admins group or just the Schema Admins group. An administrator does not have to be a member of the Domain Admins group in the forest root domain to use the forestprep option. After setup is run with the forestprep option, setup must be run with the domainprep option in each domain in which Exchange servers will be installed. An administrator must be a member of the Domain Admins group of each domain in which setup is run to use the domainprep option.
3.1.1. Design an Active Directory forest and domain structure. Design a forest and schema structure.


122. You have been hired as a consultant to assist BCD Train in designing an Active Directory architecture. You have learned that management wants to continue to use the Domain Name System (DNS) domain name that is registered to support the current Web site. You also learn that the email system will be expanded to support communication to and from the Internet. DNS support is currently provided by the ISP being used for each office location. Support for DNS will be assigned to the internal IT staff members as part of the upgrade to Windows 2000. DNS will be installed on computers running Windows 2000 Server. What naming strategy should you recommend for the Active Directory root domain, as well as internal and external resources?

A. Use a delegated DNS subdomain name for the Active Directory root domain and internal resources. Use the existing DNS domain name for external resources.
B. Use the existing DNS domain name for internal and external resources and for the Active Directory root domain.
C. Use a new DNS domain name for the Active Directory root domain and for internal resources and the existing DNS domain name for external resources.
D. Use the existing DNS domain name for the Active Directory root domain and for resources at the corporate office and a new DNS domain name for each city in which an office and one or more training centers exist.

>> !
Answer: B

You should recommend that BCD Train use the same DNS domain name for internal and external resources and the Active Directory root domain. Since a DNS domain name already exists and there are no business reasons given to have separate names, a single name will work. The only external resource noted is the existing web server. You should not recommend the use of a delegated DNS subdomain for the Active Directory root domain. You use a delegated DNS subdomain for Active Directory if the DNS servers hosting the resource records for the corporate DNS domain name cannot support service (SRV) records and management has decided to continue using existing DNS servers. Since DNS will be installed on computers running Windows 2000 Server, there will be support both for SRV records and for dynamic DNS. There is no business reason to use a new DNS name for the Active Directory root domain and for internal resources and the existing DNS domain name for external resources.
Since the company's locations are connected to the corporate office via T1 lines, a private IP addressing scheme could be used to protect internal resources. External IP addresses can be used for the computers that require access from the Internet. There is no reason given to use the existing DNS domain name for the Active Directory root domain and for resources at the corporate office and a new DNS domain name for each city in which an office and one or more training centers exist. When the email system is expanded to provide support for communication to and from the Internet, all employees can be assigned the same email address suffix, for example: user@bcdtrain.com. You could also create DNS subdomains for each office location and configure email addresses that included the location in the suffix, for example: user@city.bcdtrain.com. However, this would not require a new DNS domain name for each office, just a subdomain of the corporate domain. You must also consider how this integrates with your planned Active Directory domain structure.
2.1.5. Evaluate the company's existing and planned technical environment. Analyze data and system access patterns.
3.2.2. Design an Active Directory naming strategy. Design the namespace.


123. You have been hired as a consultant to assist FI-Print in designing an Active Directory architecture. After analyzing the current network and the company's plans for integrating Windows 2000 into its network, you recommend that FI-Print establish two Windows 2000 domains, one for FI-Print and one for PSC. You also recommend that domain controllers for the FI-Print domain be installed at the headquarters office and at the main office for each division of FI-Print. You recommend that three domain controllers be installed in Boise for the PSC domain. You also recommended that four sites be created: one for the offices in the West division, one for the offices in the Central division and the headquarters office, one for the offices in the East division, and one in Boise that aligns with the PSC domain. What should you recommend regarding the number and location of global catalog servers?

A. Install two global catalog servers. Install one at the headquarters office in Dallas and one in Boise.
B. Install four global catalog servers. Install one in Dallas, one in Boston, one in San Diego, and one in Boise.
C. Install five global catalog servers. Install one in San Diego, one in Boston, one in Boise, and two in Dallas. In Dallas, install one at the headquarters office and one at the main office of the Central division.
D. Install one global catalog server. Install it at the headquarters office in Dallas.

>> !
Answer: B

You should recommend that four global catalog servers be installed, one per site. This keeps queries issued against the entire directory within each site. Also, if the enterprise implements universal security groups, a global catalog server in each site keeps logons local: in a native-mode domain a user's universal group membership is read from a global catalog during logon, so a site without one depends on the WAN link for every logon. The global catalog service can be enabled on the existing domain controller in each site, or a second domain controller can be installed to hold the global catalog role. Since each site already has a domain controller from one domain, the only additional replication traffic between sites will be replication of the partial (read-only) partition of the other domain to the computer configured as a global catalog server. You should not install only one global catalog server in the enterprise. All queries against the entire directory would then be served by that one server, which could saturate the 128 Kbps connections between each site and the headquarters office. You should not install only two global catalog servers, one at the headquarters office and one in Boise. All queries against the entire directory would then be served by those two servers, which could saturate the 128 Kbps connections between sites; only the connection between Boise and San Diego is a T1 line. You do not need five global catalog servers with two in the Dallas area and one in each of the other sites. Although both the headquarters office and the Central division office are in Dallas, they are in the same site, so one global catalog server can serve users in both offices. 4.2.1. Design the placement of global catalog servers. Considerations include performance, fault tolerance, functionality, and manageability.


124. You have been hired as a consultant to assist FI-Print in designing an Active Directory architecture. After analyzing the current network and the company's plans for integrating Windows 2000 into its network, you recommend that FI-Print establish two Windows 2000 domains--one for FI-Print and one for PSC. You also recommend that domain controllers for the FI-Print domain and a global catalog server be installed at the headquarters office and at the main office for each division of FI-Print. You recommend that three domain controllers be installed in Boise for the PSC domain. What should you recommend regarding the number of sites that should be created?

A. Four sites - one per division and one for PSC
B. A single site
C. Two sites - one for FI-Print, another for PSC
D. Three sites - one per division with PSC in the site for the Western division

>> !
Answer: D

You should recommend that three sites be created - one per division with the computers in the PSC domain belonging to the site defined for the Western division. You should define sites to help minimize the time it takes a user to log on and to optimize global catalog searches. Since offices within each division are connected to the main office for the division via T1 lines and there will be a domain controller at each main office, defining a site for each division will maximize the likelihood that each user will be validated by a domain controller located in his or her division. This will help to reduce logon traffic across the 128 Kb lines between the main divisional offices. Since the computers for the PSC domain are all situated in one location, the computers should all be a member of the same site.
However, it is not necessary that a separate site be created for these computers. Including the computers in the site created for the Western division maximizes the likelihood that client computers will connect to a global catalog server in the Western site for global catalog searches, and that domain controllers in the PSC domain will replicate the schema and configuration partitions with other domain controllers in the Western site. This helps to minimize global catalog and replication traffic across the 128 Kbps lines. The schema and configuration partitions are forest-wide, so every domain controller in the forest replicates them regardless of domain. You should not create a single site for the entire organization, nor a single site for FI-Print and another site for PSC. Sites do not need to be aligned with domains. Since the connections between the main offices for each division are 128 Kbps lines, you should configure sites that minimize traffic across these lines. If all the computers for FI-Print are in the same site, logon traffic, global catalog searches, and replication of all partitions will compete for that bandwidth. 1.1.2. Analyze the existing and planned business models. Analyze company processes. Processes include information flow, communication flow, service and product life cycles, and decision-making. 3.5.1. Design an Active Directory site topology. Design a replication strategy.


125. You have been hired as a consultant to assist FI-Print in designing an Active Directory architecture. What structure should you recommend for the company's Active Directory forest?

A. A single domain
B. Five domains in a single tree consisting of a root domain with a child domain for each division of FI-Print and a child domain for PSC
C. A forest root domain in one tree for FI-Print with three child domains of the root domain for the three divisions of FI-Print and one domain in a second tree for PSC
D. Two domains, each in a separate tree, with one domain for FI-Print and one for PSC

>> !
Answer: D

You should recommend two domains, each in a separate tree, with one domain for FI-Print and one for PSC. Since each company already has an Internet presence, you want to establish an Active Directory domain structure that aligns with the existing DNS domain structure. Also, since each company will be managed separately, separate domains are appropriate. You should not recommend a single domain because FI-Print and PSC are managed separately and each already has an Internet presence that should be preserved. You should not recommend five domains in a single tree consisting of a root domain with a child domain for each division of FI-Print and a child domain for PSC.
Since FI-Print and PSC are managed separately and each already has an Internet presence, there should be one tree for FI-Print and one for PSC. Also, there is no need for separate domains for each of the divisions within FI-Print, since there are no business reasons to manage security and domain policies differently for each division. You should not recommend a forest root domain in one tree for FI-Print with three child domains of the root domain for the three divisions of FI-Print and one domain in a second tree for PSC. Domains for FI-Print and PSC should be in separate trees, but there is no need for separate domains for each of the divisions within FI-Print, since there are no business reasons to manage security and domain policies differently for each division. 1.1.1. Analyze the existing and planned business models. Analyze the company model and the geographical scope. Models include regional, national, international, subsidiary, and branch offices. 3.1.1. Design an Active Directory forest and domain structure. Design a forest and schema structure.


126. You have been hired as a consultant to assist FI-Print in designing an Active Directory architecture. You have interviewed corporate executives, general managers, and members of each IT team to collect data needed to determine which design would work best for FI-Print. You have information on the number of computer users at each location, existing computers, the existing network infrastructure, and computer usage patterns. What utility can you use to determine where domain controllers and global catalog servers for the Active Directory domain or domains should be placed?

A. Active Directory Sizer
B. NETDOM
C. LDIFDE
D. Replication Monitor
E. Active Directory Connector

>> !
Answer: A

You can use the Active Directory Sizer to determine where domain controllers and global catalog servers should be placed. You can also use it to estimate the size of the Active Directory, to estimate replication traffic, and to plan where to configure sites and site links. The Active Directory Sizer is available in the Windows 2000 Server Resource Kit. You use the Active Directory Replication Monitor (replmon.exe) to view the site topology, replication partners, and the global catalog servers for an existing Active Directory implementation. You use the Active Directory Connector (ADC) to populate Active Directory with information from an Exchange Server 5.5 database and to synchronize the Exchange and Active Directory databases.
There are two versions of the ADC: one is delivered with Windows 2000 and one is delivered with Exchange 2000. You use LDIFDE to import data to and export data from an Active Directory. You use Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) files for the data. You use the Domain Manager (NETDOM), a command line utility, to manage machine accounts and trusts in Active Directory. You can also use it to verify secure channel passwords and to synchronize a computer's time with a domain controller. NETDOM is available in the Windows 2000 support tools. 2.2.1. Analyze the impact of Active Directory on the existing and planned technical environment. Assess existing systems and applications. 3.7. Design an Active Directory implementation plan.


127. You have been hired as a consultant to assist FI-Print in designing an Active Directory architecture. You learn that, although PSC, the new acquisition, will be managed independently of FI-Print, there are ten employees who will be reassigned from PSC to FI-Print in six months. You also learn that additional acquisitions are being planned and that employees of some of the companies that will be acquired may work directly for FI-Print in the future. You recommend that separate Windows 2000 domains be created for FI-Print and PSC, and you want to ensure that the user accounts for the employees who will be reassigned will be updated properly when moved from one domain to another. What role should you ensure is configured on a different domain controller from the domain controller that is the infrastructure master?

A. Relative Identifier (RID) Master
B. Schema Master
C. Global Catalog Server
D. Primary Domain Controller (PDC) Emulator

>> !
Answer: C

You should ensure that the infrastructure master role is held by a domain controller that is not a global catalog server. There is one infrastructure master per domain. It is responsible for updating cross-domain references, for example memberships in this domain's groups that point to users or groups in another domain, when the referenced object is renamed, moved, or deleted. Both the distinguished name and the security identifier (SID) of an object change when the object is moved to another domain. The infrastructure master finds stale references by comparing its own copies of the referenced objects with a global catalog. If it is itself a global catalog server, its copies are never out of date, so no inconsistencies are detected and the updates are never made. The one exception is a domain in which every domain controller is also a global catalog server (or a single-domain forest): then no domain controller holds stale references and the placement does not matter. The infrastructure master and the schema master can safely be configured on the same domain controller. There is one schema master per forest. All modifications to the schema are made on the schema master and then replicated to the other domain controllers. The infrastructure master and the PDC emulator can also safely be configured on the same domain controller.
There is one PDC emulator per domain. In a domain running in mixed mode, the PDC emulator acts as the PDC for the Windows NT 4.0 Backup Domain Controllers (BDCs) in the domain. In domains running in mixed mode or in native mode, the PDC emulator is the domain controller on which updates to Group Policy objects (GPOs) are made by default. Also, in domains running in mixed mode or in native mode, the PDC emulator receives immediate updates from other domain controllers when the password for an account is changed or an account is locked out. These changes are then replicated to the other domain controllers. The infrastructure master and the RID master can safely be configured on the same domain controller. There is one RID master per domain. The RID master assigns a pool of 500 RIDs to each domain controller. The domain controller then uses the RIDs to ensure that each security principal it creates is assigned a unique SID; the RID is the final component of the SID. When there are 50 or fewer unused RIDs in a domain controller's pool, the domain controller requests an additional 500 RIDs. 1.3.2. Analyze factors that influence company strategies. Identify the projected growth and growth strategy. 4.1.1. Design the placement of operations masters. Considerations include performance, fault tolerance, functionality, and manageability.
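The placement rule above is easy to get wrong once domain controllers are promoted to global catalog servers after the fact, so it is worth checking mechanically. The script below is an added example, not part of the original page or of any Microsoft tool: it takes a constructed inventory of domain controllers (the names and the domain names fiprint.example and psc.example are hypothetical, modelled on the recommendations in these questions; in practice you would fill the list from netdom query fsmo and dsquery server -isgc) and reports an infrastructure master that sits on a global catalog server, while recognising the exception where every domain controller in the domain is a global catalog server.

```python
"""Check Windows 2000 operations-master placement against the infrastructure
master / global catalog rule. Added example with constructed data; nothing
here contacts a real directory."""

from dataclasses import dataclass, field

PER_FOREST_ROLES = ("schema", "naming")
PER_DOMAIN_ROLES = ("pdc", "rid", "infrastructure")


@dataclass
class DomainController:
    name: str
    domain: str
    is_gc: bool
    roles: set = field(default_factory=set)   # subset of the role names above


# Constructed inventory (hypothetical names): FI-Print has a GC in every site,
# PSC has three DCs in Boise of which only one is a GC.
SAMPLE_DCS = [
    DomainController("HQ-DC1", "fiprint.example", True, {"schema", "naming", "pdc", "rid", "infrastructure"}),
    DomainController("WEST-DC1", "fiprint.example", True, set()),
    DomainController("CENTRAL-DC1", "fiprint.example", True, set()),
    DomainController("EAST-DC1", "fiprint.example", True, set()),
    DomainController("PSC-DC1", "psc.example", True, {"pdc", "rid", "infrastructure"}),
    DomainController("PSC-DC2", "psc.example", False, set()),
    DomainController("PSC-DC3", "psc.example", False, set()),
]


def forest_role_findings(dcs):
    """Every forest-wide role must be held exactly once in the forest and every
    domain-wide role exactly once per domain."""
    findings = []
    for role in PER_FOREST_ROLES:
        holders = [dc.name for dc in dcs if role in dc.roles]
        if len(holders) != 1:
            findings.append(f"forest: expected one {role} master, found {holders}")
    for domain in sorted({dc.domain for dc in dcs}):
        for role in PER_DOMAIN_ROLES:
            holders = [dc.name for dc in dcs if dc.domain == domain and role in dc.roles]
            if len(holders) != 1:
                findings.append(f"{domain}: expected one {role} master, found {holders}")
    return findings


def infrastructure_master_findings(dcs):
    """Flag an infrastructure master hosted on a GC, unless every DC of that
    domain is a GC or the forest has only one domain (no cross-domain references
    can go stale in either case)."""
    findings = []
    domains = sorted({dc.domain for dc in dcs})
    for domain in domains:
        members = [dc for dc in dcs if dc.domain == domain]
        masters = [dc for dc in members if "infrastructure" in dc.roles]
        if len(masters) != 1:
            findings.append(f"{domain}: expected one infrastructure master, found {len(masters)}")
            continue
        im = masters[0]
        non_gc = [dc.name for dc in members if not dc.is_gc]
        if im.is_gc and non_gc and len(domains) > 1:
            findings.append(
                f"{domain}: infrastructure master {im.name} is a GC; "
                f"move the role to a non-GC DC ({', '.join(non_gc)})"
            )
    return findings


def relocate(dcs, domain, role, target_name):
    """Return a copy of the inventory with a per-domain role moved to target_name
    (what you would do with ntdsutil 'transfer infrastructure master')."""
    out = []
    for dc in dcs:
        roles = set(dc.roles)
        if dc.domain == domain:
            roles.discard(role)
            if dc.name == target_name:
                roles.add(role)
        out.append(DomainController(dc.name, dc.domain, dc.is_gc, roles))
    return out


if __name__ == "__main__":
    for line in forest_role_findings(SAMPLE_DCS) + infrastructure_master_findings(SAMPLE_DCS):
        print(line)
```

In the constructed inventory only the PSC domain is reported: FI-Print's infrastructure master is on a GC too, but every FI-Print domain controller is a GC, so the role cannot hold stale references there.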


128. You have been hired as a consultant to assist MedDev in designing an Active Directory architecture. After analyzing the current network and the company's plans for integrating Windows 2000 into its network, you recommend that a single Windows 2000 domain be created for each country. You learn that one issue of concern to the management team at MedDev is that each manufacturing facility maintains its own patient database, and there is no enterprise-wide database for information about all patients. Because there are patients who could receive medical devices from more than one of the manufacturing facilities, the management team members request that you design a database of core patient information from all manufacturing facilities. You propose that a domain local security group be created in the domain in which the server hosting the database resides. This group should be assigned the share permission Change for the shared folder in which the database is stored. What security strategy should you propose to manage update access to this database?

A. Create global security groups in each domain. Add user accounts of those who need to update the database to the global group in the appropriate domain. Create a universal security group that contains the global groups that need access to the database. Assign the domain local group NTFS Read and Write permissions to the database. Make the universal group a member of the domain local group.
B. Create a universal security group in each domain. Add user accounts of those who need to update the database to the universal group in the appropriate domain. Assign the domain local group NTFS Read and Write permissions to the database. Make the universal group from each domain a member of the domain local group.
C. Create a universal security group in each domain. Add user accounts of those who need to update the database to the universal group in the appropriate domain. Assign the domain local group NTFS Modify permission to the database. Make the universal group from each domain a member of the domain local group.
D. Add the user accounts of those who need to update the database to the domain local group. Assign the domain local group NTFS Modify permission to the database.

>> !
Answer: A

In a multiple-domain forest the recommended procedure is to gather user accounts into global security groups, create a universal security group that includes the appropriate global groups from each domain, create domain local security groups to which you assign rights and permissions, and then add the universal group to the appropriate domain local groups. Universal security groups exist only in native-mode domains, so the domains involved must have been switched to native mode. The membership of a universal group is replicated to every global catalog server in the forest, so you should avoid universal groups whose membership changes frequently. A good practice is to make global groups members of universal groups: user accounts may be added to and removed from the global groups while the universal group's membership, which is just the list of global groups, stays constant. You should recommend that global security groups be created in each domain. Members of each global group should be the user accounts of those who need to update the database from the domain in which the global group is created. You should recommend that a universal security group be created and that the global groups from each domain be added to it. You should also recommend that the universal group be added to the domain local group. You should recommend that the domain local group be assigned the NTFS Read and Write permissions to the database. This will allow users to read the database and add information to it, but will prevent them from deleting the database. Because the effective permission on a shared folder is the more restrictive of the share permission and the NTFS permission, the Change share permission does not give back the Delete right that the NTFS Read and Write permissions withhold. You should not recommend that a universal group be created in each domain and that user accounts be added to each universal group. Since those who need access to the database will change over time and you want the membership of a universal group to remain static, only groups should be members of universal groups. You should not recommend that the user accounts of those who need to update the database be added directly to the domain local group. When working with domain local groups, you should take advantage of being able to nest groups.
You should not recommend that the domain local group be assigned the NTFS Modify permission to the database. This permission would allow members of the group to delete the database. The ability to delete the database should be limited to the owner of the database. This scenario describes the system-level security strategy; most database programs also manage security internally. 1.3.3. Analyze factors that influence company strategies. Identify relevant laws and regulations. 2.1.7. Evaluate the company's existing and planned technical environment. Analyze security considerations.
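The nesting rules that make option A work (and that rule out the others) can be written down and tested. The model below is an added example, not code from the original page or from Microsoft: it encodes the Windows 2000 native-mode scope rules, builds the option A structure with constructed user and group names in two hypothetical MedDev domains (us.meddev.example and de.meddev.example), flattens the nested membership to the users who would end up with the NTFS permission, and flags universal groups that hold user accounts directly, which is the pattern in options B and C.

```python
"""Group-scope nesting model for the accounts -> global -> universal -> domain
local -> permissions strategy. Added example with constructed data; nothing
here touches a real directory or sets a real ACL."""

from dataclasses import dataclass, field

USER, GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "user", "global", "universal", "domain_local"


@dataclass(eq=False)
class Principal:
    name: str
    domain: str
    scope: str                              # USER, GLOBAL, UNIVERSAL or DOMAIN_LOCAL
    members: list = field(default_factory=list)


def can_contain(group, member):
    """Windows 2000 native-mode nesting rules for security groups."""
    same_domain = group.domain == member.domain
    if group.scope == GLOBAL:               # users and global groups from its own domain only
        return member.scope in (USER, GLOBAL) and same_domain
    if group.scope == UNIVERSAL:            # users, global and universal groups from any domain
        return member.scope in (USER, GLOBAL, UNIVERSAL)
    if group.scope == DOMAIN_LOCAL:         # forest-wide members; domain local only from own domain
        return member.scope in (USER, GLOBAL, UNIVERSAL) or (
            member.scope == DOMAIN_LOCAL and same_domain)
    return False                            # a user account has no members


def add_member(group, member):
    if not can_contain(group, member):
        raise ValueError(f"{group.scope} group {group.name} ({group.domain}) cannot contain "
                         f"{member.scope} {member.name} ({member.domain})")
    group.members.append(member)


def effective_users(group):
    """Flatten nested membership to the set of user names; tolerates nesting cycles."""
    seen, users, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if id(g) in seen:
            continue
        seen.add(id(g))
        for m in g.members:
            if m.scope == USER:
                users.add(m.name)
            else:
                stack.append(m)
    return users


def replication_warnings(groups):
    """Universal group membership is replicated to every global catalog server, so
    flag universal groups that hold user accounts directly."""
    return sorted(g.name for g in groups
                  if g.scope == UNIVERSAL and any(m.scope == USER for m in g.members))


def build_patient_db_access():
    """Option A wired up: per-domain global groups -> one universal group -> the
    domain local group that would carry NTFS Read and Write on the database share."""
    us, de = "us.meddev.example", "de.meddev.example"
    anna, bernd = Principal("anna", de, USER), Principal("bernd", de, USER)
    carol = Principal("carol", us, USER)
    gg_de = Principal("GG-PatientDB-Updaters", de, GLOBAL)
    gg_us = Principal("GG-PatientDB-Updaters", us, GLOBAL)
    univ = Principal("UG-PatientDB-Updaters", us, UNIVERSAL)
    dl = Principal("DL-PatientDB-ReadWrite", us, DOMAIN_LOCAL)   # the group that gets the ACE
    for g, m in ((gg_de, anna), (gg_de, bernd), (gg_us, carol),
                 (univ, gg_de), (univ, gg_us), (dl, univ)):
        add_member(g, m)
    return dl, [gg_de, gg_us, univ, dl]


if __name__ == "__main__":
    dl, groups = build_patient_db_access()
    print("users with Read and Write:", sorted(effective_users(dl)))
    print("universal groups with direct user members:", replication_warnings(groups))
```

Adding or removing a user only ever touches a global group, so the universal group's membership, and therefore what the global catalog servers replicate, stays unchanged.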


129. You have been hired as a consultant to assist MedDev in designing an Active Directory architecture. You have learned that the existing messaging systems at MedDev run Microsoft Mail. Because the corporate management team has already decided that Exchange 2000 will be implemented on an enterprise-wide basis, you recommend that the Exchange 2000 setup be run with the /forestprep and /domainprep options to configure Active Directory for Exchange 2000. A project team that consists of an IT staff member from each country at MedDev wants to set up a test lab to develop procedures for migrating the existing mailbox definitions and email into Exchange 2000. What utility should you recommend that project team members at MedDev use to import the existing mailbox definitions to Active Directory in the test lab?

A. Microsoft Mail Connector
B. LDIF Data Exchange (LDIFDE)
C. The Active Directory Connector
D. CSV Data Exchange (CSVDE)

>> !
Answer: D

You should recommend that the project team members use CSVDE. Mailbox definitions can be exported from the Microsoft Mail post offices to a comma-separated values (CSV) file and then imported to Active Directory with CSVDE. Note that CSVDE can only create objects and cannot set passwords, so the imported user accounts are created disabled and must be given passwords and enabled afterwards. You should not recommend that the project team members use LDIFDE, since LDIFDE uses LDAP Data Interchange Format (LDIF) files. Microsoft Mail does not support LDAP. You use the Active Directory Connector (ADC) to transfer information between an existing Exchange 5.5 organization and Active Directory. You use the Microsoft Mail Connector to transfer email between a Microsoft Mail network and an Exchange 5.5 or Exchange 2000 organization. You need the Microsoft Mail Connector and a Directory Synchronization (DirSync) connector to transfer mailbox definitions from Microsoft Mail to an Exchange 5.5 directory or to an Exchange 2000 organization. 3.4. Plan for the coexistence of Active Directory and other directory services.
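The step the answer glosses over is turning the post-office export into something csvde -i will accept: a header line naming the attributes, DN first, then one line per object, with any value that contains a comma quoted. The script below is an added example, not from the original page or from Microsoft: the two mailbox records are constructed, and the OU (OU=Mail Users,DC=meddev,DC=example), UPN suffix and mail domain are hypothetical. It escapes display names that would otherwise break the DN, caps sAMAccountName at its 20-character limit, and refuses to emit a file in which two accounts would collide on sAMAccountName, since CSVDE would otherwise stop part-way through the import.

```python
"""Build an import file for csvde -i from Microsoft Mail post-office mailbox
definitions. Added example with constructed input; the OU, domain and UPN
suffix are hypothetical."""

import csv
import io

# Constructed sample of what an export from two MS Mail post offices might yield
# (full name as displayed, mailbox name, post office name). Not real data.
SAMPLE_MAILBOXES = [
    {"full_name": "Anna Schmidt", "mailbox": "aschmidt", "post_office": "MUNICH"},
    {"full_name": "O'Brien, Carol", "mailbox": "cobrien", "post_office": "BOSTON"},
]

# Attribute order of the header line; every row carries the same columns.
CSVDE_ATTRIBUTES = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
                    "displayName", "mail", "description"]


def escape_rdn(value):
    """Escape characters that are special inside an LDAP distinguished name
    (RFC 2253), so a display name containing a comma does not split the DN."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def mailbox_to_csvde_row(mbx, ou_dn, upn_suffix, mail_domain):
    """Map one mailbox definition onto the attributes of an Active Directory user."""
    sam = mbx["mailbox"].lower()[:20]       # sAMAccountName is limited to 20 characters
    return {
        "DN": f"CN={escape_rdn(mbx['full_name'])},{ou_dn}",
        "objectClass": "user",
        "sAMAccountName": sam,
        "userPrincipalName": f"{sam}@{upn_suffix}",
        "displayName": mbx["full_name"],
        "mail": f"{sam}@{mail_domain}",
        "description": f"Migrated from MS Mail post office {mbx['post_office']}",
    }


def build_csvde_file(mailboxes, ou_dn, upn_suffix, mail_domain):
    """Return the CSV text for csvde -i. Raises ValueError if two mailboxes would
    collide on sAMAccountName (possible after lower-casing and truncation)."""
    rows = [mailbox_to_csvde_row(m, ou_dn, upn_suffix, mail_domain) for m in mailboxes]
    seen = set()
    for row in rows:
        if row["sAMAccountName"] in seen:
            raise ValueError(f"duplicate sAMAccountName {row['sAMAccountName']}")
        seen.add(row["sAMAccountName"])
    buf = io.StringIO()
    # The csv module double-quotes any value containing a comma, which is how
    # CSVDE expects a DN with embedded commas to be written.
    writer = csv.DictWriter(buf, fieldnames=CSVDE_ATTRIBUTES, lineterminator="\r\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(build_csvde_file(SAMPLE_MAILBOXES, "OU=Mail Users,DC=meddev,DC=example",
                           "meddev.example", "meddev.example"), end="")
```

Write the returned text to a file and import it with csvde -i -f mailusers.csv on a domain controller in the test lab. Because CSVDE cannot set passwords, the new accounts come up disabled; assign passwords and enable them in a separate step, and keep in mind that CSVDE only adds objects, so a corrected file cannot be re-imported over accounts that already exist.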


130. You have been hired as a consultant to assist MedDev in designing an Active Directory architecture. You recommend that a single Windows 2000 domain be created for each country. What organizational unit (OU) structure should you recommend for the top-level OUs in each domain?

A. Create six OUs - one for each department.
B. Create five OUs - one for each IS team.
C. Create two OUs - one for each Executive Vice-President's area of responsibility.
D. Create four OUs - one for each IS team other than the IS team responsible for networking.

>> !
Answer: D

You should recommend that four OUs be created, one for each IS team other than the IS team responsible for networking. Since the IS team responsible for networking is also responsible for servers, for determining policies and standards, and for assisting the other teams, members of this team should be granted authority at the domain level. An OU should be created for each of the other IS teams. Within those OUs, other OUs could be created, as needed, for the various departments for which each IS team is responsible. If, at a later date, responsibility for a department changes to another IS team, the OU for that department can be moved to the appropriate top-level OU. You should consider the IS department responsibilities when designing an OU hierarchy. The OU hierarchy is not visible to users, but can be used to delegate responsibility to the appropriate groups and individuals. You should not design the OU hierarchy based on the company management structure since the computing administration model does not align directly with the business model. You should consider the company management structure when designing your security groups and access to resources. You should not create two OUs, one for each Executive Vice-President's area of responsibility, since the IS support structure does not map to this structure. You should not create five OUs, one for each IS team, because the IS team responsible for networking needs authority at the domain level. Creating a separate OU for this team is not necessary. You should not create six OUs, one for each department, since the IS support structure does not map to this structure. 2.2.3. Analyze the impact of Active Directory on the existing and planned technical environment. Analyze technical support structure. 3.1.2. Design an Active Directory forest and domain structure. Design a domain structure.