Designing Active Directory
(Study Guide & Practice Tests)

by Michael Moncur & Paul Murphy

The following Study Guide and Practice Tests chapters are excerpts of Part 5 (Designing Active Directory) in MCSE in a Nutshell: The Windows 2000 Exams, published by O'Reilly & Associates, Inc. For more information and to order the book, visit http://www.oreilly.com.

Study Guide

This chapter includes the following sections, which address various topics covered on Exam 70-219, Designing A Microsoft Windows 2000 Directory Services Infrastructure:

Directory Services Overview

Discusses the functionality and role of the Active Directory in a business environment. Compares Active Directory to the Windows NT directory model. Describes the major components that make up an Active Directory.

Balancing Technical and Business Requirements

Describes the major focus of this exam: applying your knowledge of Active Directory to design a solution that meets the business needs of any organization, large or small.

Analyzing the Company

Describes how to map an organization using the physical layout, the departmental structure, and the functional structure. It also describes how to evaluate the Information Technology structure and how that will impact the management of your solution.

Domain Structure

Describes Windows 2000 security groups, Organizational Units, and Active Directory objects. Discusses the use of multiple domains and multiple domain trees. Describes the empty root domain tree structure, multiple forests, and multiple tree forests. Describes where to place domain controllers, operations masters, and global catalog servers.

Designing Trust Relationships

Describes the use of transitive trusts within a forest and external trusts between forests. Also discusses shortcut trusts and the authentication issues involved with trust relationships.

Designing Group Policies

Describes the goals of an effective Group Policy architecture. Describes security group filtering and Group Policy blocking.

Delegating Authority

Describes how to transfer object ownership and distribute responsibility throughout the Active Directory. Also describes permission inheritance issues.

DNS Naming

Describes how to organize a Domain Name Service naming structure for Active Directory. Also describes child and parent domains and efficient naming practices.

Schema Modification

Describes the relationship between attribute-schema objects and class-schema objects. Also describes how applications can modify the schema and how to manage and modify schema definitions through the Microsoft Management Console.

Replication

Describes how data is replicated between domain controllers throughout the Active Directory. Describes how to optimize site topology to decrease network traffic. Describes site links, site link bridges, and bridgehead servers. In addition to the replication information available in this section, I've described the implications that certain design choices have on replication performance in their respective sections throughout the chapter.

Directory Services Overview

Active Directory defines and arranges all of the elements of the network. It creates a single hierarchical database of the physical components, user accounts, programs, and data. It makes defining relationships and rules flexible through the use of organizational units, inherited permissions, and trusts. You'll need to have a firm grasp on the organizational qualities of Active Directory before you can blend in the business requirements to design a complete directory solution. This chapter helps reinforce how Active Directory is modeled and concentrates on leveraging Active Directory in real-world business scenarios.

Active Directory Versus the NT Domain Model

The Windows NT domain model included primary domain controllers (PDCs) and backup domain controllers (BDCs), which could only be linked by a series of one-way trusts. The PDC acted as a master server, while the BDCs acted in a subordinate way. Windows 2000 has a much more distributed, peer-to-peer relationship among its servers.

The wiring and physical layout of NT networks were often influenced and somewhat limited by the older, more strictly structured NT domain model. Windows 2000 allows for a lot more flexibility in the placement and functionality of servers. The processes that used to run mostly on the NT PDC can be reassigned to other servers in a much more flexible way. This also allows for a more robust replication environment, with servers disregarding traditional domain borders and replicating over the most efficient routes, based on how much bandwidth is currently available.

In an Active Directory network, all the Windows 2000 servers are essentially peers. Trusts are two-way, and the network is arranged in a tree structure with a true DNS naming scheme, just like on the Internet. This setup is much more flexible than the old NT domain model; and, as you'll see later, it will give you more options for planning to meet the complex business requirements discussed later in this chapter.

Windows 2000 is moving toward embracing the open Internet networking standards, like DNS, Kerberos, and Telnet. Microsoft could have gone much further by providing for more interoperability with open standards, but these are big steps in the right direction for making the "CSE" portion of your title more important than the leading "M."

Active Directory Components

You'll need to be absolutely comfortable with the following terms throughout the rest of the chapter:

  • Domain
  • Forest
  • Tree
  • Organizational Unit
  • Object

If you have any questions about the definition and practical use of these components, you'll find them covered in detail in the Active Directory chapter. This chapter and this test will concentrate heavily on the implementation of these basic building blocks of Active Directory as they apply to achieving specific business goals. The ability to translate business requirements into an Active Directory design is stressed in almost all of the questions. Some questions will go into great detail describing multiple business requirements, goals, and wishes. If you can quickly associate the AD component with a particular need, it will make designing the overall solution much easier.

ON THE EXAM

Always write down the business requirements in the long questions. A single missed requirement buried deep within a question will ruin a solution that meets every other aspect of what the company wanted you to accomplish. MCSE questions are often overly long and have confusing sentence structure. Don't be tempted to skip past seemingly unimportant filler when you read the questions.

Balancing Technical and Business Requirements

If you've never actually worked in or managed an IT department, you'll be at a bit of a disadvantage while taking this test. Many of the questions will involve giving you a series of requests and requirements, along with an overall goal. You'll be asked to make judgment calls based on not only what is technically possible, but what makes the most sense given the structure and politics of the people side of the business.

ON THE EXAM

The test questions are very in-depth, and you'll probably have to take notes. The first thing you should do is read the whole question through and write down only what is required. By separating this out, when you read through the question the second time, you can eliminate any conflicting goals from the proposed solution.

Always keep it in the back of your mind that Microsoft is aiming this exam at the network architect, rather than the IT staff that will actually run the network on a day-to-day basis. You have to think like a consultant for this exam. Organization and judgment are top priorities.

Analyzing the Company

Now that I've thoroughly emphasized the different approach you'll have to take on this exam, it's time to get to work on what skills you'll have to display to be successful.

The first task is to gather information about the company. There are three general categories you'll need to look at:

Requirements and goals

You'll need to make a list of everything that is required, such as limited access to the billing system and nightly backups. You'll also need to prioritize a list of goals that must not conflict with the requirements. Goals might include the ability to access files from a certain branch office. You'll have to decide whether the security and physical structure of the network will allow for that goal to be included, given the strict adherence to the requirements. No number of secondary goals is equal to the importance of a single requirement.

Planning for the future

Active Directory is modular, so growth or reorganization is usually easily accommodated. The one area where you'll have to be particularly careful is planning replication sites. They have very specific bandwidth requirements, and growth can disrupt the process and require the addition of expensive dedicated circuits, like T1, DSL, or coaxial cable connections. Adding an Ethernet hub and some Cat5 cable is usually not an issue, but be careful if you're replicating between remote locations. I can't think of a single question that has ever mentioned downsizing, so when questions talk about the future, plan on managing growth.

Business structure and personnel considerations

It is fairly straightforward to model an Organizational Unit (OU) structure after the company's departmental structure. Permissions can usually be inherited by departments intact, but it gets a bit more complex when companies have more than one location with similar departments and managers who need access to multiple departments in multiple domain trees. You can also manage business modeling efficiently using the empty root domain structure discussed later in this chapter.

Microsoft has included a bit of jargon to help you organize your notes when designing a solution. The jargon will probably show up, so it's a good idea to memorize these decisions. Also, the authors of the questions will probably have this model in mind when designing the questions, so using the same model may make deciphering the questions a bit easier.

Remember that some of the questions will be quite long and include several pages of requirements, goals, suggestions, and distracting filler. By using the four-point model shown in Table 5-1, you may be better able to prioritize both the requirements and the secondary goals.

ON THE EXAM

For many of the questions, you won't be able to see all of the text on the screen at once. Be sure to ask the test center for at least two or three pages to take notes on before you start. I once had to bang on the glass partition repeatedly and with increasing vigor to finally get the attention of the test center receptionist to give me another page for notes.

Table 5-1 Analyzing Your Notes

Analysis step: Decision point
Purpose: An individual item that is either required or suggested. You should separate the requirements from the goals and then prioritize the goals, grouping them so the goals that aren't mutually exclusive are listed together. You can then score each group of goals by importance and create a packaged solution.

Analysis step: Implications
Purpose: When you score the goals, be sure to take into account the effect that each goal has on the implementation of the others. If one goal would negatively impact many other goals, you may want to reconsider, even if the first individual goal is slightly more important than individual goals in the group it affects.

Analysis step: Risks
Purpose: You have to consider both the technical and financial costs of each solution. If adding a convenience feature poses an undue security risk, a client such as a lawyer or a bank has to abandon that feature.

Analysis step: Trade-offs
Purpose: On the questions, you'll sometimes have one group that wants a feature that could adversely affect another group. You'll have to do your best to weigh all of the options and be very careful with the precise wording of these sorts of questions.

Mapping Organizational Structure

You should make a chart of all the departments, who is in them, and what their job functions are. You should also determine all of the data- and equipment-sharing relationships between departments. If two departments need to share access to the same network resources, that should be considered when you design the Organizational Unit (OU) structure.

There are a few different ways to map the structure of an organization, and you may not be able to immediately pick out which way is best. In the next sections, you'll find descriptions of the common ways to map an organization.

IN THE REAL WORLD

Although I've listed the different ways of mapping a company separately, don't forget that you have the freedom to combine these techniques to form a hybrid structure. Most businesses have a functional structure that blurs the lines between departments, while retaining relatively strict departmental administrative and budgetary boundaries.

Physical locations

Because almost every organization has different departments, but not every company has multiple locations, it may be easier to start with locations. If a company has multiple physical locations, especially if the different physical locations have the same departments, you may want to create a physical locations chart first and have it handy when making the functional chart.

IN THE REAL WORLD

By creating a physical locations map first, then overlaying the departmental structure afterwards, you may find a more efficient way to organize the communication, workload, and administration of the company as a whole. Mapping how information flows through the physical and departmental charts can be a real eye-opener for an organization. If you get the brick and mortar company organized before you start designing an Active Directory, creating the AD structure will be a vastly easier task.

After you define all the physical locations, you'll want to map out the network connections available between them. For Active Directory to function efficiently, high-speed replication of network data is a must. If a remote location has a slow or intermittent connection to the rest of the organization, that will have to be resolved before they can fully participate in the AD. Careful placement of servers can often overcome some weakness in the bandwidth available for remote sites, especially when a local domain controller can handle user logon traffic on site, without having to cross the slow connection for authentication.

Departmental structure

Within each physical location, you should chart the different departments and interview the managers and employees to find out which resources they need access to and which they need to share with other departments. The main departmental divisions will likely be the main OU divisions, so access permissions planning is a must at the departmental level. Always try to assign permissions to the largest groups possible for easier administration.

The advantages of the departmental structure are that it's very easy to convert to an OU structure, employees are already familiar with it, and employee transfers between departments are easy. Assuming the departmental manager has the necessary knowledge, departmental OU structure also facilitates the delegation of authority to local department managers.

Functional structure

The Active Directory system is all about managing data. How does it go from place to place and who has access to it? The division of data access does not always follow strict departmental lines. If the company is designed in such a way that billing and sales need access to customer financial records and customer service and technical support need access to customer product records, you can divide by function rather than department. Instead of having four separate OUs based on department, you may be better off with two OUs, based on the data they need to access.

Don't forget that OUs are automatically arranged in a hierarchical structure with permissions inheritance. You can create top level OUs based on the data they need to access and lower level OUs by department. Then you can move an entire department in and out of data access OUs whenever the department's needs change.

Because permissions would be automatically inherited from the top level data access OU to the lower level departmental OU, you wouldn't have to change permissions for employees on an individual basis. They would inherit permissions from their departmental OU, which in turn inherits permissions from the data access OU.

Most of the time departments have many unrelated or conflicting functions that may cause this type of organization to be difficult, if not impossible, to create and maintain. Technically, you can block some permissions inheritance to solve these types of problems, but experience has shown that repeated blocking of permissions inheritance is more trouble than it's worth.
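
The functional structure described above (top-level data-access OUs, departmental OUs beneath them, a department moved between them, and inheritance blocking) can be modelled to check what a department actually ends up with. This is an added example, not code from the book; the OU, group and resource names are constructed, and the model only covers the allow-permission flow the text discusses.

```python
"""Model of OU permission inheritance for a functional (data-access) OU design."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class OU:
    """One Organizational Unit; permissions set here flow to every child OU."""
    name: str
    parent: Optional["OU"] = field(default=None, repr=False)
    children: Dict[str, "OU"] = field(default_factory=dict)
    # Permissions granted directly on this OU: resource -> groups allowed to use it
    aces: Dict[str, Set[str]] = field(default_factory=dict)
    block_inheritance: bool = False   # the "block permissions inheritance" switch

    def add_child(self, child: "OU") -> "OU":
        child.parent = self
        self.children[child.name] = child
        return child

    def grant(self, resource: str, group: str) -> None:
        self.aces.setdefault(resource, set()).add(group)

    def path(self) -> str:
        return self.name if self.parent is None else f"{self.parent.path()}/{self.name}"


def move_ou(ou: OU, new_parent: OU) -> None:
    """Re-parent a whole subtree: the drag-and-drop of a department between
    data-access OUs. Nothing inside the department itself has to be edited."""
    if ou.parent is not None:
        del ou.parent.children[ou.name]
    new_parent.add_child(ou)


def effective_permissions(ou: OU) -> Dict[str, Set[str]]:
    """Resolve what applies to `ou`: its own ACEs plus everything inherited from its
    ancestors, stopping at the first OU (itself included) that blocks inheritance."""
    result: Dict[str, Set[str]] = {}
    node: Optional[OU] = ou
    while node is not None:
        for resource, groups in node.aces.items():
            result.setdefault(resource, set()).update(groups)
        if node.block_inheritance:
            break   # nothing above this point flows down
        node = node.parent
    return result


def build_example_tree() -> OU:
    """Constructed tree: two top-level data-access OUs with departments beneath them."""
    root = OU("company.example")                    # hypothetical domain name
    root.grant("Intranet", "Domain Users")          # applies everywhere below the root
    fin = root.add_child(OU("CustomerFinancialData"))
    prod = root.add_child(OU("CustomerProductData"))
    fin.grant("FinancialRecords", "FinancialDataReaders")
    prod.grant("ProductRecords", "ProductDataReaders")
    for dept in ("Billing", "Sales"):
        fin.add_child(OU(dept))
    for dept in ("CustomerService", "TechSupport"):
        prod.add_child(OU(dept))
    return root


if __name__ == "__main__":
    tree = build_example_tree()
    sales_ou = tree.children["CustomerFinancialData"].children["Sales"]
    print(sales_ou.path(), effective_permissions(sales_ou))
    move_ou(sales_ou, tree.children["CustomerProductData"])   # Sales now needs product data
    print(sales_ou.path(), effective_permissions(sales_ou))
    sales_ou.block_inheritance = True                         # what blocking costs you
    print(sales_ou.path(), effective_permissions(sales_ou))
```

Blocking at the departmental OU drops the root-level grant as well as the data-access grant, which is the "more trouble than it's worth" effect the text warns about.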

IN THE REAL WORLD

The whole point of the OU structure is to have a clean, inherited, hierarchical structure. The more you alter this by blocking permissions inheritance, the more it resembles the old group-based permissions scheme. The larger the organization, the more difficult it becomes to do it the old way.

IT structure

This exam will probably make you feel like a consultant. Microsoft wants you to be able to design an Active Directory solution that can be managed by someone other than yourself, namely the IT staff at the fictitious enterprise mentioned in their questions. There are several types of IT management structures based on the size and purpose of the company. They are described in Table 5-2. You'll need to know about each one and how it will impact your decision making.

Table 5-2 IT Structure Types

Type: Centralized
Definition: All IT decisions and operations are handled by a single department in a single location.
Issues: Good communication with outside departments and locations is essential.

Type: Decentralized
Definition: IT decisions are handled independently at each location.
Issues: Interoperability, security, and cooperation are essential.

Type: Mixed
Definition: IT management is distributed, but technology is relatively consistent.
Issues: Affected by both the centralized and the decentralized issues.

Type: Outsourced
Definition: IT decisions are implemented and maintained by an outside interest.
Issues: Response time and communication are essential.

Remember that you can mix and match these structuring techniques to create a hybrid structure. It's often easiest to divide first by location, then by department, and finally by function. In any case, you may be better off creating all three charts and checking to see if the IT structure tips the scales at all.

Active Directory Architecture

For this exam, you are asked to be a network architect. The process of learning how to design an efficient and effective Active Directory follows the same pattern as learning a foreign language. Consider someone asking you a question in a foreign language. When you are just learning a new language, you have to translate, think in your native language, and translate again to respond. When you become fluent, you begin to think in the foreign language. With practice, you will become a much more efficient conversationalist, and eventually you'll talk as fast as a native speaker.

As far as being a network architect goes, the proper use of concepts like Organizational Units and permissions inheritance should become as familiar to you as the placement of windows and walls are to a traditional architect. Once you've reached that point, you'll be able to look beyond the complexities of what makes up an Active Directory and directly translate physical locations, departments, and job duties into trees, Organizational Units, and domain local groups.

Domain Structure

You'll need a solid understanding of the objects in the domain structure and how they relate to and interact with each other. The topics covered on the Windows 2000 MCSE tests overlap much more than they did on the older exams. Microsoft has interwoven the Networking Essentials, DNS, Active Directory, and Security topics throughout all of the exams. Although Active Directory and Security have their own tests, you'll need to know how Organizational Units, permissions inheritance, and Group Policies work for almost all of the exams, including this one.

Domain controller placement

Domain controllers authenticate users and perform many other administrative functions that keep AD running smoothly. If at all possible, you should try to include one domain controller for each replication site where interactive logins occur. Funneling all the login traffic for a network into a small number of remote computers significantly decreases overall network performance and user satisfaction.

Domain controllers tend to use more expensive hardware than typical workstations. If cost is an issue and you are limited in the number of domain controllers, don't skimp on the connectivity speed between domain controllers. If you are using an Ethernet network, try to have 100 Mbit connections between domain controllers and, if possible, across the entire network.

Operations masters placement

The first domain controller in an Active Directory network usually hosts the different operations master roles. There are a few different types of operations masters, and they aren't all used or manually modified very often. You can usually just allow the first domain controller to retain the operations master's functions.

IN THE REAL WORLD

Although you probably won't deal with operations masters on a regular basis and you can usually keep the default settings, there is one thing to be especially careful of: be sure that a domain controller that is acting as an infrastructure master is not also acting as a global catalog server. This may interfere with the infrastructure master's ability to cross-reference changes to objects on the network.

Global catalog server placement

Global catalog servers keep track of just about everything to do with objects and replicate that information on a regular basis. This means that global catalog servers need a lot of bandwidth. You have to strike a balance between the number of global catalog servers and the amount of available bandwidth you have supporting them.

The more global catalog servers you have, the faster the response for each request, assuming there is enough bandwidth to run at full capacity with room to spare for periodic fluctuations in network traffic.

Multiple domains

Although it's possible to have multiple domains sharing a single Active Directory, most of the time a well-designed single domain with multiple subdomains is an easier and more efficient solution to create and maintain. Active Directory can encompass multiple domains, sites, and forests. This can become very complex, so if you're given a choice between single or multiple domains, always choose single unless there is a compelling reason to do otherwise. In a few cases, a multiple domain strategy is the best solution:

Remote locations

If remote locations have low bandwidth connections between them, the frequent replication traffic generated in a single domain setup may be enough to overwhelm the connection. The cost of maintaining faster interconnection lines may outweigh the benefits of a single domain, especially if each location has qualified network administrators already on staff.

Limited partnerships

If two essentially separate organizations want to keep their own administrative controls in place, a multiple domain setup would keep domain Administrator accounts separate. This is especially important if companies are keeping secrets from one another.

Policy separation

If one company has a more stringent password policy, it may be necessary for the security of one company and the convenience of another to keep the policies separate. The only way to do that is with separate domains. For example, suppose a defense contractor requires passwords of at least 10 random characters changed every 48 hours without reusing the same password. The less sensitive areas of the company may not want such a strict policy.

Multiple domain trees

Domains within an Active Directory are automatically arranged in a hierarchical tree structure. The first domain in a tree is called a root tree. Every domain tree has a single root tree. Root trees and their child domains can be linked into a forest of domain trees. All trees in the forest have two-way transitive trust relationships, which means all user accounts in a forest can potentially access all resources in all domains in the forest.

The domain that will act as the root tree is created first. Most of the time, the root domain contains many of the resources and structures that will be used throughout all the child domains. You can name the root domain with the company name and create child domains for each department within a company. Sometimes, a company will want to further separate the branches of a tree from a common root domain without resorting to creating a multiple tree domain. This is made possible by creating an empty root domain.

Empty root domains

Suppose two companies merge and they want to have the benefits of automatic two-way trusts and a single domain tree while still maintaining a bit of separation between each domain. If the departmental structure of the companies is quite different, it might be easier not to have a common Organizational Unit structure.

If the first domain in a tree is left relatively empty, the child domains will be starting with a nearly clean organizational slate. This is a good way of organizing a company with one name and many separate divisions. In a smaller company, the same principle applies to a single domain's Organizational Unit structure. Each parent OU can be separated from the others while still being connected with a hierarchical tree structure.

IN THE REAL WORLD

An empty root domain configuration separates the master administrator account from the administrator account of each child domain. If you want to give relative autonomy to local administrators within each of the company's divisions, yet keep them from all having control over each other's subdomains, keep the root domain's Administrator account tightly controlled and let each location create an Administrator account for each subdomain independent of one another.

Multiple forests

You probably won't want to create a multiple forest structure for a single organization, regardless of how many divisions they have. Because they only allow for specific one-way trusts between two domains, linking the forests can be an administrative nightmare. In a few specific cases, a multiple forest may be your best option:

  • If two forests need to set up a limited relationship between a small number of domains, but otherwise remain autonomous, having a few one-way trusts is an acceptable way to share information.
  • If two large and complex forests already exist and companies are merging, the pragmatic approach may be to just link the domains that need to be linked on a case-by-case basis as the merger goes through. You should document each other's network for a potential full merger in the future.

IN THE REAL WORLD

Make sure that the domains linked in a multiple-forest trust relationship have sufficient bandwidth between them to handle the amount of traffic passing between the two networks. If users in one domain can have access to the other, but not vice versa, check to make sure you have two separate one-way external trust relationships.

Multiple-tree forests

Many businesses have a central ownership, but have separate names to describe each division. It is especially important to maintain name identification throughout the company if you choose to use the same domains for internal and external use. You can maintain brand identity through separate names while maintaining all the benefits of a single forest structure by naming each domain root for each separate division.

A multiple-tree forest is far easier to manage than a multiple forest. All trust relationships are two-way and are configured automatically. Replication among domains is easy to accomplish by the strategic division of replication sites that can encompass just about any well-connected area of the forest, regardless of domain.

Organizational Units

An Organizational Unit (OU) is a group of related objects that share access permissions. They are used similarly to the way groups were used in Windows NT, except that OUs can contain just about any type of object, not only user accounts.

Organizational Units provide a logical way to group and collectively manage such network resources as user accounts, files, folders, and printers. Usually, the OU matches a real-life department or team within a company. There are many benefits to dividing up the Active Directory into OUs.

The most obvious benefit is the ability to quickly map a company's departmental structure to permissions-based groups, where all the objects that need to perform job functions can be administered together as a unit.

The other benefit is the ability to easily delegate authority. You can assign administrator-like privileges to the manager of the web design department for all the scanners, printers, and web directories used by the department without giving that manager an Administrator account for the whole network.

By repeating this process, you can allow departmental managers to have day-to-day control over their work environment without any undue security risks. This will free more time for you to manage, monitor, and maintain the network as a whole without micromanaging every department.

The best part is that, when a new resource or employee is added or removed, you can simply drag and drop that resource in or out of the OU. What you'll do is create a domain for the company, create subdomains where appropriate, and divide the remaining resources into OUs based on departmental divisions.

Objects

This is the easiest component to remember. Any individual network resource in the Active Directory is considered an object. User accounts, files, folders, printers, and Organizational Units are all objects.

Objects have properties that describe what they are and permissions to control who has access to them. Objects can generally be moved around the Active Directory by dragging and dropping them in the Microsoft Management Console (MMC). The definitions of all objects are stored in the schema, which is covered in more detail later in this chapter as well as in other sections of the book.

Windows 2000 groups

It's a lot easier to manage security for a group of similar users rather than to assign permissions to each individual user account. Windows 2000 has three types of security groups detailed in Table 5-3.

Table 5-3 Security Groups

Group: Domain local
Description: Used to grant permissions within only the local domain. May contain user accounts and global groups from any trusted domain. Permissions granted are valid only within the local domain, regardless of where the account or group originated.

Group: Global
Description: Used to grant permissions across the entire forest. May contain only global groups and user accounts. Replicates only the group name between domains, not the group membership list, so replication traffic is less than with universal groups.

Group: Universal
Description: Used to grant permissions across the entire forest. Usually contains other groups, rather than individual user accounts. Can contain any type of group. Must replicate to all domains in the forest, so frequent changes to group membership can generate significant network traffic.

All of the groups can contain other groups, provided the domain is in native mode (a mixed-mode domain allows only user accounts in global groups and only users and global groups in domain local groups). Putting one group inside another is called nesting. Nesting is an efficient way to manage permissions for a large number of users while limiting the number of groups you have to manage directly on a regular basis. You can take the following approach to help organize groups:

  1. Start by adding user accounts to global groups by department or job function.
  2. If more than one department needs access to the same resources, nest the departmental global groups into a larger global group. Try to minimize the number of independent global groups by nesting where it makes sense; keeping track of permissions is easier with fewer separate groups.
  3. If groups from several domains must be combined and you can accept the global catalog replication that goes with it, add the global groups to universal groups; otherwise, add the global groups directly to domain local groups in the domain that holds the resources. The global-to-domain-local route carries far less replication traffic than distributing permissions across the forest through universal groups.
  4. Once all the user accounts are grouped as efficiently as possible, grant the needed permissions to the domain local groups and test to make sure everyone can access what they are supposed to and nothing else.
  5. After everything is running smoothly, delegate control of departmental group membership to each department head. Changes at the departmental level flow automatically up through the nesting, and you have a nearly self-sufficient group structure.
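
The scope rules in Table 5-3 are easy to state and easy to get wrong in a design document. The following script is an added example (not from the book) that checks a proposed nesting against those rules for a native-mode forest and expands the nesting to the user accounts that actually end up with a permission. The domain, group, and user names are constructed for illustration; nothing here queries a real directory.

```python
# Added example: a scope-rule checker for an AGDLP group design, modelling the
# Table 5-3 containment rules for a native-mode forest. Names below are
# constructed for illustration; nothing here talks to a real directory.

# What a group of each scope may contain (native mode):
#   domain_local: accounts, global and universal groups from any domain;
#                 other domain local groups only from the same domain
#   global:       accounts and global groups from the SAME domain only
#   universal:    accounts, global and universal groups from any domain,
#                 never domain local groups
ALLOWED = {
    "domain_local": {"user", "global", "universal", "domain_local"},
    "global": {"user", "global"},
    "universal": {"user", "global", "universal"},
}
SAME_DOMAIN_ONLY = {("global", "user"), ("global", "global"),
                    ("domain_local", "domain_local")}


def kind_of(principals, name):
    p = principals[name]
    return "user" if p["type"] == "user" else p["scope"]


def check_nesting(principals, members):
    """Return a list of human-readable violations of the scope rules."""
    violations = []
    for group, mlist in members.items():
        gscope = principals[group]["scope"]
        for m in mlist:
            mkind = kind_of(principals, m)
            if mkind not in ALLOWED[gscope]:
                violations.append(f"{group} ({gscope}) cannot contain {m} ({mkind})")
            elif ((gscope, mkind) in SAME_DOMAIN_ONLY
                  and principals[m]["domain"] != principals[group]["domain"]):
                violations.append(f"{group} ({gscope}) cannot contain {m} from another domain")
    return violations


def effective_users(principals, members, group, seen=None):
    """Expand nested groups (cycle-safe) to the set of user accounts."""
    seen = set() if seen is None else seen
    seen.add(group)
    users = set()
    for m in members.get(group, []):
        if principals[m]["type"] == "user":
            users.add(m)
        elif m not in seen:
            users |= effective_users(principals, members, m, seen)
    return users


def can_be_granted(principals, group, resource_domain):
    """Domain local groups are only usable on resources in their own domain."""
    p = principals[group]
    return p["scope"] != "domain_local" or p["domain"] == resource_domain


# Constructed sample design: two domains, AGDLP with two deliberate mistakes.
PRINCIPALS = {
    "alice": {"type": "user", "domain": "corp"},
    "bob": {"type": "user", "domain": "sales"},
    "G-Editors-Corp": {"type": "group", "domain": "corp", "scope": "global"},
    "G-Editors-Sales": {"type": "group", "domain": "sales", "scope": "global"},
    "U-Editors": {"type": "group", "domain": "corp", "scope": "universal"},
    "DL-WebShare-Modify": {"type": "group", "domain": "sales", "scope": "domain_local"},
}
MEMBERS = {
    "G-Editors-Corp": ["alice", "bob"],   # bob belongs to another domain: illegal
    "G-Editors-Sales": ["bob"],
    "U-Editors": ["G-Editors-Corp", "G-Editors-Sales", "DL-WebShare-Modify"],  # DL in U: illegal
    "DL-WebShare-Modify": ["U-Editors"],
}

if __name__ == "__main__":
    for v in check_nesting(PRINCIPALS, MEMBERS):
        print("violation:", v)
    print(sorted(effective_users(PRINCIPALS, MEMBERS, "DL-WebShare-Modify")))
```

Run the checker over the design before anyone creates groups; the expansion step is also the test in step 4 above, since it tells you exactly which accounts a permission on DL-WebShare-Modify will reach.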

Designing Trust Relationships

The ability to share information securely and conveniently is important to almost all businesses. Windows 2000's trust scheme will make it a bit easier to manage than the cumbersome NT trust scheme. You'll still need to map out which domains need to trust which and whether or not those domains are within the same forest. There are two main types of trust relationships in Windows 2000, transitive and external. There is also a third type, called a shortcut trust, which I'll discuss later.

Transitive trusts

Transitive trusts are by far the most common type of trust you'll run into. They are created automatically as two-way Kerberos trusts between each parent and child domain within a tree and between each tree root and the forest root domain. Because they are transitive, every domain in a forest effectively trusts every other domain in the forest. This is why permissions must be assigned carefully, especially if certain domains in the forest need tight security: the trust lets users from any domain in the forest be authenticated, and only group membership and the ACLs on the resources decide what they can then touch.

External trusts

Sometimes domains in different forests (or a Windows 2000 domain and a Windows NT 4.0 domain) need to trust each other. This type of relationship is never automatic. There are a couple of rules you'll need to know about external trusts in order to determine whether they meet a company's goals:

  1. External trusts are created one direction at a time. If you need a two-way external trust, you create two one-way trusts, one in each direction.
  2. External trusts are non-transitive: they connect exactly two domains. The transitive trusts each domain has within its own forest are not extended to the remote domain, so the rest of the domains in each forest remain isolated from it.

Authentication issues

Active Directory uses a different authentication protocol than Windows NT. Within a forest, Windows 2000 uses Kerberos version 5: the Key Distribution Center on each domain controller issues tickets, and referral tickets carry a client along the chain of transitive trusts to the domain that holds the resource. NTLM is still used by downlevel clients and across external trusts, which Kerberos referrals do not cross. The Kerberos model is discussed throughout the book and in detail in the security chapter.

Domain mode matters too. Only native-mode domains support universal security groups and group nesting, so a trust with a mixed-mode domain limits which of the group strategies in this chapter you can use across it. When planning a trust relationship with a remote Windows 2000 domain, find out whether that domain is in mixed mode or native mode.

Shortcut trusts

All child domains have a transitive trust with their parent domains, but domains may be in different trees with several transitive trusts separating them from each other. This can cause more authentication overhead than is necessary. Active Directory allows you to specifically create a two-way transitive trust between two domains within the forest without having to rely on the series of two-way transitive trusts that automatically link them via the tree structure.

IN THE REAL WORLD

If two domains will often need to share information and user logins, a shortcut trust between them reduces authentication referral traffic. Use a network monitor or an SNMP-based traffic tool to measure traffic before and after you create the shortcut trust, so you can quantify the benefit. If you see large benefits, consider adding shortcut trusts between other frequently paired domains.
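
To see why a shortcut trust helps, and why an external trust does not carry over to the rest of a forest, it helps to count the domains a referral must cross. The script below is an added example, not from the book: it builds the trust graph for a constructed two-tree forest (parent-child trusts, a tree-root trust to the forest root, optional shortcut trusts) plus one constructed one-way external trust, and returns the chain of domains between a resource's domain and an account's domain. Domain names are invented for illustration.

```python
# Added example: computes the chain of domains an authentication referral must
# cross between a resource domain and an account domain, to show why shortcut
# trusts cut hops and why external trusts are not transitive. The forest and
# trusts below are constructed for illustration, not taken from the page.
from collections import deque

# Domain -> parent domain (None for a tree root). Constructed two-tree forest.
FOREST = {
    "corp.example": None,                            # forest root
    "sales.corp.example": "corp.example",
    "west.sales.corp.example": "sales.corp.example",
    "labs.example": None,                            # root of a second tree
    "eng.labs.example": "labs.example",
    "tools.eng.labs.example": "eng.labs.example",
}
FOREST_ROOT = "corp.example"

# External trusts: (trusting domain, trusted domain). One-way, non-transitive.
EXTERNAL_TRUSTS = {("corp.example", "partner.example")}


def forest_adjacency(shortcuts=()):
    """Two-way transitive trusts: parent/child, tree root to forest root, plus
    any explicitly created shortcut trusts."""
    adj = {d: set() for d in FOREST}

    def link(a, b):
        adj[a].add(b)
        adj[b].add(a)

    for domain, parent in FOREST.items():
        if parent is not None:
            link(domain, parent)
        elif domain != FOREST_ROOT:
            link(domain, FOREST_ROOT)
    for a, b in shortcuts:
        link(a, b)
    return adj


def trust_path(resource_domain, account_domain, shortcuts=()):
    """Domains traversed from the resource's domain to the account's domain
    (a list), or None when no trust relationship permits access."""
    if resource_domain in FOREST and account_domain in FOREST:
        adj = forest_adjacency(shortcuts)
        prev = {resource_domain: None}
        queue = deque([resource_domain])
        while queue:                                 # BFS: fewest referrals
            here = queue.popleft()
            if here == account_domain:
                path, node = [], here
                while node is not None:
                    path.append(node)
                    node = prev[node]
                return path[::-1]
            for nxt in adj[here]:
                if nxt not in prev:
                    prev[nxt] = here
                    queue.append(nxt)
        return None
    # Across forests only a direct external trust in the right direction helps;
    # it does not extend to the other domains of either forest.
    if (resource_domain, account_domain) in EXTERNAL_TRUSTS:
        return [resource_domain, account_domain]
    return None


def hops(path):
    return None if path is None else len(path) - 1


if __name__ == "__main__":
    src, dst = "west.sales.corp.example", "tools.eng.labs.example"
    print(hops(trust_path(src, dst)))                       # up to both roots and down
    shortcut = [("sales.corp.example", "eng.labs.example")]
    print(hops(trust_path(src, dst, shortcut)))             # fewer hops
    print(trust_path("corp.example", "partner.example"))    # direct external trust
    print(trust_path("sales.corp.example", "partner.example"))  # None: not transitive
```

Without the shortcut, a user from tools.eng.labs.example reaching a resource in west.sales.corp.example is referred up through sales and corp, across to labs, and down through eng; the shortcut between sales and eng removes the two root domains from the chain. The external trust works only for the exact pair it was created for and only in the direction it was created.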

Designing Group Policies

When you are designing a Group Policy, you'll have to figure out what the company's priorities are. You'll need to weigh several options: security vs. convenience, control vs. flexibility, and up-front effort vs. recurring effort. As a consultant, you might run into a client who wants security, convenience, flexibility, and control with maximum up-front effort (yours) and minimal recurring effort (theirs). This is not possible with Group Policies.

The main sticking points are security and flexibility. If you want to restrict access to objects on the network, the people who have permission must make the changes themselves. This is more secure, but it diminishes convenience. Consider this situation:

Your supervisor calls to tell you her son has broken his arm and she's on the way to the hospital. You'll have to give her sales presentation to the assembled crowd in twenty minutes. You try to open sales.ppt and get "Permission Denied." No problem, just call the Network Administration department to change permissions. The last you checked, there were three network administrators, but when you call them you find out that one is on vacation, one's out on an emergency hardware installation 45 miles away, and the third one quit yesterday.

The alternative extreme can result in having a disgruntled employee modify the sales presentation to include just about anything. Your job is to explain this and convince the company to balance the needs of security and convenience by allowing you to implement a responsible Group Policy structure.

It's almost always easier to apply permissions to groups of similar users than to each individual user on a case-by-case basis. Windows 2000 gives you several group scopes to choose from. Groups are a different kind of container than Organizational Units: a group holds user accounts, computer accounts, and other groups, whereas an OU can hold any kind of object, including groups. Group Policy is linked to sites, domains, and OUs, not to groups; groups enter the picture only to filter which members of a container a policy applies to. Getting to know what the policies can do will help you decide how to arrange the OUs and groups. Group Policies are applied through Group Policy Objects (GPOs), each containing the rules that make up the policy.

Group Policy goals

Group Policies can be used to define which programs are to be installed on which computers. This can be done by department, with web development getting Photoshop and Flash, sales getting Outlook and Excel, and technical support getting Quake. Actually, the Group Policy can be used to make sure technical support doesn't install unauthorized programs, which brings us to another of GPO's benefits: security.

Group Policies can restrict certain users to only their authorized applications whenever they log on, regardless of what other software is installed on the workstation they happen to use. Through user rights assignments, GPOs can also restrict local and remote logon to sensitive computers, such as domain controllers.

IN THE REAL WORLD

Group Policies are inherited down the Active Directory hierarchy. Although GPOs can be linked at the domain or site level, you may be better off linking most policies at the OU level to give yourself greater flexibility. Remember that a Deny entry on a GPO's access control list (for example, denying a group the Apply Group Policy permission) overrides any Allow for the same principal.

If you've created the OU structure to match the company's real-world departmental structure, assigning permissions by OU is a convenient way to provide access to those who need it and deny access to everyone else. Also, if you arrange to have the employee transfer process include a notification to the network administrator, employees can be moved in and out of OUs faster than they can clean out their cubicle.

ON THE EXAM

Be careful if a Group Policy is linked at the site level. A site is a physical structure that can span several domains, so a site-linked GPO affects every user and computer in the site no matter which domain they belong to, and a change at that level can have wide-ranging effects. By default only members of the Enterprise Admins group can link GPOs at the site level.

If you want a Group Policy to apply to an entire domain or to several domains, link it at the domain level rather than the site level. This is more work initially, because a GPO is stored in one domain and is meant to be linked within that domain; you'll create an equivalent policy in each domain and link it separately. In exchange, nothing is applied by accident to domains that merely happen to share a site.

Overall, I think the best approach is to apply no Group Policies at the site level, general policies at the domain level, and specific policies at the OU level. This hierarchical approach has less risk and gives you more granular control over policies. The up-front investment in time usually pays off later.

IN THE REAL WORLD

Group Policy Objects add to the network traffic and can increase login times, especially if policies are applied across multiple domains. Try to draft as few policies as possible, but remember that combining too many rules in a single policy can make assigning policies to slightly different groups problematic.

Security group filtering

Members of a security group can be excluded from a GPO, even if it is linked to their entire domain, by denying that group the Apply Group Policy permission on the GPO (or by removing the group from those allowed to apply it). This is especially useful for administrators and other users with elevated privileges who must not be locked down by a policy meant for ordinary users.

Group Policy blocking

In addition to filtering GPOs by security group, you can block inherited GPOs at the OU level. Normally, an OU inherits the Group Policies linked to its parent OUs, the domain, and the site. You can set Block Policy Inheritance on an OU, but it has no effect on a GPO link that has No Override set higher up: No Override always wins over Block Policy Inheritance. You're better off taking the time to plan Group Policies thoroughly, so that you rarely need either setting, rather than worrying about whether policies will apply and what the exceptions are.
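
The interaction between link order, Block Policy Inheritance, No Override, and security filtering is where most "why did this policy apply?" questions come from. The script below is an added example, not from the book, that resolves the order in which GPOs apply to a user or computer from those rules. Containers, GPO names, and group names are constructed for illustration; the script models the rules described above and does not read a real directory.

```python
# Added example: resolves the order in which Group Policy Objects apply to a
# user or computer, given site, domain and OU links with Block Policy
# Inheritance, No Override and security-group filtering. All names are
# constructed for illustration; this models the rules, not a real directory.

# A container: links are (gpo_name, no_override) in precedence order, i.e. the
# first link in the list wins over later links on the same container.
def container(name, links=(), block_inheritance=False):
    return {"name": name, "links": list(links), "block": block_inheritance}


# GPO security filtering: "apply" groups get the policy unless also in "deny".
# Default is Authenticated Users, which every logged-on principal belongs to.
def gpo(name, apply=("Authenticated Users",), deny=()):
    return {"name": name, "apply": set(apply), "deny": set(deny)}


def passes_filter(g, groups):
    groups = set(groups) | {"Authenticated Users"}
    return bool(groups & g["apply"]) and not (groups & g["deny"])


def application_order(chain, gpos, groups):
    """chain: containers from the site, through the domain, down to the
    object's own OU. Returns GPO names in the order they apply; a later GPO
    overrides an earlier one for any setting both define."""
    normal, enforced = [], []
    for c in chain:
        if c["block"]:
            normal = []          # drop inherited links; No Override links survive
        # reverse so the highest-precedence link on this container applies last
        for name, no_override in reversed(c["links"]):
            if not passes_filter(gpos[name], groups):
                continue
            (enforced if no_override else normal).append(name)
    # No Override links win over everything below them, and among themselves
    # the one highest in the hierarchy wins, so they apply last, in reverse.
    return normal + enforced[::-1]


# Constructed sample hierarchy.
GPOS = {g["name"]: g for g in [
    gpo("Site-Proxy"),
    gpo("Domain-Password"),
    gpo("Domain-Desktop"),
    gpo("Sales-Apps"),
    gpo("Reps-Lockdown", deny=("Sales-Managers",)),
]}
CHAIN = [
    container("HQ site", [("Site-Proxy", False)]),
    container("corp domain", [("Domain-Password", True), ("Domain-Desktop", False)]),
    container("Sales OU", [("Sales-Apps", False)], block_inheritance=True),
    container("Reps OU", [("Reps-Lockdown", False)]),
]

if __name__ == "__main__":
    print(application_order(CHAIN, GPOS, ["Sales-Reps"]))
    print(application_order(CHAIN, GPOS, ["Sales-Managers"]))
```

For a sales rep the result is Sales-Apps, then Reps-Lockdown, then Domain-Password: the site and Domain-Desktop policies are blocked by the Sales OU, while the No Override password policy survives the block and applies last. A sales manager gets the same chain minus Reps-Lockdown, which the Deny filter removes.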

Delegating Authority

Everything in Active Directory is an object that has an access list of permissions. Efficiently assigning these permissions can save you and the users a lot of grief in the day-to-day operations of the network. There are a few different strategies for designing a delegation scheme.

You need to transfer, or delegate, the authority to access objects throughout the Active Directory. These objects can number into the hundreds of thousands in moderate sized businesses. Properly grouping and then assigning permissions by group is essential. How you divide the groups depends on the type of organization and the type of objects you're dealing with.

Object ownership

The first step to creating a solid delegation plan is to create an inventory of the types and number of objects you have. Every object must be owned by somebody who will be responsible for its safekeeping. If you find an object that is improperly owned, a member of the Domain Admins group can take ownership of it, either permanently or just long enough to set the right permissions and hand it to its proper owner.

You can delegate permissions by object or by task. A task might be backing up files or clearing a print spool. Task-based delegation is generally more difficult and time consuming, so it is used much less frequently than object-based delegation.

Permissions inheritance

Objects automatically inherit permissions from their containers further up the AD structure. Sometimes, it is necessary to prevent this from happening. Be very careful if you block permissions inheritance, because if you forget you did it, making a change to the parent object will no longer be passed on down the line to the blocked object. Be sure to document every case of blocked inheritance.

IN THE REAL WORLD

Blocking inheritance is particularly dangerous when a Deny permission is later added to a parent container (Windows 2000 uses Deny entries where Windows NT had No Access). Child objects that were blocked from inheriting never receive the Deny, so users can still reach them even though the parent container now denies access. Without proper documentation procedures, this can easily go unnoticed until it's too late.
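
The following script is an added example, not from the book, that reproduces that failure on a small constructed container tree and shows the audit you would want in place: a walk that lists every object with inheritance blocked. It assumes the Windows ACE evaluation order (explicit Deny, explicit Allow, inherited Deny, inherited Allow, first match decides); container and group names are invented for illustration.

```python
# Added example: models permission inheritance on a small container tree with
# one child that has inheritance blocked, and audits for such children. Names
# are constructed for illustration. evaluate() applies the Windows canonical
# ACE order (explicit deny, explicit allow, inherited deny, inherited allow);
# the first ACE that matches the principal and the right decides.

class Node:
    def __init__(self, name, parent=None, protected=False):
        self.name = name
        self.parent = parent
        self.protected = protected       # True = "block permissions inheritance"
        self.aces = []                   # explicit ACEs: (allow, principal, right)
        self.children = []
        if parent:
            parent.children.append(self)

    def path(self):
        return self.name if self.parent is None else self.parent.path() + "/" + self.name

    def inherited(self):
        """ACEs flowing down from ancestors, nearest ancestor first; nothing
        flows into an object whose inheritance is blocked."""
        if self.protected or self.parent is None:
            return []
        return self.parent.aces + self.parent.inherited()


def evaluate(node, groups, right):
    explicit, inherited = node.aces, node.inherited()
    ordered = ([a for a in explicit if not a[0]] + [a for a in explicit if a[0]]
               + [a for a in inherited if not a[0]] + [a for a in inherited if a[0]])
    for allow, principal, r in ordered:
        if principal in groups and r == right:
            return allow
    return False                         # no matching ACE: implicit deny


def audit_blocked(node):
    """Every object at or under node whose inheritance is blocked; this is
    the list the text says must be documented."""
    found = [node.path()] if node.protected else []
    for c in node.children:
        found += audit_blocked(c)
    return found


# Constructed tree: Billing blocks inheritance and carries its own Allow.
projects = Node("Projects")
billing = Node("Billing", projects, protected=True)
archive = Node("Archive", projects)
projects.aces.append((True, "Programmers", "read"))
billing.aces.append((True, "Accounting", "read"))

# Later, someone denies Programmers on the parent and expects it to flow down.
projects.aces.insert(0, (False, "Programmers", "read"))

if __name__ == "__main__":
    pamela = {"Programmers", "Accounting"}
    print(evaluate(archive, pamela, "read"))   # inherited deny reaches Archive
    print(evaluate(billing, pamela, "read"))   # blocked child never sees the deny
    print(audit_blocked(projects))             # where to look first
```

Archive, which inherits normally, picks up the new Deny; Billing, which blocks inheritance, keeps its old Allow for Accounting, so a member of both groups is denied on one sibling and allowed on the other. Running the audit after every permission change on a parent is the cheap way to catch this.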

DNS Naming

If you have experience with the Domain Name System (DNS) used on the Internet, you'll have no problem designing a DNS naming scheme for your Active Directory. The first thing you'll have to decide is whether or not you'll be using the same domain name for the internally (company) and externally (Internet) accessible network resources.

IN THE REAL WORLD

Many companies choose to use different domain names for their internal and external networks. Often, companies will use non-routable (from the outside world) IP addresses for their internal network and create a gateway or proxy server to act as a buffer to the Internet. Internally, some companies use a non-Internet protocol, such as IPX/SPX, to prevent open TCP/IP access to parts of their network.

Organizing a DNS structure

One of the simplest and most effective ways to organize a hierarchical naming scheme like DNS is to mirror the actual geographic and departmental hierarchy of the company. You have to take into account whether or not the business wants to use the same domain name for internal and Internet addressing. Table 5-4 shows an example DNS naming scheme.

Table 5-4 DNS Naming Scheme

Company Breakdown                                            DNS Name Used
Parent company name: O'Reilly & Associates                   oreilly.com
Geographic locations: Sebastopol, Cambridge                  sebastopol.oreilly.com
                                                             cambridge.oreilly.com
Sebastopol's departments: editorial, production, marketing   editorial.sebastopol.oreilly.com
                                                             production.sebastopol.oreilly.com
                                                             marketing.sebastopol.oreilly.com

DNS names read from left to right, specific to general. A final example: if the marketing office in Sebastopol had a server named zookeeper, that server's fully qualified DNS name would be zookeeper.marketing.sebastopol.oreilly.com. Every host name has to be unique within its zone; an address (A) record maps the name to an Internet Protocol (IP) address, and the same address may be referred to by more than one name.

You'll notice that the parent company name is part of all the subdomain names. You can create as many subdomains as you'd like. However, in Windows 2000 a domain cannot be renamed once it is created, and the first domain created, called the forest root domain, cannot be removed from the forest or replaced.

Because the forest root domain name cannot be changed, if the company is going to merge or otherwise change names in the near future, you may want to consider registering the new name and using it internally, especially if it's going to be a hyphenated name. When the merger is finalized, the new domain name can be made public.

If you choose to use the same domain name both internally and externally, you'll want a firewall and two separate sets of DNS servers for that name, one answering Internet queries and one answering internal queries (often called split DNS). Only the public server's zone lists the resources that should be reachable from the Internet; the internal zone lists everything, and the firewall keeps outside hosts away from the internal DNS servers and the private addresses they hand out.

If the company wants the least amount of risk, you should suggest that they use separate domain names for internal and external use. It's conceivable that a resource could be accidentally (or intentionally) put in the wrong DNS zone or otherwise made accessible to the outside world. Not only is the use of separate internal and external domain names a bit more secure, it makes it easy to determine which resources are public just by the domain name.

Schema Modification

The schema is a database that contains a listing of all the types of objects and their properties. The schema determines which properties are both necessary and optional for each object. A faulty schema modification can have a disastrous and unexpected impact across the entire AD. If you're not absolutely sure of all the possible consequences a particular schema modification can cause, don't even consider doing it.

Some AD aware programs will modify the schema to include new functionality. New types of objects with different access permissions may be needed as technology changes. The ability to modify AD's schema is mostly for future compatibility. Most installations will never have to be modified directly. You should still understand how the schema works, because applications you install may be modifying it for you.

Attribute-schema objects

Attribute-schema objects define the rules and structure of a single attribute that objects can carry. A user account, for example, needs many attributes to describe it in its entirety, and each one, such as the logon name, needs rules that make it behave the same way on every user object: What syntax does it use (string, integer, distinguished name)? How long can the value be? Can it hold more than one value? Must it be unique? Attributes are then combined into a group called a class.

Class-schema objects

An object usually has many attributes. Because each attribute is defined in a separate attribute-schema object, those definitions have to be gathered into an encompassing definition of the familiar object, such as a user, group, computer, or Organizational Unit. The collection of attribute-schema objects that defines a kind of object is called a class-schema object.

A class-schema object can require certain attributes and merely allow others. For example, a user must have a logon name but need not have a telephone number.

Class-schema objects also determine the containment hierarchy: which classes may contain instances of which others. An Organizational Unit can contain users or other OUs, but a user object cannot contain an OU.

IN THE REAL WORLD

Changes to how data is stored on disk do not touch the directory. Compression programs like WinZip can pack a whole folder tree into a single compressed file and restore it later, but files and folders are NTFS objects, not Active Directory objects, so this happens without any modification to the Active Directory schema.

Modifying the schema

There are two ways the schema can be modified: through the Active Directory Schema snap-in for the Microsoft Management Console (MMC), or through the installation of an application that extends the schema automatically. Every class and attribute in the schema carries a unique object identifier (OID), a dotted number such as those under 1.2.840.113556, Microsoft's branch. OIDs come from a worldwide hierarchical numbering space maintained by ISO and ITU-T; a company obtains its own branch from a national registration authority (ANSI in the United States) or, for Active Directory extensions, from Microsoft, and then assigns numbers beneath that branch for its additions. Never make up an OID under someone else's branch, because a collision with another vendor's extension will surface as a schema conflict.

There are a few potentially negative side effects of modifying the schema that you should consider. Before you change the attributes of an object class, check that you won't conflict with existing classes or attributes, because in Windows 2000 a schema addition cannot be deleted, only deactivated. Schema changes are made on a single domain controller, the schema master, which must first be explicitly enabled for schema updates, and they then replicate to every domain controller in the forest. This can generate a lot of traffic, so time the change for when network usage is low. Replication is not instantaneous across the forest, so inconsistencies can occur until it completes.

Replication

A Windows 2000 network consists of peer domain controllers, each holding a writable copy of the directory (multimaster replication). There is no longer an NT-style hierarchy of primary domain controllers and backup domain controllers. The Windows 2000 domain controllers need to exchange information among themselves on a regular basis. Unlike OUs, which are best designed to match the departmental makeup, replication sites have to be designed around the fast parts of the physical network, regardless of departmental boundaries.

Sites

Sites are the basic physical structures that allow the replication of data on the network. The strategy for creating an efficient replication environment is fairly straightforward: find the best available bandwidth between potential sites, look at bandwidth utilization on each subnet, and link sites accordingly. Your goal is to link sites so that they have the greatest bandwidth between them (see Table 5-5).

Table 5-5 Site Replication Strategy

Average available bandwidth between domain controllers (Mbit/s):

Domain controller   To DCA   To DCB   To DCC
DCA                 N/A      7.8      5.2
DCB                 7.8      N/A      6.1
DCC                 5.2      6.1      N/A

By building a table like Table 5-5, you can easily see that you want to avoid the DCA to DCC connection at 5.2 Mbit/s and instead link DCA to DCB at 7.8 Mbit/s and DCB to DCC at 6.1 Mbit/s. Keep in mind that bandwidth usage can change very rapidly on a network, and you should monitor network utilization consistently.

IN THE REAL WORLD

If your network allows open access to the Internet, be sure to look out for potentially high-bandwidth programs, like Napster. The ease with which multimedia is distributed over the Internet, legally and otherwise, is increasing rapidly. A few employees downloading music eight hours a day could severely impact the bandwidth available for replication.

Proper division of replication sites can help the overall performance of Active Directory. Many of the features of Active Directory that were not present in the NT directory structure require the efficient transfer of information throughout the entire network. Some of this traffic can be optimized by placing commonly needed resources within a site. A decrease in the number of sites, so that each site has access to the servers it needs to operate relatively autonomously, may outweigh the raw replication speed achieved by having smaller sites. Table 5-6 shows some examples of where site design can pay traffic dividends.

Table 5-6 Site-Level Traffic Optimization

Replication

The interval between exchanges of information between replication sites can be customized to fit the needs of each network segment.

Logons

If a domain controller is available in the current site, logon traffic stays within the site and is handled by that domain controller whenever possible.

File Replication Service

Group Policy templates and logon scripts live in the SYSVOL share, which the File Replication Service (FRS) replicates between domain controllers. FRS uses the site topology and schedule to determine when and how to replicate its data.

Distributed Filesystem

The Distributed Filesystem (DFS) allows multiple linked copies of a network resource to be spread among many servers. DFS looks within the client's own site for a copy of the resource before searching the rest of the network.

Site-aware programs

Programs that take advantage of FRS and DFS automatically benefit from their cooperation with the site topology, which reduces the network traffic the program generates.

Replication of data within a site is called intrasite replication. Replication between sites is called intersite replication. It is important that bandwidth between domain controllers be as high as possible, because they will be involved in both intersite and intrasite replication. You should always map out the physical location of all the domain controllers and the nearby hubs and switches that connect them. If possible, try to have 100 Mbit connections between all domain controllers and have at least one domain controller in each replication site.

The amount of time it takes for a change to reach the other domain controllers is called replication latency. Don't confuse it with replication cost, the total amount of bandwidth consumed by the transfer. Each replication session has a certain amount of setup and teardown traffic in addition to the actual data. If you configure intersite replication to batch changes and send them all at once on a schedule, you lower the replication cost (fewer setup and teardown packets for the same data) but raise the latency, because a change waits for the next scheduled exchange. Latency and cost usually pull in opposite directions; choose the schedule that both the link and the business can tolerate.

Sites can be adjusted after they are created. Whenever there are changes to the network, you should re-evaluate your site borders to make sure you still have the most efficient replication setup. Adding a single computer to a site can significantly change the available bandwidth, which can have a cascading effect on the performance of seemingly unrelated parts of the network. Always perform a check on the current situation, called a baseline, so you'll have something to compare the new numbers to after a change.

ON THE EXAM

There is a big difference between replication latency and replication cost. If you increase the bandwidth between replication sites, you'll decrease the latency, but not the cost. You'll be sending the same amount of data, only faster.
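
Two calculations follow from this section: choosing links from a bandwidth survey such as Table 5-5, and seeing how a batching schedule and link speed move replication cost and latency in different directions. The script below is an added example, not from the book. It uses the survey values from Table 5-5; the site-link cost convention (1024 divided by log10 of the bandwidth in Kbit/s), the byte counts per change and per session, and the schedule parameters are assumptions for illustration.

```python
# Added example: (1) picks replication links from a bandwidth survey like
# Table 5-5 by building a spanning tree of the highest-bandwidth links, and
# (2) models replication cost versus latency for a batched schedule. Survey
# values come from the table; the 1024/log10(Kbit/s) cost convention, the
# byte counts and the schedule values are assumptions for illustration.
import math

# Average available bandwidth between domain controllers, Mbit/s (Table 5-5).
SURVEY = {("DCA", "DCB"): 7.8, ("DCA", "DCC"): 5.2, ("DCB", "DCC"): 6.1}


def fattest_spanning_links(survey):
    """Kruskal's algorithm on descending bandwidth: every DC ends up connected
    with the fewest links, and the weakest link (DCA-DCC here) is left out."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    chosen = []
    for (a, b), bw in sorted(survey.items(), key=lambda kv: -kv[1]):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb
            chosen.append((a, b, bw))
    return chosen


def site_link_cost(bandwidth_mbps):
    """Relative site link cost (lower is preferred). Assumed convention:
    1024 / log10(bandwidth in Kbit/s); a 56 Kbit/s line comes out near 586."""
    return round(1024 / math.log10(bandwidth_mbps * 1000))


def replication_plan(changes_per_hour, batch_minutes, bytes_per_change,
                     session_overhead_bytes, bandwidth_mbps):
    """Cost = bytes sent per hour (payload plus per-session setup/teardown).
    Latency = worst-case seconds from a change until the partner has it
    (waiting out the batch window, then the transfer time)."""
    sessions_per_hour = 60.0 / batch_minutes
    payload = changes_per_hour * bytes_per_change
    cost_bytes = payload + sessions_per_hour * session_overhead_bytes
    batch_bytes = cost_bytes / sessions_per_hour
    transfer_seconds = batch_bytes * 8 / (bandwidth_mbps * 1e6)
    latency_seconds = batch_minutes * 60 + transfer_seconds
    return round(cost_bytes), round(latency_seconds, 1)


if __name__ == "__main__":
    for a, b, bw in fattest_spanning_links(SURVEY):
        print(f"link {a}-{b}: {bw} Mbit/s, cost {site_link_cost(bw)}")
    # Constructed load: 600 changes/hour of 2 KB each, 50 KB of setup per session.
    print(replication_plan(600, 5, 2048, 51200, 5.2))    # frequent batches
    print(replication_plan(600, 60, 2048, 51200, 5.2))   # hourly batch: cheaper, slower
    print(replication_plan(600, 60, 2048, 51200, 7.8))   # faster link: same cost, less latency
```

The spanning tree reproduces the choice made from Table 5-5 (DCA-DCB and DCB-DCC) and generalizes it to any number of domain controllers. The schedule model shows the exam point numerically: lengthening the batch interval cuts bytes per hour but adds a full interval to the worst-case latency, while a faster link leaves the byte count untouched and only shortens the transfer.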

Site links

All the sites in Active Directory have to be able to share information. The way in which they replicate information is not random, you can choose which sites share a replication link and when they transfer data. You have to take into account employee shift schedules and sometimes differences in time zone when determining the most efficient timing of replication on large networks. The connection between two sites for the purpose of replicating data is referred to as a site link.

Site link bridges

Most site links connect two locations, but each of those locations probably has a site link to somewhere else. By default Windows 2000 bridges all site links (the Bridge all site links option on the IP transport), which makes them transitive: if site A is linked to site B and site B is linked to site C, then site A can replicate with site C over the implied site link bridge, at the combined cost of the two links. On a network that is not fully routed, turn off automatic bridging and create site link bridges explicitly for the paths that actually exist.

Bridgehead servers

Because sites can span multiple domains and some domains have several domain controllers, you may want to specify which domain controller in a site will handle replication duties. The chosen domain controller is referred to as a bridgehead server. The domain controller that has the most unused bandwidth to another site is a good choice to be a bridgehead server.


Practice Tests


Test Questions

    What should you know about a company before you install an Active Directory for them?

    1. The geographic, divisional, and departmental layout of the company
    2. The security requirements of each location and department
    3. The predicted growth pattern for the next five years
    4. All of the above

    Which domain structure is generally easier to maintain?

    1. A single domain with multiple subdomains sharing a single AD
    2. Multiple domains sharing a single AD
    3. A single domain with multiple subdomains with individual ADs
    4. Multiple domains with multiple ADs

    Two companies are merging, neither of which has a computer network. They decide they want to use Windows 2000 and Active Directory. They have a small IT staff and would like to have a single domain. However, they'd like to keep their naming systems relatively separate. What can you do to best accommodate their needs?

    1. Create two domains and create two one-way trust relationships between them.
    2. Create a single domain, giving one company the root domain name and making the other a sub-domain.
    3. Create an empty root domain and give each company a sub-domain name.
    4. Tell them they must use a hyphenated name if they wish to have a single domain.

    Which type of Active Directory container is most useful in mapping company departmental structure for the assignment and inheritance of permissions?

    1. Domain local accounts
    2. Global accounts
    3. Trees
    4. Organizational Units

    What is the process of putting one group inside of another called?

    1. Hive management
    2. Nesting
    3. Inheritance
    4. Subfolders

    When can external trusts be used in Windows 2000?

    1. Between trees in a forest
    2. Between domains in a tree
    3. Between trees in a domain
    4. Between domains in different forests

    When can shortcut trusts be used?

    1. Between two domains in the same forest
    2. Between two domains in different forests
    3. Between two users in the same OU
    4. Between two users in the same forest

    Which group can apply Group Policies at the site level?

    1. Domain Admins
    2. Enterprise Admins
    3. Replication Admins
    4. Power Users

    Which of the following changes will decrease the replication cost value between sites?

    1. Upgrading from a 10 Mbs to 100 Mbs Ethernet setup
    2. Decreasing the number of domain controllers
    3. Increasing the number of domain controllers
    4. None of the above

    If site A is connected to site B for replication and site B is connected to site C for replication, what is the connection between A and C called?

    1. A transitive trust
    2. A bridgehead
    3. A site link bridge
    4. A shortcut trust

    You are designing groups to be used across an entire Active Directory forest that contains several domains. The domains are at different physical locations and the available bandwidth between these locations is very low. Which type of group allows for access across the entire forest with the minimum amount of replication traffic?

    1. Domain local
    2. Global
    3. Universal
    4. All of the above

    You are trying to create the most efficient site replication strategy possible for a very large network. It has been decided that you should configure bridgehead servers. Which computers are the best candidates to be bridgehead servers?

    1. Domain controllers with the most unused RAM
    2. Domain controllers with the most unused bandwidth
    3. Workstations with the most unused RAM
    4. Standalone servers with the most unused RAM

    You are designing an efficient replication strategy for a mid-sized network. What should be your number one priority?

    1. Making sure there are sufficient services available within each site
    2. Increasing the number of replication sites
    3. Decreasing the number of domain controllers per site
    4. Increasing the number of bridgehead servers

    You have a publicly registered domain name and class 2 block of IP addresses. You're running your own DNS server. Part of the network will be accessible over the Internet and part will be private for the next six months. Then the whole network will be publicly available. What should you do to keep these areas separate for now and make the transition as easy as possible?

    1. Assign valid IP addresses to the public parts of the network and non-routable IP addresses to the private parts. Reassign IP addresses in six months.
    2. You must have two separate DNS servers running on separate subnets. In six months, append the zone files together on the public DNS server.
    3. Create zone files for the public and private parts of the network and keep them separated using a firewall. Use routable IP addresses for both zones. In six months, change the appropriate zone from private to public while retaining the originally assigned IP addresses.
    4. Make all IP addresses public, but use DHCP to randomly assign the private addresses.

    The group hierarchy for the programmers of your company is as follows: the parent group is called Programmers. The Programmers group has three sub-groups, Database, Web Design and Accounting. The Accounting group previously was the only Programming group to have access to the Billing folder. Since the Accounting programmers no longer need that access and none of the other programmers do either, you've decided to deny all access to the Billing folder to the parent Programmers group. You notice that Pamela, who is in the Accounting group, can still access the Billing folder. What should you do first?

    1. Disable Pamela's account immediately.
    2. Check other Accounting accounts to see if the permissions were inherited properly.
    3. Deny access to the Billing folder specifically for Pamela.
    4. Deny access to the Billing folder for the Accounting group.

    How can you make sure that permissions will be inherited all the way down the Organizational Unit tree and will not be blocked by a child OU?

    1. Double-check every OU's permissions manually after every change.
    2. Make sure all the child OUs have No Override set.
    3. Make sure the parent OU has No Override set.
    4. You can't prevent permissions inheritance blocking.

    What is the best way to prevent inheritance of permissions for a small number of users across the domain?

    1. Put them in the Enterprise Administrator's group.
    2. Let them all share a single Administrator account.
    3. Put them in a separate OU and configure the OU's permissions appropriately.
    4. Put them in a security group and configure that group's permissions appropriately.

    You notice that login times have increased for your Active Directory forest. Which of the following are possible causes?

    1. Group Policy Objects that apply across multiple domains have increased traffic.
    2. Replication traffic has increased despite adding more individual sites.
    3. A couple of global catalog servers have crashed and haven't been replaced.
    4. All of the above.

    You have been given a budget that allows you to buy five new servers. What should you do with this hardware to get the biggest performance benefit for your Active Directory network?

    1. Create five new DNS servers
    2. Create five new bridgehead servers
    3. Create five new global catalog servers
    4. Create five new FTP servers

    You are running Active Directory within a forest. Two workstations in separate trees need to share a Distributed Filesystem folder. What changes to the trust relationship(s) must be made for this folder to be shared between workstations in different trees?

    1. You must create two separate one-way trusts between the trees.
    2. You must create two separate one-way trusts between the workstations.
    3. You must manually create a two-way trust between the trees.
    4. All computers in the forest automatically have two-way trust relationships, so you don't need to change any trust relationships.


Case Study


Text Formatting Key:

  • Describes requirements
  • Conflicts with requirement
  • Irrelevant background information

You have been given a list of requirements to implement a replication strategy for the sales department. Sales has 3 Windows 2000 domain controllers, 2 standalone servers, and 28 workstations. The domain controllers have the following interconnection speeds.

Domain Controller Name   Average Available Bandwidth to DCA   Average Available Bandwidth to DCB   Average Available Bandwidth to DCC
DCA                      N/A                                  7.8 Mbit                             5.2 Mbit
DCB                      7.8 Mbit                             N/A                                  6.1 Mbit
DCC                      5.2 Mbit                             6.1 Mbit                             N/A

You must determine which domain controllers will be linked together for replication purposes to make the most efficient connections.

Multiple Choice

    How many computers in the sales department will be involved with the intrasite replication?

    1. 3
    2. 5
    3. 33
    4. None

    What does the above chart indicate regarding replication?

    1. Latency
    2. Cost
    3. Distance
    4. Security

Create a Tree

Place each domain controller under the domain controller to which it would connect, given the most efficient replication configuration. Each domain controller must be connected to another domain controller. A domain controller may share a connection with more than one domain controller.

DCA          DCB          DCC

(fill in the domain controller(s) connected to each)


Answers


Comprehensive Test

  1. d. You should know as much as possible about the company before you begin to configure Active Directory. You can't take full advantage of Active Directory without this information.
  2. a. It's easiest to maintain a single domain that uses multiple subdomains and a single Active Directory.
  3. c. An empty root domain will allow the subdomains to retain naming separation, while taking advantage of the single domain for administrative and maintenance purposes.
  4. d. Organizational Units are the best way to model Active Directory after a company's departmental structure.
  5. b. Putting groups inside of other groups is called nesting.
  6. d. External trusts can only occur between two domains residing in different forests.
  7. a. Shortcut trusts can only be used between two domains in the same forest.
  8. b. Only members of the Enterprise Admins group can apply Group Policies at the site level.
  9. d. You can decrease the latency of a connection by providing more bandwidth, but that won't decrease the cost. Cost is determined by the amount of information being sent over the connection, not by the speed or the percentage of available bandwidth.
  10. c. A site link bridge is the virtual connection formed between multiple sites that are linked to the same site.
  11. b. Global groups are valid across the entire forest and replicate only the group name between domains, not the individual members of the group. This uses less bandwidth than universal groups, which replicate the member information for the group along with the group name. Domain local groups are only valid in the local domain and do not replicate to other domains in the forest.
  12. b. Only domain controllers can be bridgehead servers. The amount of available bandwidth will be the most important factor for site replication duties.
  13. a. Making sure there are enough services within a site prevents requests from having to be served outside the site, which improves response time. Just making sites smaller could be counterproductive.
  14. c. A single DNS server can have public and private zones that can be easily changed. Using non-routable IP addresses would technically work, but reassigning all those IP addresses would be inefficient.
  15. b. It is likely that the permissions were not inherited for the entire Accounting group, not just Pamela's account. You shouldn't just block the Accounting group from the Billing folder, because if permissions inheritance is disabled for the Accounting group, you'll have to change permissions for the Accounting group separately from the other programming subgroups. It's better to fix the inheritance problem at its source, rather than dealing with it on a case-by-case basis.
  16. c. The easiest and most effective way to prevent inheritance blocking is to make sure the parent container has No Override set.
  17. d. Security groups are the best solution for assigning permissions across the domain. Don't give non-administrators an Administrator account and never allow users to share a single account.
  18. d. All of these scenarios can increase login times. You should always create baselines for all aspects of network performance to make it easier to quantify change.
  19. c. Adding global catalog servers is by far the best choice to improve network performance because requests are load balanced and just about every network request has something to do with the global catalog.
  20. d. All computers in the forest automatically share two-way transitive trust relationships.

Case Study: Multiple Choice

  1. a. Only domain controllers are involved in intrasite replication.
  2. a. Latency is based on how much bandwidth is available for replication. Cost is a constant value, regardless of the available bandwidth.

Case Study: Create a Tree

DCA          DCB          DCC
DCB          DCA          DCB

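The tree above can be derived mechanically: treat each pair of domain controllers as a candidate link weighted by its average available bandwidth, and keep the highest-bandwidth links that still connect every DC (a maximum spanning tree). The script below is an added example, not code from the book; the bandwidth figures are copied from the case study table, and the function names are our own.

```python
from itertools import combinations

# Constructed from the case study table: average available bandwidth (Mbit)
# between each pair of domain controllers in the sales department.
BANDWIDTH_MBIT = {
    ("DCA", "DCB"): 7.8,
    ("DCA", "DCC"): 5.2,
    ("DCB", "DCC"): 6.1,
}


def bandwidth(a, b):
    """Available bandwidth between two DCs; the table is symmetric."""
    return BANDWIDTH_MBIT.get((a, b), BANDWIDTH_MBIT.get((b, a)))


def best_replication_links(dcs):
    """Fewest links that connect every DC, preferring the highest available
    bandwidth: a maximum spanning tree built with Kruskal's method."""
    parent = {dc: dc for dc in dcs}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    candidates = sorted(combinations(dcs, 2),
                        key=lambda pair: bandwidth(*pair), reverse=True)
    chosen = []
    for a, b in candidates:
        root_a, root_b = find(a), find(b)
        if root_a != root_b:  # keep the link only if it joins two separate groups
            parent[root_a] = root_b
            chosen.append((a, b))
        if len(chosen) == len(dcs) - 1:
            break
    return chosen


def replication_partners(dcs):
    """For each DC, the DC(s) it connects to, as the case study asks."""
    partners = {dc: [] for dc in dcs}
    for a, b in best_replication_links(dcs):
        partners[a].append(b)
        partners[b].append(a)
    return partners


if __name__ == "__main__":
    for dc, peers in replication_partners(["DCA", "DCB", "DCC"]).items():
        print(f"{dc}: {', '.join(peers)}")
```

For the three sales DCs this selects DCA-DCB (7.8 Mbit) and DCB-DCC (6.1 Mbit) and leaves out the slowest pair, DCA-DCC, which matches the tree given in the answer.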

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.