Appendix A -- Questions and Answers

Chapter 1 -- Introduction to Active Directory

Review Questions

  1. Your organization would like to include the languages in which each staff member is proficient in the Active Directory database. What action must you take to accomplish this and why?

    If you need to provide information about users not currently defined in the schema, you must extend the schema for the User class. The schema contains a formal definition of the contents and structure of Active Directory, including all attributes, classes, and class properties.
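The following script is an added example, not code from the book: it carries out the schema extension this answer describes by creating a multi-valued attribute for the User class with LDIFDE. The attribute name, OID, forest, user and file path are placeholders you would replace with your own values.

```powershell
# Added example (not from the book): extend the schema so User objects can
# carry a multi-valued "languagesSpoken" attribute. The attribute name, the
# OID and the forest are placeholders; replace them with your own values.
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster        # schema writes go to this DC only
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$attrOid      = "1.2.840.113556.1.8000.2554.PLACEHOLDER"  # generate your own OID; never reuse one

# LDIF in three steps: create the attribute, reload the schema cache, add the
# attribute to the User class's mayContain list, then reload the cache again.
$ldif = @"
dn: CN=Languages-Spoken,$schemaNC
changetype: add
objectClass: attributeSchema
attributeID: $attrOid
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE
lDAPDisplayName: languagesSpoken
adminDisplayName: Languages-Spoken
adminDescription: Languages in which the staff member is proficient
searchFlags: 1

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,$schemaNC
changetype: modify
add: mayContain
mayContain: languagesSpoken
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
"@
Set-Content -Path .\languages-spoken.ldf -Value $ldif -Encoding ASCII

# Import while logged on as a member of Schema Admins, against the schema master.
ldifde -i -f .\languages-spoken.ldf -s $schemaMaster -k -j .

# Verify the attribute exists, then populate it for a (placeholder) user.
Get-ADObject -SearchBase $schemaNC -Filter 'lDAPDisplayName -eq "languagesSpoken"' -Server $schemaMaster
Set-ADUser -Identity jdoe -Add @{languagesSpoken = @("English", "Spanish")}
```

Run it first in a test forest: a schema attribute, once added, cannot be deleted, only deactivated, so the OID and lDAPDisplayName stay reserved in that forest for good.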

  2. How would you arrange two OUs, Orders and Deliveries, so that the Orders OU has administrative control of the Deliveries OU but the Deliveries OU does not have administrative control of the Orders OU?

    By adding OUs to other OUs, or nesting, you can provide administrative control in a hierarchical fashion. By nesting the Deliveries OU within the Orders OU, the Orders OU has administrative control of the Deliveries OU but the Deliveries OU does not have administrative control of the Orders OU.

  3. You are considering adding global catalog servers to your network. What are the advantages of such an action? Disadvantages?

    Additional global catalog servers can provide quicker responses to user inquiries, as well as redundancy. However, additional global catalog servers can require more bandwidth for replication traffic.

  4. Your client requires all Windows computers in his organization to display the company logo as the background wallpaper. What action should you take?

    To create a specific desktop configuration such as background wallpaper for all Windows computers in an organization, you create group policy objects (GPOs) for sites, domains, or OUs. To display the logo on every computer in the organization, you need to apply a global GPO.

  5. Your network has a parent domain named stateuniversity.microsoft.com. You want to add a child domain named stateuniversity.expedia.com to form a tree. Can you arrange these domains in a tree? Why or why not?

    A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a contiguous namespace and a hierarchical naming structure. The parent domain stateuniversity.microsoft.com and the domain stateuniversity.expedia.com do not form a contiguous namespace. Therefore, you cannot arrange these domains in a tree.

Chapter 2 -- Introduction to Designing a Directory Services Infrastructure

Lab 2.1: Analyzing Business Environment

Exercise: Analyzing a Current Business Structure

Business Structures Worksheet

  1. Diagram the administrative structure of your organization.


  2. List and briefly describe the purpose of each division or department in the administrative structure. Where do these divisions report?

    The Administration department serves as the decision-making unit of the organization and carries out administrative functions. The Maintenance department is responsible for maintaining the company's aircraft. The Operations department is responsible for coordinating the components that keep the aircraft flying, such as scheduling food purveyors, baggage handlers, pilots and flight attendants, and purchasing fuel. The Sales department is responsible for advertising and selling seats on airline flights. The Maintenance, Operations, and Sales departments report to the Administration department.

  3. Indicate the number of network users in each division of the administrative structure and the total number of network users in the organization.

    Users in each department: Administration (75), Maintenance (40), Operations (100), Sales (50). Total number of network users: 265.

  4. Diagram the geographical structure of your organization.

  5. List each administrative division and describe where it is located in the geographical structure.

    Administration: Butte, MT. Maintenance: Salt Lake City, UT. Operations: Reno, NV. Sales: Boise, ID, and Laramie, WY.

  6. List the number of network users in each location.

    Butte, MT: 75. Salt Lake City, UT: 40. Reno, NV: 100. Boise, ID: 30. Laramie, WY: 20.

  7. Describe how the network users in each department currently use the network.

    The Administration department uses the network for marketing, accounting, training, and IT functions. The Maintenance department uses the network to document their maintenance activities and to maintain parts inventories. The Operations department uses the network to coordinate the scheduling of food purveyors, baggage handlers, pilots and flight attendants, and purchasing fuel. The Sales department uses the system for ticketing and developing advertisements.

  8. Add any special operations to your administrative structure diagram.

    There are no special operations at Vigor Airlines.

Review Questions

  1. You are the manager of your organization's IT department. You assemble a design team that consists of a system administrator, a network administrator, a member of your help desk team, a systems trainer from the training department, and you. What pitfalls might you encounter with your current team?

    Because your team consists of four members of the IT department and only one member from outside the department, it is likely that your team will be unable to provide an accurate analysis of the entire organization. It is also likely that your team will be asked to redo your Active Directory infrastructure design because you have not involved any decision-making managers in your design team. By selecting members of the design team from the entire organization your team will be more effective.

  2. You are a design team member and receive a completed business environment analysis document for review. When reviewing the business structure you notice that the diagram shown below is the only diagram included in that part of the analysis. What other diagrams should be included as part of the business structure analysis?


    The diagram included in the business structure analysis shows the geographical structure of the network. A diagram showing the administrative structure must also be included in the analysis. An organization's administrative structure represents the functions, divisions, departments, or positions within an organization and how they are related, including the organization's hierarchy and authority structure.

  3. You have inventoried all the hardware devices used in your organization. What's the next step in conducting an analysis of hardware used in your organization?

    Compare your inventory with the list of Windows 2000 Server compatible hardware, available at http://www.microsoft.com/windows2000/upgrade/compat/default.asp.

Chapter 3 -- Creating a Forest Plan

Activity 3.1: Designing a Forest Model

Scenario: Adventure Works

  1. List the advantages of using a multiple forest model for Adventure Works.

    The advantages of using a multiple forest model are

    • To allow the retail IT management department to continue managing only the retail operations.
    • To allow Adventure Works to keep users in the retail network from accessing corporate resources unless explicit one-way trusts were created.

  2. List the disadvantages of using a multiple forest model for Adventure Works.

    The disadvantages of using a multiple forest model are

    • Multiple forests require the separate maintenance of corporate and retail network schema, configuration, global catalogs, security, explicit trusts, and domains.
    • Multiple forests do not allow for the creation of a single, company-wide schema and global catalog to meet senior management's goal of creating a single view of all products and systems.
    • Multiple forests do not provide retail employees with easy access to the corporate intranet and e-mail systems to meet management's goal of cultivating and recruiting employees from the retail stores for operations in the corporate office.

  3. Which model would you choose and why?

    Use a single forest model. The benefits of the single forest model (lower maintenance, meeting senior management goals) easily outweigh allowing the retail IT management department to continue managing only the retail operations.

Lab 3.1: Creating a Forest Model and Schema Modification Plan

Exercise 1: Designing a Forest Model

Exercise Questions

  1. List the advantages of using a multiple forest model for LitWare, Inc.

    The advantages of using a multiple forest model are

    • To allow the IT management departments to continue managing LitWare, Inc., and Lucerne Publishing separately.
    • To allow LitWare, Inc., to keep its users and users in Lucerne Publishing from accessing each other's resources unless explicit one-way trusts are created.

  2. List the disadvantages of using a multiple forest model for LitWare, Inc.

    The disadvantages of using a multiple forest model are

    • Multiple forests require the separate maintenance of schema, configuration, global catalogs, security, explicit trusts, and domains.
    • Multiple forests do not allow for the creation of a single, company-wide schema and global catalog.

  3. Would you use a single or a multiple forest model for LitWare, Inc.? Why?

    Use a multiple forest model. Because there are no initiatives to integrate the two businesses and it is likely that multiple schemas will be required, maintaining the businesses separately seems to be the best choice.

Exercise 2: Designing a Schema Modification Plan

Exercise Questions

  1. What items should be included in a schema modification plan for LitWare, Inc.?

    The following items should be included in a schema modification plan for LitWare, Inc.: Modification description, modification justification, assessment of impact, complete description of the new schema object class, and written approval to test the modification from the schema modification approval committee.

  2. Should the design team design a schema modification plan? Why or why not?

    The design team should not design a schema modification plan because it is likely that it is unnecessary. If the new inventory application is directory-enabled, it may automatically modify the schema, providing opportunities to handle the book title and ISBN without manually modifying the schema. You should examine all other alternatives before modifying the schema and you should be sure to test directory-enabled applications that modify the schema before installing them on the network.

Review Questions

  1. What is the number of forests you should strive for? Why?

    Because Windows 2000 domains in a forest share a single schema, configuration container, and global catalog and are linked by two-way transitive trusts, you should strive to have only one forest for your organization.

  2. Your organization is considering the implementation of four forests to handle business units that do not wish to work together. The decision makers do not realize the impact of multiple forests on users. What action should you take to assist the users?

    You should inform the decision makers how users are affected by multiple forests when logging on and when performing queries. In multiple forest scenarios, when users log on to a computer outside their own forest, they must specify the default UPN, which contains the full domain path for their user account, rather than just their easy-to-remember abstracted UPN. The default UPN is required because the domain controller in the forest will not be able to find the abstracted UPN in its global catalog. The user's abstracted UPN resides only in the global catalog in the user's forest. You should also inform the decision makers that to assist the users with queries, you will have to arrange for user training in making explicit queries across all of an organization's forests because the risk of users making incomplete or incorrect queries can affect how they perform their work.

  3. Your organization has implemented two forests. A user in the Accounting domain in Forest 1 needs to access resources located in the Finance domain in Forest 2. However, you must not allow the Finance domain in Forest 2 to access the Accounting domain resources in Forest 1. What must you do to allow access to the resources?

    Domain administrators in both domains must configure an explicit one-way nontransitive trust between the Accounting and Finance domains. If the Finance domain trusts the Accounting domain, users in the Accounting domain can access resources in the Finance domain, but users in the Finance domain cannot access resources in the Accounting domain. Then, either domain administrator, with the correct permissions in both forests, must import the resource object into Forest 1 using the LDIFDE command-line tool. The resource object replicates to Forest 1's global catalog and the user can find the object by querying Forest 1's global catalog. Finally, the user can access the resource in Forest 2.

  4. Why should you avoid changing the Active Directory schema?

    You should avoid changing the schema because the Active Directory schema contains hundreds of the most common object classes and attributes that users of a server system require. The need to change the schema is rare.

  5. You added a schema class object and a set of schema attribute objects to your organization's schema to represent products made by one of the divisions in the organization. After one year, that organization is spun off and the attributes are no longer needed. What should you do?

    When schema class or attribute objects are added, they cannot be deleted if they are no longer needed. They can only be deactivated. You cannot deactivate the base schema, however; you can deactivate only schema that you have added.

  6. Your organization has recently implemented Active Directory and currently has no plans to modify the schema. Why should you familiarize yourself with the base schema class and attribute objects?

    If you know the types of data that Active Directory will hold, you can more effectively determine whether to change the base schema in the future and whom the changes will affect.

Chapter 4 -- Creating a Domain Plan

Activity 4.1: Defining Domains

Scenario 1: Friendship Vineyards

  1. On the network architecture diagram, use a triangle to indicate the location of the domain(s) you would define for Friendship Vineyards.


  2. Explain your reasoning for defining the domain(s).

    Friendship Vineyards has no security requirements that cannot be handled within one domain. Although the company needs its administrators to apply group policies to the distribution personnel at all locations, the policies involve a user interface requirement, not a special administrative requirement. To satisfy the user interface requirement, administrators can apply policies to the distribution personnel at the OU level. A check of the network architecture diagram shows that all links are sound and there is no need to optimize replication. Since there are no requirements to preserve the existing Windows NT domains, Friendship Vineyards requires only one domain.

Scenario 2: Awesome Computers

  1. On the network architecture diagram, use a triangle to indicate the location of the domain(s) you would define for Awesome Computers.


  2. Explain your reasoning for defining the domain(s).

    Awesome Computers has password and account lockout security requirements at each regional office that cannot be handled within a domain. Therefore, the company needs to create a domain for each regional office. Because language settings are handled by clients in Windows 2000, there is no need to define domains based on language settings. Because of the legacy applications required in the Brazilian and Thai sales offices, each will require its own domain that must remain in mixed mode. Bits, Bytes & Chips, Inc., will also require its own domain to retain its presence on the Internet. Awesome Computers requires ten domains.

Activity 4.2: Defining a Root Domain, Defining a Domain Hierarchy, and Naming Domains

Scenario 1: Friendship Vineyards

  1. On the network architecture diagram, draw a square around the domain you're defining as the forest root domain. Explain your reasoning for defining the forest root domain.

    Because the forest for Friendship Vineyards contains only one domain, the design team has designated the existing domain as the forest root domain.

  2. Complete a domain hierarchy diagram for Friendship Vineyards.

    Because the forest for Friendship Vineyards contains only one domain, there is no domain hierarchy.

  3. Name the forest root domain.

    Because Friendship Vineyards has a Web presence using the DNS name f-100times.com, the forest root domain will need a new DNS name to distinguish it from the existing Internet domain. Your design team named the forest root domain corp.f-100times.com. Answers may vary.

Scenario 2: Awesome Computers

  1. On the network architecture diagram, draw a square around the domain you're defining as the forest root domain. Explain your reasoning for defining the forest root domain.

    The headquarters domain was selected as the forest root domain because it is the most critical to the operation of the organization and because IT decisions that affect the entire organization are handled by the Corporate IT Management department at headquarters. The design team did not feel it was necessary to create a dedicated forest root domain because headquarters is already serving as a separate administrative entity. However, the team realizes that it may still need to designate a dedicated domain and will revisit this issue later in the design process. The diagram below shows the forest root domain defined for Awesome Computers.


  2. Complete a domain hierarchy diagram for Awesome Computers, including the forest root domain, the tree root domains, and the remaining subdomains. Indicate any cross-link trusts that may be necessary by a dotted line.

    There are two trees and tree root domains, one for Awesome Computers and one for Bits, Bytes & Chips, Inc. The tree root domain for the Awesome Computers tree is also the forest root domain. To accommodate the regional offices and optimize trust relationships, regional offices will be child domains of the forest root domain, and the sales office domains in Thailand and Brazil will be grandchild domains of their respective regional domains. To accommodate the Brazilian sales office's need to access engineering resources at the European location, a cross-link trust has been established between the two domains. There are no child subdomains for Bits, Bytes & Chips, Inc. The domain hierarchy diagram is shown in the following figure.


  3. Name the domains in the domain hierarchy, including the forest root domain, the tree root domains, and the remaining subdomains.

    Because the organization already has an Internet presence using the DNS name a-100times.com, the forest root domain will be named corp.a-100times.com. The forest root domain is also the tree root domain for Awesome Computers. The tree root domain for Bits, Bytes & Chips, Inc., is named corp.b-100times.com. The child subdomains for Awesome Computers are named for each of the regional offices. The remaining grandchild subdomains are named for the corresponding sales offices. Answers may vary. The following figure shows the domain hierarchy diagram with domain names defined for Awesome Computers.


Lab 4.1: Creating a Domain Plan

Exercise: Creating a Domain Plan

Exercise Questions

  1. On the network architecture diagram, use a triangle to indicate the location of the domain(s) you would define for Parnell Aerospace. Explain your reasoning for defining the domain(s).

    The following figure shows the domains defined for Parnell Aerospace. Answers may vary. Domains were defined for the following reasons:

    • A domain was defined at the Phoenix location to meet special legal defense contractor requirements for storing product development files.
    • A domain was defined at the Tokyo location to meet the special password and account lockout settings requirements.
    • A domain was defined at the Berlin location to comply with German administration laws.
    • A domain was defined at the Paris location to comply with French law.
    • A domain was defined at the Lakes & Sons Seattle location to allow Lakes & Sons to function independently and continue its own Web presence.
    • A domain was defined at the Lakes & Sons Minneapolis location because it can be reached from the Seattle location by SMTP mail only.
    • Domains were defined at the New York, London, and Rio de Janeiro locations because various links connected to these locations could not effectively handle replication traffic.


  2. On the network architecture diagram, draw a square around the domain you're defining as the forest root domain. Explain your reasoning for defining the forest root domain.

    The previous figure shows the forest root domain defined for Parnell Aerospace. At the Phoenix headquarters, two separate departments handle IT management. One department handles IT management for the Phoenix office only, and the other handles IT management for the entire organization. The design team decided to add a dedicated domain as the forest root domain to separate the two IT management departments located in Phoenix and to reap the benefits of using a dedicated forest root domain. Answers may vary.

  3. Complete a domain hierarchy diagram for Parnell Aerospace. Name the domains in the domain hierarchy.

    Because Parnell Aerospace has registered the DNS name p-100times.com and Lakes & Sons has registered the DNS name l-100times.com, the organization will need two trees in its Active Directory infrastructure. The forest root domain will also serve as the tree root domain for the Parnell Aerospace tree, while the domain at the Seattle location will serve as the tree root domain for the Lakes & Sons tree.

    Users at all locations must often access engineering resources at the Phoenix location. Although each regional office domain must then go through the root domain to access resources at the Phoenix headquarters, there is no need to use cross-link trusts in this scenario except for possibly the domain at the Minneapolis location. Your design team must determine whether traffic between Minneapolis and headquarters warrants a cross-link trust.

    Because the organization already has an Internet presence using the DNS names p-100times.com and l-100times.com, the Parnell Aerospace tree root and forest root domain will be named corp.p-100times.com. The Lakes & Sons tree root domain will be named corp.l-100times.com. The child subdomains are named for the regional offices using the codes as defined by ISO 3166.

    The domain hierarchy diagram and domain names for Parnell Aerospace are shown in the following figure. Answers may vary.


Review Questions

  1. Your design team is defining domains for an organization. What are the four reasons for defining multiple domains?

    The four reasons for defining multiple domains are to meet security requirements, to meet administrative requirements, to optimize replication traffic, and to retain Windows NT domains.

  2. Your design team is defining the forest root domain for an organization. What are the reasons for designating an existing domain as a forest root domain? What are the reasons for designating a dedicated domain as the forest root domain?

    The reasons for designating an existing domain as the forest root domain are

    • Your forest contains only one domain.
    • Your forest contains multiple domains and you can select the domain that is the most critical to the operation of your organization from one of them, but you have no desire to regulate membership in the Enterprise Admins and Schema Admins predefined universal groups in the forest root domain, create a small forest root domain for easier replication, or avoid obsolescence of the root domain name.

    The reasons for designating a dedicated domain as the forest root domain are

    • Your forest contains multiple domains and you cannot select the domain that is the most critical to the operation of your organization from one of them. The new domain will be dedicated to the operations associated with enterprise management and should not contain any user or many computer accounts.
    • Your forest contains multiple domains and you can select the domain that is the most critical to the operation of your organization from one of them, but you want to regulate membership in the Enterprise Admins and Schema Admins predefined universal groups in the forest root domain, create a small forest root domain for easier replication, or avoid obsolescence of the root domain name.

  3. Your design team is defining the domain trees for an organization. What is the reason for designating more than one domain tree?

    Your team may need to define more than one domain tree if your organization has more than one DNS name.

  4. Your design team is getting ready to create the w-100times.com forest root domain for Wingtip Toys. What should you do before creating the domain?

    You should be sure to register and receive verification for domain names before creating your Active Directory domain namespace. After you name your forest root domain you cannot change it and it is difficult to change other domain names.

  5. Your design team is determining the existing DNS service used by an organization. What DNS services meet the DNS server requirements to support Active Directory? What DNS service allows you to use Active Directory-integrated zones?

    DNS BIND version 8.1.2 or later and Windows NT 4 DNS meet the DNS server requirements to support Active Directory.

    Although these DNS services are compatible with Active Directory, only the Windows 2000 DNS service allows you to use Active Directory-integrated zones, incremental zone transfer, and secure dynamic updates.

Chapter 5 -- Creating an Organizational Unit Plan

Activity 5.1: Defining OU Structures

Scenario: Arbor Shoes

  1. Diagram the OU structures needed to delegate administration for the corp.a-100times.com domain. Explain your reasoning for defining each OU.

    Because each of the three locations has a small autonomous IT staff to handle support tasks, OUs were set up for San Francisco, Houston, and Boston. An administrative group at each location will have full control over its top-level OU. Because there are separate administrative groups at each location to handle the basic administration of users, the administration of computers, and the administration of resources, three second-level OUs were set up at each location for each top-level OU.

  2. Diagram the OU structures needed to hide objects. Explain your reasoning for defining each OU.

    Arbor Shoes has no requirements for hiding objects.

  3. Diagram the OU structures needed to administer group policy. Explain your reasoning for defining each OU.

    A GPO applied to the top-level OU at each location can meet the requirement of providing a specific logon and logoff script for all users at each location, except for users in the Finance department. An additional third-level OU must be defined for the Finance department in each location. Then, a separate GPO must be linked to each Finance department OU in order to provide the separate logon script for users in the Finance department at each location. In addition, Block Policy Inheritance must be set for each Finance department OU so the logoff script set for all users at each location is not inherited by the Finance department.

    The following figure shows the OU structures defined to delegate administration and to administer group policies for Arbor Shoes.
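The script below is an added example, not part of the book's answer: it builds the Arbor Shoes OU structure described in questions 1 and 3 and links the two GPOs with inheritance blocked on the Finance OUs. The domain DN comes from the activity; the second- and third-level OU names, the IT group names and the GPO names are assumptions.

```powershell
# Added example (not from the book): Arbor Shoes OU structure, delegation and
# group policy links. Sub-OU names, admin group names and GPO names are assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = "DC=corp,DC=a-100times,DC=com"      # domain named in the activity
$locations = @("San Francisco", "Houston", "Boston")

foreach ($loc in $locations) {
    $locDN = "OU=$loc,$domainDN"
    New-ADOrganizationalUnit -Name $loc -Path $domainDN

    # Second-level OUs: one per administrative group at each location.
    foreach ($sub in "Users", "Computers", "Resources") {
        New-ADOrganizationalUnit -Name $sub -Path $locDN
    }
    # Third-level OU for the Finance department, carved out of Users.
    $financeDN = "OU=Finance,OU=Users,$locDN"
    New-ADOrganizationalUnit -Name "Finance" -Path "OU=Users,$locDN"

    # Full control over the top-level OU for the location's IT group (assumed
    # name "<Location> IT Admins"); GA = generic all, /I:T = object and children.
    $adminGroup = "CORP\$loc IT Admins"
    dsacls "$locDN" /I:T /G "${adminGroup}:GA"

    # Location-wide logon and logoff scripts, linked at the top-level OU.
    $locGpo = New-GPO -Name "$loc Logon-Logoff Scripts"
    New-GPLink -Name $locGpo.DisplayName -Target $locDN -LinkEnabled Yes

    # Finance gets its own logon-script GPO; inheritance is blocked so the
    # location-wide logoff script does not reach the Finance OU.
    $finGpo = New-GPO -Name "$loc Finance Logon Script"
    New-GPLink -Name $finGpo.DisplayName -Target $financeDN -LinkEnabled Yes
    Set-GPInheritance -Target $financeDN -IsBlocked Yes
}

# Check: every Finance OU reports blocked inheritance and exactly one link.
foreach ($loc in $locations) {
    $inh = Get-GPInheritance -Target "OU=Finance,OU=Users,OU=$loc,$domainDN"
    "{0}: blocked={1}, links={2}" -f $loc, $inh.GpoInheritanceBlocked, $inh.GpoLinks.Count
}
```

The script bodies themselves are attached in the Group Policy editor under User Configuration, Windows Settings, Scripts. Blocking inheritance stops every non-enforced GPO linked above the OU, including domain-linked ones, so any domain policy Finance must still receive has to be marked Enforced (No Override in Windows 2000 terminology).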


Activity 5.2: Planning User Accounts

Scenario: Dearing School of Fine Art

In the table below, place the new student accounts, by account name, in the appropriate OU.

OU                     New student accounts
---------------------  --------------------------------
FTUsers (Fiber Arts)   joberry, mengphua
PTUsers (Fiber Arts)   PT-sarahakh, PT-martawol
FTUsers (Painting)     joshbarn, sherriha, karankha
PTUsers (Painting)     PT-Christin
FTUsers (Drawing)      christob, robyoung
PTUsers (Drawing)      PT-micheald
Computer Art           matthewd, lisajaco

Activity 5.3: Planning Groups

Scenario: The Ski Haus

  1. Explain how your design team will use security groups to allow the Product Design users in each domain full control of the ski hat design databases in their domains.

    Set up a Denver Product Design global group and add the Denver Product Designer users to the group. Set up a Geneva Product Design global group and add the Geneva Product Designer users to the group. Then add the Denver Product Design global group to a Denver Product Design domain local group and add the Geneva Product Design global group to a Geneva Product Design domain local group. Grant full control permissions for the ski hat design database to each domain local group.

  2. Explain how your design team will use security groups to allow the Product Design users in each domain read permission to the Denver and Geneva ski hat design databases.

    Set up a Denver domain local group that has read permission for the ski hat design database. Add the Geneva Product Design global group to the Denver domain local group. Set up a Geneva domain local group that has read permission for the ski hat design database. Then add the Denver Product Design global group to the Geneva domain local group.

  3. Explain how your design team will use security groups to allow all Product Design users in both domains change permission to the ski sweater design database in Geneva.

    Set up a universal group. Set up a domain local group in the Geneva domain that has change permission for the ski sweater design database. Add the Geneva Product Design global group and the Denver Product Design global group to the universal group. Add the universal group to a domain local group in Geneva.
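The three answers above follow one pattern: accounts go into global groups, global groups into domain local groups, and permissions are granted only to the domain local groups (AGDLP), with a universal group used where one group must span both domains. The script below is an added example, not the book's code, implementing all three answers; the domain DNS and NetBIOS names, user names, group names and share paths are placeholders.

```powershell
# Added example (not from the book): The Ski Haus group design as AGDLP
# (Accounts -> Global -> Domain Local -> Permissions). Domain names, user
# names, group names and share paths are placeholders.
Import-Module ActiveDirectory

$denver = "denver.skihaus.example"   # placeholder DNS names for the two domains
$geneva = "geneva.skihaus.example"

# 1. Global groups hold each domain's own Product Design users (A -> G).
New-ADGroup -Name "Denver Product Design" -GroupScope Global -GroupCategory Security -Server $denver
New-ADGroup -Name "Geneva Product Design" -GroupScope Global -GroupCategory Security -Server $geneva
Add-ADGroupMember -Identity "Denver Product Design" -Members "dgreen", "dpatel" -Server $denver   # placeholder users
Add-ADGroupMember -Identity "Geneva Product Design" -Members "gmuller", "grossi" -Server $geneva
$denverGG = Get-ADGroup "Denver Product Design" -Server $denver
$genevaGG = Get-ADGroup "Geneva Product Design" -Server $geneva

# Domain local groups in each domain carry the permissions (G -> DL -> P):
# full control for the home domain's designers ...
New-ADGroup -Name "Hat DB Full Control" -GroupScope DomainLocal -GroupCategory Security -Server $denver
Add-ADGroupMember -Identity "Hat DB Full Control" -Members $denverGG -Server $denver
New-ADGroup -Name "Hat DB Full Control" -GroupScope DomainLocal -GroupCategory Security -Server $geneva
Add-ADGroupMember -Identity "Hat DB Full Control" -Members $genevaGG -Server $geneva

# 2. ... and read permission for the other domain's designers. A domain local
# group may contain global groups from any trusted domain.
New-ADGroup -Name "Hat DB Read" -GroupScope DomainLocal -GroupCategory Security -Server $denver
Add-ADGroupMember -Identity "Hat DB Read" -Members $genevaGG -Server $denver
New-ADGroup -Name "Hat DB Read" -GroupScope DomainLocal -GroupCategory Security -Server $geneva
Add-ADGroupMember -Identity "Hat DB Read" -Members $denverGG -Server $geneva

# 3. One universal group collects both global groups and is nested into a
# Geneva domain local group that holds Change (Modify) on the sweater database.
New-ADGroup -Name "All Product Design" -GroupScope Universal -GroupCategory Security -Server $geneva
Add-ADGroupMember -Identity "All Product Design" -Members $denverGG, $genevaGG -Server $geneva
New-ADGroup -Name "Sweater DB Change" -GroupScope DomainLocal -GroupCategory Security -Server $geneva
Add-ADGroupMember -Identity "Sweater DB Change" -Members (Get-ADGroup "All Product Design" -Server $geneva) -Server $geneva

# Permissions are granted only to the domain local groups. Run these on the
# file server that holds each database (placeholder paths and NetBIOS names).
icacls "D:\Designs\SkiHats"     /grant "DENVER\Hat DB Full Control:(OI)(CI)F"
icacls "D:\Designs\SkiHats"     /grant "DENVER\Hat DB Read:(OI)(CI)RX"
icacls "E:\Designs\SkiSweaters" /grant "GENEVA\Sweater DB Change:(OI)(CI)M"

# Check the nesting: the universal group should list both global groups.
Get-ADGroupMember -Identity "All Product Design" -Server $geneva | Select-Object Name, GroupScope, distinguishedName
```

Universal group membership is stored in the global catalog, so nesting the two global groups (rather than individual users) keeps the universal group's membership stable and avoids global catalog replication every time a designer is hired. In Windows 2000 a forest must be in native mode before universal security groups can be created.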

Lab 5.1: Defining an OU Structure and Security Groups

Exercise 5.1: Defining an OU Structure

Exercise Questions

  1. Create an OU structure diagram for Uncle Bob's Root Beer that supports the needs indicated in the scenario.


    This diagram presents one possible answer. You may have named or planned your OU structure differently.

  2. Complete the table below to document each OU in your design, the reason for creating it, and the users and computers that it contains.

    OU created   | Reason created                                                                            | Users and computers contained in the OU
    -------------|-------------------------------------------------------------------------------------------|----------------------------------------
    Melbourne    | Provides delegation of administration to Melbourne IT management organization.            | User and computer accounts for Melbourne regional office, except Production servers, HR servers, and Distribution users.
    Chicago      | Provides delegation of administration to Chicago IT management organization.              | User and computer accounts for Chicago regional office, except Production servers, HR servers, and Distribution users.
    Berlin       | Provides delegation of administration to Berlin IT management organization.               | User and computer accounts for Berlin regional office, except Production servers, HR servers, and Distribution users.
    New Delhi    | Provides delegation of administration to New Delhi IT management organization.            | User and computer accounts for New Delhi regional office, except Production servers, HR servers, and Distribution users.
    New Products | Provides delegation of administration to New Products IT management organization.         | User and computer accounts for the New Products department.
    MelProd      | Provides delegation of administration of server resources to the Melbourne Production department. | Melbourne Production servers.
    ChiProd      | Provides delegation of administration of server resources to the Chicago Production department.   | Chicago Production servers.
    BerlinProd   | Provides delegation of administration of server resources to the Berlin Production department.    | Berlin Production servers.
    NDProd       | Provides delegation of administration of server resources to the New Delhi Production department. | New Delhi Production servers.
    MelHRSrv     | Hides Melbourne HR servers.                                                               | Melbourne HR servers.
    ChiHRSrv     | Hides Chicago HR servers.                                                                 | Chicago HR servers.
    BerlinHRSrv  | Hides Berlin HR servers.                                                                  | Berlin HR servers.
    NDHRSrv      | Hides New Delhi HR servers.                                                               | New Delhi HR servers.
    MelDist      | Applies distribution tracking tool using GPO.                                             | Melbourne Distribution users.
    ChiDist      | Applies distribution tracking tool using GPO.                                             | Chicago Distribution users.
    BerlinDist   | Applies distribution tracking tool using GPO.                                             | Berlin Distribution users.
    NDDist       | Applies distribution tracking tool using GPO.                                             | New Delhi Distribution users.

    This table presents one possible answer. You may have named or planned your OU structure differently.

Exercise 5.2: Defining Groups

Exercise Questions

Complete the table below to document your security group design. Include the name of each security group, the group scope, and the members of the group. Also note whether the members are individuals or list group names if the members are groups.

Group | Scope | Members
Chicago Production Server Administrators | Global | Chicago Production Server Administrators (individuals)
Chicago Production Managers | Global | Chicago Production Managers (individuals)
Chicago Distribution Managers | Global | Chicago Distribution Managers (individuals)
Chicago Production Specialists | Global | Chicago Production Specialists (individuals)
Worldwide Production Managers | Global | Melbourne Production Managers, Chicago Production Managers, Berlin Production Managers, New Delhi Production Managers
Worldwide Distribution Managers | Global | Melbourne Distribution Managers, Chicago Distribution Managers, Berlin Distribution Managers, New Delhi Distribution Managers
Formulas full | Domain local | Chicago Production Server Administrators
Formulas read | Domain local | Chicago Production Specialists, Worldwide Production Managers
Formulas change | Domain local | Chicago Production Managers
Production and bottling logs full | Domain local | Chicago Production Server Administrators
Production and bottling logs read | Domain local | Chicago Production Specialists, Worldwide Production Managers, Chicago Distribution Managers
Production and bottling logs change | Domain local | Chicago Production Managers
Customer service logs full | Domain local | Chicago Production Server Administrators
Customer service logs read | Domain local | Chicago Production Specialists, Worldwide Production Managers, Worldwide Distribution Managers
Customer service logs change | Domain local | Chicago Production Managers

This table presents one possible answer. You may have named or planned your group structure differently.

Review Questions

  1. Your design team is getting ready to define OU structures for your organization's Active Directory infrastructure design. What are the three reasons for defining an OU? What is the primary reason?

    The three reasons for defining an OU are: to delegate administration, to hide objects, and to administer group policy. The primary reason for defining an OU is to delegate administration.

  2. Your design team has defined an OU to delegate control of user objects. You have diagrammed the desired OU, diagrammed a security group, and listed the administrators who require control of the user object class in the group. You want to allow the OU to set its own membership. Where should the administrator group be placed?

    If the OU is allowed to set its own membership, place the administrator group inside the OU.

  3. Your design team has defined a forest, domains, and OUs. Where should user accounts be placed?

    Place the user accounts in the OU administered by the administrative groups and GPOs that apply to the account.

  4. Your design team is assigning users to groups. Which group scope is most often used to assign permissions to resources?

    Domain local security groups are most often used to assign permissions to resources.

  5. Your organization is running Windows 2000 in native mode. The design team is adding users to groups. Why shouldn't the team add individual users to universal groups?

    You should avoid adding individual users to universal groups because when you update the membership of a universal group, the complete membership of the group is replicated to all global catalog servers in the forest, creating a large amount of network traffic. To ensure minimal impact on replication traffic, you should add global groups, not individual users, to universal groups and change the membership of universal groups as infrequently as possible.
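The group design in Activity 5 question 3 and Exercise 5.2, and the universal-group advice in review question 5, modelled as an added example (not code from the training kit): it enforces the native-mode nesting rules for each scope, flattens nested membership to the users who end up with change permission on the Geneva design database, and flags universal groups that hold users directly. User names, group names and the domain labels geneva/denver are constructed.

```python
# Added example (not from the training kit): AGDLP/AGUDLP group nesting from
# Activity 5 and Exercise 5.2 under Windows 2000 native-mode rules. Names and
# the domain labels "geneva"/"denver" are constructed for illustration.
from collections import deque

# Allowed members per group scope: (member scope, must be in the same domain).
# "user" is a pseudo-scope that lives in the user's own domain.
NESTING_RULES = {
    "global":       {("user", True), ("global", True)},
    "universal":    {("user", False), ("global", False), ("universal", False)},
    "domain local": {("user", False), ("global", False), ("universal", False),
                     ("domain local", True)},
}

class Principal:
    """A user account (scope="user") or a security group in a given domain."""
    def __init__(self, name, domain, scope="user"):
        self.name, self.domain, self.scope = name, domain, scope
        self.members = []          # always empty for users

def nesting_allowed(group, member):
    """True if native mode permits `member` as a direct member of `group`."""
    same_domain = group.domain == member.domain
    return any(scope == member.scope and (same_domain or not needs_same)
               for scope, needs_same in NESTING_RULES[group.scope])

def add_member(group, member):
    """Nest `member` into `group`, rejecting combinations native mode forbids."""
    if not nesting_allowed(group, member):
        raise ValueError(f"cannot add {member.scope} '{member.name}' ({member.domain}) "
                         f"to {group.scope} group '{group.name}' ({group.domain})")
    group.members.append(member)

def _walk(group):
    # Yield each group reachable through nesting, each exactly once.
    seen, queue = set(), deque([group])
    while queue:
        g = queue.popleft()
        if id(g) not in seen:
            seen.add(id(g))
            yield g
            queue.extend(m for m in g.members if m.scope != "user")

def effective_users(group):
    """Every user who inherits the permissions assigned to `group`."""
    return {m.name for g in _walk(group) for m in g.members if m.scope == "user"}

def universal_groups_with_direct_users(group):
    """Review question 5: universal groups that hold users directly (avoid this)."""
    return [g.name for g in _walk(group)
            if g.scope == "universal" and any(m.scope == "user" for m in g.members)]

def ski_sweater_change_group():
    """Geneva and Denver Product Design users get change permission (AGUDLP)."""
    geneva_pd = Principal("Geneva Product Design", "geneva", "global")
    denver_pd = Principal("Denver Product Design", "denver", "global")
    add_member(geneva_pd, Principal("g.alice", "geneva"))
    add_member(denver_pd, Principal("d.carol", "denver"))
    all_pd = Principal("All Product Design", "geneva", "universal")
    add_member(all_pd, geneva_pd)
    add_member(all_pd, denver_pd)
    change = Principal("SkiSweaterDB Change", "geneva", "domain local")
    add_member(change, all_pd)          # the domain local group carries the ACL
    return change
```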

Chapter 6 -- Creating a Site Topology Plan

Activity 6.1: Defining Sites and Placing Domain Controllers in Sites

Scenario: Ramona Publishing

  1. Diagram the sites needed for Ramona Publishing. Explain your reasoning for defining each site.

    Sites were defined for the following reasons:

    • Each location has a high-speed backbone that connects a set of 10-100 Kbps LANs.
    • The San Juan location is connected to the Miami headquarters only by SMTP mail.


  2. Place the domain controllers needed for Ramona Publishing. Explain your reasoning for placing each domain controller.

    The reasons for locating domain controllers in this manner are

    1. There is a one-to-one relationship between the following sites and domains:
      • Miami—hq.r-100times.com
      • Mexico City—mx.r-100times.com
      • Buenos Aires—sa.r-100times.com
      • San Juan—pr.r-100times.com
      • Madrid—eu.r-100times.com

        Therefore two domain controllers are placed in each of these sites.

    2. The Los Angeles and New York sites are both contained in the us.r-100times.com domain. To meet minimum requirements, one domain controller is placed in each site. To handle the relatively large number of users in the Los Angeles site, an additional domain controller is placed in the Los Angeles site.


Lab 6.1: Creating a Site Topology Plan

Exercise: Creating a Site Topology Plan

Exercise Questions

  1. Begin your site topology diagram by indicating the sites needed for Fabrikam, Inc. Explain your reasoning for defining each site.

    Sites were defined for the following reasons:

    • Each location has a high-speed backbone that connects a set of 10-100 Kbps LANs.
    • The Sapporo location is connected to the Tokyo location by SMTP mail only.

  2. Indicate the domain controllers needed for Fabrikam, Inc., on your site topology diagram. Explain your reasoning for placing each domain controller as you did.

    The reasons for locating domain controllers in this manner are

    There is a one-to-one relationship between the following sites and domains:

    • Sapporo—sp.north.corp.f-100times.com
    • Nagoya—hq.corp.f-100times.com
    • Fukuoka—fk.south.corp.f-100times.com

    Therefore two domain controllers are placed in each of these sites.

    The Tokyo, Yokohama, and Kawasaki sites are all contained in the north.corp.f-100times.com domain. To meet minimum requirements, one domain controller is placed in each site. To handle the relatively large number of users in the Tokyo site, an additional domain controller is placed in the Tokyo site.

    The Kyoto and Osaka sites are both contained in the south.corp.f-100times.com domain. To meet minimum requirements, one domain controller is placed in each site.

  3. Indicate the site links needed for Fabrikam, Inc., on your site topology diagram. Name each site link by using the first two letters of each connected site name. Indicate the site link configurations for each site link in the table below.

    Site Link | Transport | Cost | Frequency | Availability
    Na-To | IP | 25 | 15 min | always
    Na-Os | IP | 25 | 15 min | always
    To-Os | IP | 25 | 15 min | always
    To-Yo | IP | 50 | 1 hr | 2300 to 0500 daily
    To-Ka | IP | 50 | 1 hr | 2300 to 0500 daily
    Os-Ky | IP | 50 | 1 hr | 2300 to 0500 daily
    Os-Fu | IP | 100 | 2 hr | 2300 to 0500 daily
    To-Sa | SMTP | 100 | 2 hr | 2300 to 0500 daily

    Cost, frequency, and availability answers may vary. However, because there are three different intersite link speeds, your site link table should have at least three costs.
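To see what the costs in the table actually do, here is an added example (not from the training kit) that loads the Fabrikam site link table and runs a least-cost search between sites. It goes slightly beyond the answer: the KCC/ISTG builds a least-cost spanning tree rather than per-pair paths, but the same relative costs decide which links carry replication, and restricting the graph to IP links shows why Sapporo needs the SMTP link.

```python
# Added example (not from the training kit): runs Dijkstra over the Fabrikam site
# link table to show which links the relative costs favour. The KCC/ISTG really
# builds a least-cost spanning tree; this only illustrates the effect of cost.
import heapq

# (link name, transport, cost) exactly as in the answer table
SITE_LINKS = [
    ("Na-To", "IP", 25), ("Na-Os", "IP", 25), ("To-Os", "IP", 25),
    ("To-Yo", "IP", 50), ("To-Ka", "IP", 50), ("Os-Ky", "IP", 50),
    ("Os-Fu", "IP", 100), ("To-Sa", "SMTP", 100),
]
# first two letters of each site name, as the link naming rule prescribes
ABBREV = {"Na": "Nagoya", "To": "Tokyo", "Os": "Osaka", "Yo": "Yokohama",
          "Ka": "Kawasaki", "Ky": "Kyoto", "Fu": "Fukuoka", "Sa": "Sapporo"}

def build_graph(links, transport=None):
    """Undirected adjacency map; optionally keep only one transport (e.g. "IP")."""
    graph = {}
    for name, tr, cost in links:
        if transport and tr != transport:
            continue
        a, b = (ABBREV[x] for x in name.split("-"))
        graph.setdefault(a, []).append((b, cost, name))
        graph.setdefault(b, []).append((a, cost, name))
    return graph

def cheapest_path(graph, src, dst):
    """Dijkstra: (total cost, [link names]) or (None, []) if dst is unreachable."""
    best = {src: 0}
    heap = [(0, src, [])]
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == dst:
            return cost, path
        if cost > best.get(site, float("inf")):
            continue                      # stale heap entry
        for nxt, c, name in graph.get(site, []):
            if cost + c < best.get(nxt, float("inf")):
                best[nxt] = cost + c
                heapq.heappush(heap, (cost + c, nxt, path + [name]))
    return None, []

def distinct_costs(links):
    """The answer expects at least three distinct costs for three link speeds."""
    return sorted({cost for _, _, cost in links})
```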

  4. Indicate the location of global catalog servers and operations masters for Fabrikam, Inc., on your site topology diagram. Explain your reasoning for placing each global catalog server and operations master.

    The reasons for locating global catalog servers in this manner are

    • One global catalog server is placed in all sites to meet minimum requirements.
    • Because placing more global catalog servers in each site will increase replication traffic, no additional global catalog servers are placed.

    The reasons for locating operations masters in this manner are

    • Because each domain has more than one domain controller, one of the DC1s in each domain was chosen as the operations master domain controller. The standby operations master controller is DC2 in sites where DC2s exist.
    • Because each domain is not very large, both the relative identifier master and PDC emulator roles were assigned to the operations master domain controller.
    • Because the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog, it was assigned to a DC2 in each domain.
    • Because the schema master and the domain naming master roles should always be assigned to a domain controller designated as the global catalog server, and because their load is very light, the forest-wide roles were assigned to DC1s.


Review Questions

  1. You are defining sites for an organization that has three sets of LANs, each connected by a T1 line. How many sites should you define?

    You should define a site for each LAN or set of LANs that are connected by a high-speed backbone or for a location that does not have direct connectivity to the rest of the network and is only reachable using SMTP mail. Because a T1 line is not a high-speed backbone, you should define three sites.

  2. You have placed the minimum number of domain controllers into sites for your organization. What are the reasons for placing additional domain controllers into sites?

    The reasons for placing additional domain controllers into sites are as follows:

    • There are a large number of users in the site and the link to the site is slow or near capacity.
    • The link to the site is historically unreliable or only intermittently available.

  3. You are configuring site links and you want to set up a site link table for your site topology plan. What configuration information should you include in the table?

    A site link table should include the site link name, method of replication transport, site link cost, replication frequency, and replication availability for each site link.

  4. Describe how Active Directory data is replicated between bridgehead servers during intersite replication. Then describe how Active Directory is replicated from the bridgehead server to other domain controllers within a site.

    Polling and pull replication are used between bridgehead servers during intersite replication. Pull replication is the most efficient for intersite replication because the destination domain controller knows which replication data to request. Notification and push replication are used for intrasite replication, when domain controllers are well connected and not restrained by site link schedules.

  5. You are assigning the infrastructure master role to a domain controller that has been designated as the global catalog server. Explain why you should do this only under certain conditions and explain those conditions.

    The infrastructure master role should not be assigned to the domain controller that has been designated as the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, and so will never replicate any changes to the other domain controllers in the domain. If all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.
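The operations master rules from the Fabrikam lab answer above and from this review question, as an added checker that is not code from the training kit: it flags an infrastructure master hosted on a global catalog server unless every domain controller in that domain is also a global catalog, and flags a forest-wide role on a domain controller that is not a global catalog. DC names and role sets are constructed; hq.corp.f-100times.com is the lab's own domain name.

```python
# Added example (not from the training kit): checks an operations master placement
# plan against the rules in the Fabrikam lab answer and review question 5.
# DC names and role assignments are constructed; the domain name is the lab's.
from dataclasses import dataclass, field

FOREST_ROLES = {"schema", "domain naming"}

@dataclass
class DomainController:
    name: str
    domain: str
    global_catalog: bool = False
    roles: set = field(default_factory=set)   # e.g. {"rid", "pdc", "infrastructure"}

def check_placement(dcs):
    """Return a list of findings; an empty list means the plan follows the rules."""
    findings, by_domain = [], {}
    for dc in dcs:
        by_domain.setdefault(dc.domain, []).append(dc)
    for domain, members in by_domain.items():
        all_gc = all(dc.global_catalog for dc in members)
        for dc in members:
            # An infrastructure master on a GC never sees stale cross-domain
            # references, so it never replicates corrections. That is harmless
            # only when every DC in the domain is also a GC.
            if "infrastructure" in dc.roles and dc.global_catalog and not all_gc:
                findings.append(f"{domain}: infrastructure master {dc.name} is a "
                                "global catalog server but other DCs are not")
            # Forest-wide roles belong on a DC designated as a global catalog.
            for role in sorted(FOREST_ROLES & dc.roles):
                if not dc.global_catalog:
                    findings.append(f"{domain}: {role} master {dc.name} is not a "
                                    "global catalog server")
    return findings

def sample_plan(infra_on_gc=False, all_gc=False):
    """Two-DC hq.corp.f-100times.com domain modelled on the lab answer: DC1 is the
    GC and holds RID/PDC plus the forest roles; DC2 is the standby and, by
    default, the infrastructure master."""
    dc1 = DomainController("HQ-DC1", "hq.corp.f-100times.com", True,
                           {"rid", "pdc", "schema", "domain naming"})
    dc2 = DomainController("HQ-DC2", "hq.corp.f-100times.com", all_gc, set())
    (dc1 if infra_on_gc else dc2).roles.add("infrastructure")
    return [dc1, dc2]
```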

Chapter 7 -- Creating an Active Directory Implementation Plan

Lab 7.1: Planning a Windows NT 4 Directory Services Migration to Windows 2000 Active Directory

Exercise: Planning a Windows NT 4 Directory Services Migration to Windows 2000 Active Directory

Exercise Questions

  1. What migration method(s) will you use to migrate to Windows 2000 Active Directory?

    Because the current Windows NT domain structure functions fairly well and the scenario mentions no special requirements for keeping the production environment running during the migration process, the domain upgrade method will be used to migrate the domains to Windows 2000.

    A dedicated root domain must be created in the Active Directory forest before the upgrade is performed. After the upgrade is performed, it will be necessary to consolidate the resource domains into OUs in the child domains.

  2. List the steps you will take to plan the migration.

    Answers may vary, but should include the following:

    1. A recovery plan will be established.

    2. The domains to be upgraded are listed in order. The dedicated root domain will be established first in the Windows 2000 forest. Then the master domains, STOCKS and CASH, will be upgraded followed by the resource domains, PHOENIX, TUSCON, and ALBUQUERQUE.

    3. List the strategy for upgrading domain controllers in each domain. For each of the STOCKS, CASH, PHOENIX, TUSCON, and ALBUQUERQUE domains in order, the PDC will be upgraded followed by the BDC.

    4. Indicate when you plan to switch to native mode. The switch to native mode will be made when resource domains are consolidated into OUs and when administrators are satisfied with the results of the migration.

    5. List the present location of resources in Windows NT and the OUs to which the resources will be consolidated. Resources in each of the resource domains will be consolidated into the stocks.s-100times.com and cash.s-100times.com domains as determined by user needs.

    6. Indicate the trust relationships that must be set up in order for users outside of the forest to access resources when they are consolidated in the target OU. There are no users outside of the forest that need to access resources consolidated into OUs.

Review Questions

  1. You are planning a Windows NT 4 Directory Services migration to Windows 2000 Active Directory. The current production environment cannot withstand any negative effects as a result of the migration process. What migration method should you use?

    Use the domain restructure method when the current production environment cannot withstand any negative effects as a result of the migration process.

  2. Why should you use the domain restructure method if the production environment cannot withstand any negative effects as a result of the migration process?

    A domain restructure migrates the existing Windows NT environment into a pristine Windows 2000 forest using a nondestructive copy. A pristine forest is an ideal Windows 2000 forest that is isolated from the Windows NT production environment and that operates in native mode. Domain accounts exist in both Windows NT and Windows 2000, and the Windows NT environment is retained until it is ready to be decommissioned.

  3. Your organization has just migrated to Windows 2000 Server and Exchange Server 5.5. You would like to propagate the user information in the Exchange Server directory service to your new Active Directory. What tool should you install to accomplish the synchronization, and where are the tool installation files located?

    To set up synchronization between Active Directory and Exchange Server 5.5, you must install the Active Directory Connector (ADC). The installation files for ADC are located on the Windows 2000 Server CD in the Valueadd\Msft\Mgmt\ADC folder.

  4. Your organization is running Windows 2000 and has just acquired a small company that uses NDS. You would like to synchronize the directory information with Active Directory. What tool should you install to accomplish the synchronization, and where are the tool installation files located?

    To enable users of Novell directory services to implement synchronization, Microsoft developed Microsoft Directory Synchronization Services (MSDSS), which is included with Services for NetWare version 5 (SFNW5).



MCSE Training Kit Exam 70-219(c) Designing a Microsoft Windows 2000 Directory Services Infrastructure
MCSE Designing a Microsoft Windows 2000 Directory Services Infrastructure Readiness Review; Exam 70-219 (Pro-Certification)
ISBN: 0735613648
Year: 2001
Pages: 76
