A Little Q&A

Exam 70-217 requires solid knowledge of Active Directory. Analyzing questions as well as answers (both right and wrong) can help prepare you for the task ahead.

The Implementing and Administering a Microsoft Windows 2000 Directory Services (i.e. Active Directory) Infrastructure exam is tough, requiring you to understand all the components of AD and what makes them tick. You'll be tested on everything from the logical structure of AD (forests, trees, domains, Organizational Units) and the physical components of AD (sites, site links, subnets, server objects), to AD migration issues and day-to-day troubleshooting and repair.

AD is touted by Microsoft as the next-generation directory service, and Microsoft knows that AD isn't very forgiving if poorly planned or implemented; therefore, it's going to be darn sure that MCSEs in the field are knowledgeable and ready to properly plan for, and deploy, Win2K AD domains. Let's analyze some sample questions and answers, to give you a taste of what's in store.

Question No. 1
You manage your company's single Windows 2000 domain, consisting of a main office in the U.S. with regional offices in Africa and South America. Dedicated 256-Kbps lines connect the locations. To minimize logon authentication traffic across the slow links, you create a site for each office and configure the site links between the sites. Users from Africa and South America complain that logons are slow. Using Network Monitor, you discover that all logon traffic is sent exclusively to the domain controllers in the U.S. site. What should you do to correct this problem?

  A. Create a subnet object for each physical location and associate the subnets with the South America site. Move each domain controller's server object to the South America site.
  B. Create a subnet object for each physical location and associate each subnet with its respective site. Move each domain controller's server object to its respective site.
  C. Schedule replication to occur less frequently between the sites.
  D. Schedule replication to occur more frequently between the sites.

Question No. 1 Analysis
To answer this question you must know how to optimize AD-related traffic across wide area network links. This can be done if you describe to AD what your physical network looks like and tell it when you want replication to occur. For this to work correctly you need to create/configure sites, site links and subnet objects. You also need to make sure your AD DCs are located in the appropriate sites.

A site is a collection of subnets that are connected to each other by LAN-speed links. Subnets that are connected by WAN-speed links should be in different sites. So you should create a site for the South America branch office, then create a subnet object for each of the physical subnets at that location and place them in the South America site. You should also make sure that any DCs that physically reside on those subnets are placed in the South America site. That way, a client trying to log on at a computer in South America can query DNS for a nearby DC (one in the same site). You would then, in turn, create sites for Africa and the U.S. and create and place subnet objects into the appropriate sites. Again, you would make sure that all U.S. domain controllers were placed in the U.S. site and all Africa DCs in the Africa site.

Answer A is incorrect. If you place all the subnet objects and DCs for the entire domain in the South America site, all clients will think they are in South America. You'll experience the same problem currently occurring, only with a different site.

Answers C and D are wrong. Setting a schedule on a site link only affects AD replication traffic (changes sent between DCs). You can't schedule when a client performs logon authentication.

Answer B is correct. You forgot to create the subnet objects and place them in the appropriate sites.
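Here is what the corrected configuration from answer B looks like when scripted, as an added example that is not part of the original article. It uses the ActiveDirectory PowerShell module cmdlets that ship with later Windows Server versions (Windows 2000 only had the Sites and Services snap-in, but the site, subnet and server objects it creates are the same). The site names, subnet ranges, DC names and the domain corp.example.com are constructed for the example.

```powershell
# Added example: describe the physical network to AD so that the DC locator
# hands each office's clients a DC in their own site.
# Requires the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later).
Import-Module ActiveDirectory

# Constructed topology: one site per office, the subnets at that office, and
# the server objects of the DCs that physically live on those subnets.
$topology = @{
    'US'           = @{ Subnets = @('10.1.0.0/16');                DCs = @('US-DC1', 'US-DC2') }
    'Africa'       = @{ Subnets = @('10.2.0.0/16');                DCs = @('AF-DC1') }
    'SouthAmerica' = @{ Subnets = @('10.3.0.0/16', '10.4.0.0/24'); DCs = @('SA-DC1') }
}

foreach ($siteName in $topology.Keys) {
    # Create the site once; Default-First-Site-Name already exists.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
        New-ADReplicationSite -Name $siteName
    }

    # The subnet object is what maps a client's IP address to a site. A client
    # on a subnet with no subnet object has no site, so it can be handed any
    # DC in the domain, which is exactly the symptom in the question.
    foreach ($cidr in $topology[$siteName].Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $siteName
        }
    }

    # Move each DC's server object into the site it physically sits in, so the
    # site actually has a DC for its clients to use.
    foreach ($dc in $topology[$siteName].DCs) {
        Move-ADDirectoryServer -Identity $dc -Site $siteName
    }
}

# Check 1: every subnet object should point at the intended site.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site

# Check 2: run on a machine in each office. The first command shows which site
# the machine's IP address resolved to; the second shows which DC the locator
# returned and that DC's site, which should now match.
nltest /dsgetsite
nltest /dsgetdc:corp.example.com
```

If `nltest /dsgetsite` comes back with no site, or with a site other than the office the machine is in, the subnet object for that machine's subnet is missing or attached to the wrong site, and the logon traffic will keep going wherever the locator happens to send it.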

Question No. 2
You have been managing a Windows 2000 network for the last six months. During that time you have deleted numerous objects, but the NTDS.DIT file has not decreased in size. You want to reduce the size of the NTDS.DIT file. What should you do? (Choose two.)

  A. Run the Esentutl utility with the /d switch.
  B. Use the NTDSUtil utility to perform a non-authoritative restore.
  C. Restart the server in directory services restore mode. Log in as the local admin.
  D. Use the NTDSUtil utility to compress the database to another drive.
  E. Delete all the log files from the NTDS folder and restart the server.

Question No. 2 Analysis
AD will perform an online defragmentation of the AD database (NTDS.DIT) automatically; although this will increase database performance, it won't decrease the size of the NTDS.DIT file. To reduce the file size when defragging, you need to perform an offline defrag during which the AD database is purposely placed in an offline mode.

The first step in an offline defrag is to boot the DC into DS Restore Mode (one of the F8 options upon boot up). This forces the AD database to be offline and requires you to log on using an admin account that exists in the local SAM on the DC. If you thought the local SAM wasn't functional on a DC, you're partially correct. When the AD database is online, the local SAM is offline. When the AD database is offline, the local SAM is online, as you have to log on as someone if you want to perform repair options against the AD database.

After booting into DS Restore mode (essentially Safe Mode without AD), you can use a utility called NTDSUtil to perform most of the AD repair functions. One of those functions is to do a "COMPACT TO dir location" where dir location is a file system path of your choice. This will create a defragged version of the NTDS.DIT file in the destination directory. It's up to you to then take this defragged (and reduced in physical size) file and copy it to the \WINNT\NTDS\ directory, thereby overwriting the original fragmented NTDS.DIT file.

This is one of those Microsoft questions that can drive you crazy. If you perform an offline defrag with NTDSUtil, you'll notice another utility, Esentutl, is invoked to perform the actual defragmentation. Esentutl is a stand-alone executable that can be run independent of NTDSUtil and has a switch, the /d switch, that'll perform an offline defrag.

Now we're in a quandary: Is the second correct answer A or D? We know for certain that one of the correct answers is C, as you must be in DS Restore mode to do an offline defrag. This question is plenty ambiguous, and your guess as to the other correct choice is as good as mine. It could be answer A or D. At this point you have a 50-50 chance of guessing right. It's a shame Microsoft introduces this level of ambiguity into the Win2K exams. A question like this doesn't promote technical know-how, but rather your ability to discern what Microsoft would consider the best answer, even if it isn't clear to the rest of us.

Answer B is incorrect because you're not trying to restore data, but instead free up drive space from deleted data. Answer E is wrong because the log files are just that—separate files—and have no bearing on reducing the size of the AD database that's been changed over a six-month period.
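The offline defrag described above (answers C and D, with Esentutl doing the work underneath) as a scripted procedure, added here as an example that is not part of the original article. It is run from an elevated prompt on the DC after restarting it with F8 into Directory Services Restore Mode and logging on with the DSRM (local SAM) administrator account; `C:\Defrag` is a constructed destination and can be any path with enough free space. The argument form of ntdsutil used here is that of later Windows versions; if your copy of ntdsutil does not accept commands as arguments, start it and type `files`, `compact to C:\Defrag`, `quit`, `quit` interactively.

```powershell
# Added example: offline defragmentation of NTDS.DIT.
# Precondition (manual): the DC has been booted into DS Restore Mode, so the
# AD database is closed and the local SAM is what you logged on with.
$ntdsDir   = Join-Path $env:SystemRoot 'NTDS'   # \WINNT\NTDS on Windows 2000
$dbFile    = Join-Path $ntdsDir 'ntds.dit'
$compactTo = 'C:\Defrag'                        # constructed destination path
New-Item -ItemType Directory -Path $compactTo -Force | Out-Null

# Record the size before, so the result can be verified afterwards.
$before = (Get-Item $dbFile).Length

# "files" enters the file maintenance menu; "compact to" writes a defragmented
# copy of the database to $compactTo. NTDSUtil invokes Esentutl to do the work,
# which is why "esentutl /d" shows up as a plausible answer on the exam.
ntdsutil "files" "compact to $compactTo" quit quit

# Keep the original before replacing it: if the compacted copy turns out to be
# unusable, this is what gets you back to a working DC.
Copy-Item $dbFile "$dbFile.bak"

# Replace the fragmented database with the compacted copy.
Copy-Item (Join-Path $compactTo 'ntds.dit') $dbFile -Force

# Confirm the replaced database is consistent, then report the space reclaimed.
ntdsutil "files" "integrity" quit quit
$after = (Get-Item $dbFile).Length
"NTDS.DIT: {0:N0} bytes before, {1:N0} bytes after" -f $before, $after
```

Only reboot normally once the integrity check passes. Microsoft's documented procedure also has you remove the old transaction logs from the NTDS folder after the compacted file is in place; that step alone, which is what answer E describes, reclaims nothing from the database itself.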

Question No. 3
You manage a single Windows 2000 Native mode domain with five domain controllers. After an electrical storm and subsequent power outage, the first domain controller installed experiences a hardware meltdown and will not restart. After the power outage, users report that password changes do not take effect for several hours and, until then, they are not able to log on using their new passwords.

What should you do to correct this problem?

  A. Boot another domain controller in DS Restore mode and use the NTDSUtil utility to transfer the Infrastructure master role.
  B. Boot another domain controller in DS Restore mode and use the NTDSUtil utility to seize the Infrastructure master role.
  C. Boot another domain controller in DS Restore mode and use the NTDSUtil utility to transfer the PDC Emulator master role.
  D. Boot another domain controller in DS Restore mode and use the NTDSUtil utility to seize the PDC Emulator master role.

Question No. 3 Analysis
Here's an AD troubleshooting question. Let's see if we can break this down into essential components. One DC is dead, but four others are functional. Password changes are happening slowly. If AD is multi-master and all DCs can change the AD database, why would this be happening?

Think back to NT 4.0. Password changes could only be processed by the PDC, because it was the only DC that had Read/Write access to the database. If all the desktop computers in this Win2K domain were NT 4.0 computers, then none of them would be able to change their passwords if the DC that appears to them as the PDC (emulator) was down. But the scenario states that password changes are occurring, just slowly.

The operations master role of PDC emulator does more than just masquerade as the PDC for legacy clients. It also performs an important function related to password changes for Win2K clients. Let's say DC1 is the PDC emulator. If you're bound to DC2 and change your password, that change is replicated preferentially to DC1, the PDC emulator. That way, if you're later bound to a different DC that hasn't yet received your password change via normal AD replication (DC2 to DC3, for example), you can still use your new password: DC3, unable to authenticate you with the new password, queries the PDC emulator to see if it knows of a more recent password for your account.

It also turns out that the very first DC installed into a Win2K domain assumes the role of PDC emulator. Since this was the DC that went belly up, we need to nominate some other DC to take over that role.

The question now is whether we transfer or seize the role. Since the original PDC emulator is dead, we can't peacefully transfer the role. We must seize the role instead. Answer D is correct.
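The seizure in answer D as a scripted procedure, added here as an example that is not part of the original article. It runs on a surviving, healthy DC in the domain; `DC2` is a constructed name for the DC that will take over the role. The `Get-ADDomain` calls need the ActiveDirectory PowerShell module of later Windows versions; on Windows 2000, `netdom query fsmo` from the Support Tools gives the same information.

```powershell
# Added example: seize the PDC Emulator role when its holder is gone for good.
$newHolder = 'DC2'   # constructed: the DC that should take over the role

# Seizing is the last resort. Confirm the current holder really is unreachable;
# if it still answers, a clean transfer ("transfer pdc") is the right tool.
$current = (Get-ADDomain).PDCEmulator
if (Test-Connection -ComputerName $current -Count 1 -Quiet) {
    Write-Warning "$current is still reachable; use 'transfer pdc' instead of seizing."
    return
}

# ntdsutil: enter the roles menu, bind to the DC that should take the role,
# then seize it. ntdsutil first attempts a graceful transfer and only seizes
# when the old holder cannot be contacted; it pops a confirmation dialog first.
ntdsutil roles connections "connect to server $newHolder" quit "seize pdc" quit quit

# Verify the role has moved to the new holder.
(Get-ADDomain).PDCEmulator
netdom query fsmo
```

After a seizure the dead DC must not be brought back onto the network as it was, since it would still believe it holds the role; rebuild it from scratch and remove its stale entries first with ntdsutil's metadata cleanup menu.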

Get Your Hands Dirty
A final word of caution—you must know how all the AD components, both logical and physical, interrelate to make AD work. You also need to be very fluent in the various methods for troubleshooting and repairing AD problems. You can learn what's required for passing this exam by spending some hands-on time with Win2K in an AD environment. By this point in the exam-taking process, you should already have a home or office Win2K lab set up. Play with AD in a single domain environment then branch out into a multiple domain environment. Microsoft has many good learning tools and resources, including the Win2K Resource Kit, which is especially helpful for understanding the ins and outs of AD. Regardless of your level of technical preparedness, be ready to face some tough questions on this exam.
