A Little Q&A
Exam 70-217 requires solid knowledge of Active Directory. Analyzing questions as well as answers (both right and wrong) can help prepare you for the task ahead.
- By James Carrion
- October 01, 2001
The Implementing and Administering a Microsoft
Windows 2000 Directory Services (i.e. Active Directory)
Infrastructure exam is tough, requiring you to
understand all the components of AD and what makes
them tick. You'll be tested on everything from
the logical structure of AD (forests, trees, domains,
Organizational Units) and the physical components
of AD (sites, site links, subnets, server objects),
to AD migration issues and day-to-day troubleshooting
and repair.
AD is touted by Microsoft as the next-generation
directory service, and Microsoft knows that AD
isn't very forgiving if poorly planned or implemented;
therefore, it's going to be darn sure that MCSEs
in the field are knowledgeable and ready to properly
plan for, and deploy, Win2K AD domains. Let's
analyze some sample questions and answers, to
give you a taste of what's in store.
Question No.1
You manage your company's single Windows
2000 domain, consisting of a main office in the
U.S. with regional offices in Africa and South
America. Dedicated 256-Kbps lines connect the
locations. To minimize logon authentication traffic
across the slow links, you create a site for each
office and configure the site links between the
sites. Users from Africa and South America complain
that logons are slow. Using Network Monitor, you
discover that all logon traffic is sent exclusively
to the domain controllers in the U.S. site. What
should you do to correct this problem?
- Create a subnet object for each physical location
and associate the subnets with the South America
site. Move each domain controller's server object
to the South America site.
- Create a subnet object for each physical location
and associate each subnet with its respective
site. Move each domain controller's server object
to its respective site.
- Schedule replication to occur less frequently
between the sites.
- Schedule replication to occur more frequently
between the sites.
Question No.1 Analysis
To answer this question you must know how
to optimize AD-related traffic across wide area
network links. You do this by describing your
physical network to AD (which IP subnets exist and
which of them are close to each other) and by telling
it when replication may occur. For this to work you
need to create and configure sites, site links and
subnet objects, and you need to make sure each DC's
server object sits in the site where that DC physically
lives.
A site is a collection of subnets connected to each
other by LAN-speed links. Subnets connected only by
WAN-speed links belong in different sites. Subnet
objects are what map a client's IP address to a site;
without them the DC locator has no way to know where
a client is, so it cannot prefer a nearby DC. So you
should create a site for the South America branch
office, then create a subnet object for each physical
subnet at that location and place those subnets in
the South America site. You should also make sure
that the server objects of any DCs that physically
reside on those subnets are in the South America
site. That way, a client logging on from a computer
in South America can query DNS for a DC in its own
site. You would then, in turn, create sites for Africa
and the U.S. and create and place subnet objects into
the appropriate sites, again making sure that all
U.S. domain controllers are in the U.S. site and the
Africa DCs in the Africa site.
Answer A is incorrect. If you place all the subnet
objects and DCs for the entire domain in the South
America site, every client will believe it is in
South America and you'll have the same problem,
only with a different site.
Answers C and D are wrong. A schedule on a site link
only affects AD replication traffic (changes sent
between DCs). You can't schedule when a client
performs logon authentication.
Answer B is correct. The scenario created sites and
site links but never created subnet objects, so no
client IP address maps to any site; creating the
subnets and placing the DC server objects in their
respective sites fixes that.
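The fix for Question 1, as an added example in PowerShell using the ActiveDirectory module (Windows Server 2012 or later, so it post-dates the Win2K exam, where the same objects are created by hand in the Active Directory Sites and Services console). This is not code from the article; the site names, subnet ranges, DC names and domain name are assumed for illustration, and the final nltest commands are the check you would run from a client in the branch office.

```powershell
# Added example, not from the original article. Site names, subnets, DC names and
# the domain name are assumed; substitute your own.
Import-Module ActiveDirectory

# One entry per site, listing the physical subnets that live there.
$sites = @{
    'US'           = @('10.1.0.0/16')
    'Africa'       = @('10.2.0.0/16')
    'SouthAmerica' = @('10.3.0.0/16', '10.3.200.0/24')
}

# The scenario already has the site objects; create any that are missing.
foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
}

# The step the scenario skipped: one subnet object per physical subnet, each
# associated with its site. This is what lets the DC locator map a client's IP
# address to a site and hand back a DC from that site.
foreach ($name in $sites.Keys) {
    foreach ($cidr in $sites[$name]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $name
        }
    }
}

# Move each branch DC's server object into the site whose subnets it sits on.
# Without this the DCs still register as members of the first site created.
$dcSites = @{ 'DC-SA1' = 'SouthAmerica'; 'DC-AF1' = 'Africa' }
foreach ($dc in $dcSites.Keys) {
    Move-ADDirectoryServer -Identity $dc -Site $dcSites[$dc]
}

# Verify from a client in South America. Netlogon caches the last answer, so
# /force asks the locator again rather than reusing the cached U.S. DC.
nltest /dsgetsite                                 # expect: SouthAmerica
nltest /dsgetdc:corp.example.com /force           # expect a DC in SouthAmerica
```

If `nltest /dsgetsite` still reports no site or the wrong one, the client's address is not inside any subnet object; the DCs log the unmapped address in their Netlogon logs, which is the quickest way to find the subnet you forgot.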
Question No.2
You have been managing a Windows 2000
network for the last six months. During that time
you have deleted numerous objects, but the NTDS.DIT
file has not decreased in size. You want to reduce
the size of the NTDS.DIT file. What should you
do? (Choose two.)
- Run the Esentutl utility with the /d switch.
- Use the NTDSUtil utility to perform a non-authoritative
restore.
- Restart the server in directory services restore
mode. Log in as the local admin.
- Use the NTDSUtil utility to compress the database
to another drive.
- Delete all the log files from the NTDS folder
and restart the server.
Question No. 2 Analysis
AD performs an online defragmentation of the AD
database (NTDS.DIT) automatically. Although this
improves database performance, it never shrinks the
NTDS.DIT file; freed pages stay inside the file. To
reduce the file size you need an offline defrag,
during which the AD database is deliberately taken
offline. Note, too, that deleted objects linger as
tombstones until garbage collection removes them
after the tombstone lifetime (60 days by default in
Win2K), so their space is not reclaimable before then
no matter how you defrag.
The first step in an offline defrag is to boot the
DC into DS Restore Mode (one of the F8 options at
boot). This forces the AD database offline and
requires you to log on with the DS Restore Mode
administrator account, the one whose password you
set when you ran dcpromo, which lives in the local SAM
on the DC. If you thought the local SAM wasn't
functional on a DC, you're partially correct. When
the AD database is online, the local SAM is offline.
When the AD database is offline, the local SAM is
online, because you have to log on as someone if you
want to perform repair operations against the AD
database. Because that account works precisely when
AD is not there to enforce policy, treat its password
as a high-value credential: set it deliberately,
keep it somewhere you can reach during an outage, and
change it when staff who knew it leave.
After booting into DS Restore Mode (essentially Safe
Mode without AD), you can use a utility called
NTDSUtil to perform most of the AD repair functions.
One of those functions, under its files menu, is
"COMPACT TO dir location", where dir location is a
file system path of your choice. This writes a
defragmented copy of NTDS.DIT to the destination
directory and leaves the original untouched. It's
then up to you to copy this defragmented (and
physically smaller) file over the original NTDS.DIT
in the directory that holds the database
(\WINNT\NTDS\ by default). Before you do, keep a copy
of the original file, and afterwards delete the old
transaction logs (EDB*.LOG) from the NTDS folder,
since they no longer match the database; run
NTDSUtil's files integrity check before rebooting
normally.
This is one of those Microsoft questions that
can drive you crazy. If you perform an offline
defrag with NTDSUtil, you'll notice that another
utility, Esentutl, is invoked to perform the actual
defragmentation. Esentutl is a stand-alone executable
that can be run independently of NTDSUtil and has a
switch, /d, that performs an offline defrag.
Now we're in a quandary: Is the second correct
answer A or D? We know for certain that one of the
correct answers is C, as you must be in DS Restore
Mode to do an offline defrag. The question is
ambiguous, and on the technical merits either A or D
does the job. The tiebreaker is that Microsoft's
documented offline-defrag procedure is the NTDSUtil
compact, with Esentutl treated as the lower-level
engine rather than the supported tool, so D is the
answer the exam is after. It's a shame Microsoft
introduces this level of ambiguity into the Win2K
exams. A question like this doesn't test technical
know-how so much as your ability to discern what
Microsoft would consider the best answer, even when
it isn't clear to the rest of us.
Answer B is incorrect because you're not trying to
restore data, but to free up drive space left by
deleted data. Answer E is wrong because the log files
are just that, separate transaction log files, and
deleting them does nothing to shrink a database that
has accumulated six months of changes; worse, if the
database was not shut down cleanly, deleting the logs
it still needs to replay can leave it unrecoverable.
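The offline defrag from Question 2, written out as an added PowerShell script rather than code from the article. It targets Windows Server 2008 or later, where AD DS is a stoppable service (stopping NTDS takes the database offline without a reboot); Win2K has no PowerShell, and there you boot to DS Restore Mode and type the same ntdsutil commands interactively. The temp and backup paths are assumed; the database path is read from the registry value dcpromo sets, and the `activate instance ntds` step is required on 2008+ but did not exist in Win2K.

```powershell
# Added example, not from the original article. Run elevated on the DC.
# $tempDir and $backup are assumed paths; the NTDS paths come from the registry.
$params  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath  = $params.'DSA Database file'          # e.g. C:\Windows\NTDS\ntds.dit
$logDir  = $params.'Database log files path'    # e.g. C:\Windows\NTDS
$ntdsDir = Split-Path $dbPath
$tempDir = 'C:\DefragTemp'
$backup  = 'C:\DefragBackup'

# 1. Note the current size and take the database offline. -Force also stops the
#    dependent services (KDC, DNS, Netlogon ...), which is what DSRM did on Win2K.
$before = (Get-Item $dbPath).Length
Stop-Service NTDS -Force

# 2. Keep the original database and logs. Overwriting ntds.dit with a bad
#    compacted copy and having nothing to fall back on is how this goes wrong.
New-Item -ItemType Directory -Path $backup, $tempDir -Force | Out-Null
Copy-Item (Join-Path $ntdsDir '*') $backup -Recurse -Force

# 3. The "COMPACT TO" the article describes (answer D). ntdsutil accepts its
#    menu commands as arguments; it drives esentutl /d underneath.
ntdsutil "activate instance ntds" files "compact to $tempDir" quit quit
$compacted = Join-Path $tempDir 'ntds.dit'
if (-not (Test-Path $compacted)) { throw "compact did not produce $compacted" }

# 4. Replace the original with the compacted copy and delete the old log files,
#    which no longer match the database and must not be replayed against it.
Copy-Item $compacted $dbPath -Force
Remove-Item (Join-Path $logDir '*.log') -Force

# 5. Check the new file before returning the DC to service; restore from
#    $backup if the integrity check reports anything but success.
ntdsutil "activate instance ntds" files integrity quit quit

Start-Service NTDS
$after = (Get-Item $dbPath).Length
'ntds.dit: {0:N0} bytes before, {1:N0} bytes after' -f $before, $after
```

If the "after" figure barely moves, the deleted objects are probably still tombstones; check the tombstone lifetime and when garbage collection last ran before assuming the defrag failed.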
Question No. 3
You manage a single Windows 2000 Native
mode domain with five domain controllers. After
an electrical storm and subsequent power outage,
the first domain controller installed experiences
a hardware meltdown and will not restart. After
the power outage, users report that password changes
do not take effect for several hours and, until
then, they are not able to log on using their
new passwords.
What should you do to correct this problem?
- Boot another domain controller in DS Restore
mode and use the NTDSUtil utility to transfer
the Infrastructure master role.
- Boot another domain controller in DS Restore
mode and use the NTDSUtil utility to seize the
Infrastructure master role.
- Boot another domain controller in DS Restore
mode and use the NTDSUtil utility to transfer
the PDC Emulator master role.
- Boot another domain controller in DS Restore
mode and use the NTDSUtil utility to seize the
PDC Emulator master role.
Question No. 3 Analysis
Here's an AD troubleshooting question. Let's break it
down into its essential components. One DC is dead,
but four others are functional. Password changes
are happening, but slowly. If AD is multi-master and
every DC can write to the AD database, why would this
be happening?
Think back to NT 4.0. Password changes could only be
processed by the PDC, because it held the only
read/write copy of the database. If all the desktop
computers in this Win2K domain were NT 4.0 computers,
none of them would be able to change their passwords
while the DC that appears to them as the PDC (the
emulator) was down. But the scenario states that
password changes are occurring, just slowly.
The PDC emulator operations master role does more
than masquerade as the PDC for legacy clients. It
also performs an important function for password
changes made by Win2K clients. Let's say DC1 is the
PDC emulator. If you're bound to DC2 and change your
password, DC2 replicates that one change to DC1
immediately, outside the normal replication schedule.
That way, if you are later bound to a DC that hasn't
yet received your password change through normal
replication (DC3, for example), you can still use
your new password: when DC3 fails to authenticate you
with the password it knows, it asks the PDC emulator
whether it holds a more recent one for your account.
With the PDC emulator dead, both halves of that
mechanism are gone, and a new password works on a
given DC only once scheduled replication delivers it,
which in a multi-site domain can take hours. That is
exactly the symptom in the question.
It also turns out that the very first DC installed
into a Win2K domain holds the PDC emulator role (and
the other operations master roles) until someone
moves them. Since this is the DC that went belly up,
we need to nominate another DC to take over the role.
The question now is whether we transfer or seize.
A transfer needs the current holder online to agree,
so with the original PDC emulator dead we can't
transfer peacefully; we must seize the role instead.
Answer D is correct. Two practical notes the exam
options gloss over: you don't actually need DS
Restore Mode to seize a role, NTDSUtil's roles menu
works with AD online; and once you have seized, clean
the dead DC's metadata out of the directory so it is
no longer advertised, and never bring it back online
with its old copy of the database. Of the five roles,
PDC emulator and infrastructure master can safely be
returned to a repaired original holder; schema, domain
naming and RID masters must not be, so be doubly sure
a box is really dead before seizing those.
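The seizure from Question 3, as an added PowerShell example using the ActiveDirectory module (Windows Server 2008 R2 or later) with the equivalent ntdsutil commands, which are what you would type on Win2K, shown in comments. This is not code from the article; DC1 is assumed to be the dead PDC emulator, DC2 the survivor taking the role, and the site and domain names are assumed.

```powershell
# Added example, not from the original article. Names below are assumed:
# DC1 = dead first DC holding PDC emulator, DC2 = surviving DC, site US,
# domain corp.example.com.
Import-Module ActiveDirectory

# 1. Confirm which DC holds the role; in the scenario this names the dead box.
$domain = Get-ADDomain
"PDC emulator is currently: $($domain.PDCEmulator)"

# 2. Seize. -Force is the seize; without it the cmdlet attempts a transfer,
#    which needs DC1 online and would fail here. ntdsutil behaves the same way:
#    "seize pdc" tries a transfer first and seizes only when that fails.
#    Win2K/ntdsutil equivalent (AD online, no DS Restore Mode needed):
#      ntdsutil roles connections "connect to server DC2" quit "seize pdc" quit quit
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
    -OperationMasterRole PDCEmulator -Force -Confirm:$false

# 3. Verify the role moved and see which DC holds what.
"PDC emulator is now: $((Get-ADDomain).PDCEmulator)"
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, OperationMasterRoles

# 4. Remove the dead DC's metadata so it is no longer advertised as a DC and
#    no longer a replication partner. Its computer account is removed with it.
#    ntdsutil equivalent:
#      ntdsutil "metadata cleanup" "remove selected server CN=DC1,CN=Servers,CN=US,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com" quit quit
$deadServer = 'CN=DC1,CN=Servers,CN=US,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com'
Remove-ADObject -Identity $deadServer -Recursive -Confirm:$false

# 5. Check that nothing still points at DC1 before calling it done.
repadmin /replsummary
```

After the seizure, a password changed against any surviving DC again replicates immediately to DC2 and failed authentications chain to it, so the hours-long lag in the question disappears without waiting for the next scheduled replication.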
Get Your Hands Dirty
A final word of caution—you must know
how all the AD components, both logical and physical,
interrelate to make AD work. You also need to
be very fluent in the various methods for troubleshooting
and repairing AD problems. You can learn what's
required for passing this exam by spending some
hands-on time with Win2K in an AD environment.
By this point in the exam-taking process, you
should already have a home or office Win2K lab
set up. Play with AD in a single domain environment
then branch out into a multiple domain environment.
Microsoft has many good learning tools and resources,
including the Win2K Resource Kit, which is especially
helpful for understanding the ins and outs of
AD. Regardless of your level of technical preparedness,
be ready to face some tough questions on this
exam.