Certified Mail: December 2001

Disputing death, deputies of morality, and what's up with the MCSD.

Duel to the Death Disputes

I read “Duel to the Death” in the October issue and had some problems with Alan Knowles’ article. Figure 2 shows a logical layout that doesn’t represent what he discussed. He mentions having root level and child domains, yet the ad.healthsys.org domain means that it’s a child under healthsys.org. The picture makes it appear as a root, as it’s raised in height; the lines meet at the top of domain, indicating they’re all of the same hierarchy. The words and the picture just don’t correlate. Knowles also mentions putting each region as its own domain for structuring “additional forest elements below the first level,” which means child domains. This information is incorrect; domain admins of child domains by default can’t add child domains under their domain. That’s a role for the enterprise admin. Yes, you can make every domain admin an enterprise admin, but that would be insane and defeat the purpose of the “security boundary” that defines the domain. This also prevents rogue admins from adding domains to the forest behind the IT director’s back.

Another suggestion he could have used was to take the BDC offline for rollback purposes. Because many companies don’t have “extra” BDCs to pull offline for a few months until everything works fine, I have an effective procedure. I take a spare hard drive and mirror the BDC, break the mirror, pull the drive out and put it on a shelf. It’s a lot more cost-effective; to roll back, you simply replace the drive.

In his “Lessons Learned” sidebar, the author mentioned an issue with getting DHCP to work after upgrading. DHCP servers don’t come up authorized when upgrading from NT 4.0. This is mentioned in the Microsoft Press book, Upgrading NT4.0 to 2000.
—Mark Mancini, MCSE+I, CCA, CCNA, Master CIW, CNE
Acworth, Georgia
[email protected]

It seems that some important points in the article were missed. I’m happy to cover these issues. First, I didn’t mention the terms “child domain” or “root level” in the article. The diagram represents exactly the discussion. The term “root domain” was used just as Microsoft and most others use the term for the first domain in the forest and the domain that contains the forest FSMO roles of Schema Master and Domain Naming Master. The diagram only has the ad.healthsys.org domain raised to illustrate that it’s the root domain and the “place holder” and “apolitical” center—both of which are mentioned clearly in the text body and in the text under the diagram. Many people are used to seeing the traditional hierarchical root-level/child-level diagrams, but in our case the more unusual “peer-level” structure made the most technical and political (which shouldn’t be underestimated) sense. This “peer” structure was boldly labeled on the diagram. These aren’t only domains, but each is a separate tree as indicated by the use of the lines connecting from the top (bottom for domains only) of each triangle in the diagram. (Some may now argue that these aren’t separate trees because they occupy a contiguous DNS namespace. But when each region installs the first DC, they choose “new tree in existing forest,” so these are actually separate trees with the same DNS namespace.)

Second, each region is responsible for a tree. I didn’t state anything about the regional administrators being domain admins, nor did I say anything about making all domain admins members of the enterprise admins group. However, our enterprise admins group membership is made up of at least one person from each region (usually the same person who handles the MS-DNS/WINS). This is part of the discussion that took two days, mentioned at the beginning of the article. I won’t debate Microsoft’s AD domain security model here. There are pros and cons to each design choice. Our choice was to join a single forest for technical reasons and with the knowledge of the possible cross-regional adverse effects. All regions will have some input on the forest-wide and schema decisions, and each has technical representation with a member of the enterprise admins group.

Third, the BDC taken offline that we used was an old, out-of-warranty, low-end server. The idea was to introduce a “clean” server as a BDC and then take it offline. All of our production BDCs also serve some other function, so the reader’s drive-swapping idea wouldn’t have worked as cleanly for us. After a couple of weeks, it became obvious that there’d be no turning back because so many users had been added and changes made. This is a very short-term insurance policy.

Last, I think the reader missed the point of the comment about the non-working DHCP server. This was perhaps not the best example, but the point has nothing to do with the DHCP server itself. We needed to anticipate some problems and use these as opportunities to find a solution, not just resort to the blackout plan. By the way, an upgraded DHCP won’t come up authorized, but it’ll still work until the DHCP Admin tool is used to connect to that server after the upgrade! At least this has been our experience; perhaps some manuals state something else, but I’m always interested in what others have found.
—Alan Knowles

No Time to be a Morality Cop
Regarding Dian Schaffhauser’s column, “The Yuck Factor,” in the October issue, I don’t think the government has any idea what a day in the life of a computer person is like. I’m so busy with so many other fires, I may look at the Web filter for maybe 10 minutes every other day. To sit and monitor employees doesn’t make sense. What are those people in South Carolina thinking? Who am I to be a morality policeman? What extra anything would I get for my services? There aren’t enough hours in the day for me to do everything everyone needs done immediately. When I became the Web security officer, I was upset about what I found on other employees’ computers. I tried to change that, but the management at this huge medical enterprise (with religious overtones) took the fight out of me. Now I just make sure the server doesn’t crash.
—Michael Rife, MCSE, CCNA

An MCSD Course
I’m currently studying for my MCSD and was wondering about a few things. First, how long will the certification be valid with the .NET versions coming out? Second, are there .NET (VB.NET, to be exact) certifications out there already (even beta tests)? Finally, is it worth studying for the present MCSD tests or should I just wait for the .NET tests to be released?
—Damone Autry
Las Vegas, Nevada
[email protected]

We don’t know yet what Microsoft plans regarding retirement of the current MCSD exams. As it hasn’t announced retirement dates for those tests, we can guess that it’ll keep them around for at least a couple of years (until the post-.NET exams come out). Regarding availability of .NET exams, there’s nothing out yet. We expect to start seeing those in the first quarter of 2002. When it comes to which tests to go after, it makes sense to test on what you’ve been working with. If it’s the current revision of Visual Basic, for instance, then tackle the current set of tests for VB. You’ll be able to mix and match exams between the current tests and the .NET editions of the tests. That means either generation of exams will work for you to achieve your MCSD.

Unqualified Interviewers
Greg Neilson’s article on interviewing in “Professionally Speaking,” in the September issue, hit the nail on the head. I recently had an interview. The person interviewing me wasn’t prepared to give me a technical interview. He asked me vague questions about ODBC errors, gave me scenario questions about a network problem that didn’t make sense, and so on.

While I was trying to answer his question, he interrupted me to change the question. I’ve been a certified engineer in this field for several years and it’s just crazy that the people you’re trying to impress aren’t prepared themselves.
—Earl Brown, MCP+I
Jersey City, New Jersey
[email protected]

Thanks for your comments. I’m glad you enjoyed the article. One of the tips I picked up on my interviewing course that I didn’t have room to mention was that if an interviewee spends a lot of space in their resume describing a project, then this is clearly something they’re very proud of and will be wanting to talk about in an interview. Even if it appears at first that this project may not be closely related to the position you’re hiring for, you might learn some things of interest about the interviewee by discussing that project.
—Greg Neilson

Control Your Installations

I have an issue with a statement made in Roberta Bragg's column, "Risky Business," in the September issue. In item three of the "Incoming Wounded" section, Roberta states, "IIS is installed by default." While this is true if you allow the installation routines to choose the services/features for you, what system administrator worth his or her salt allows this behavior? Windows in general and Windows 2000 (and XP) especially allow an incredible amount of control over the installation and configuration of Windows—not only after, but during installation. Yes, there are those that just let the setup make up their minds for them, but to them I say, "You get what you don't ask for."
—Jim Harrison, MCP(2K), A+, Network+, PCG
Redmond, Washington
[email protected]

I agree 100 percent. An admin should know to uncheck that box. However, apparently, a lot of them don't. (Consider Code Red.) Indeed, it's the "default configuration," just like the fax service, Notepad, WordPad, pinball games, and so on, all of which there really is no need for on a server. In fact, proper training and proper vetting of admins will reduce the risk of running any operating system.

OK, challenge time: How many of you out there strip Win2K or Windows NT every time you install it? I don't just mean unchecking IIS, but also removing extraneous services, utilities and games; disabling services that aren't needed but can't easily be removed (like Dfs on a server where it won't be used); removing unnecessary certificates from enterprise trusts; hardening with security templates, and so on? I'm assuming the readership here has a higher concentration of admins that do some of this, but I'm willing to bet a lot of you don't go very far down this road. Let me know what you do at installation!
—Roberta Bragg
[email protected]
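A worked version of the "strip it at install time" challenge above, added here as an example; it is not Roberta Bragg's script, the letter writer's, or anything from the column. It assumes a freshly built Windows 2000 member server and uses only tools that ship with Win2K: sc.exe to disable services that can't be removed (the Dfs case from the reply), sysocmgr.exe to remove optional components such as the games, and secedit.exe to apply one of the built-in security templates. The service names and sysoc.inf component IDs listed are assumptions for illustration; check them against `sc query` and %SystemRoot%\inf\sysoc.inf on your own build. The certificate-trust cleanup she mentions is done in the Certificates MMC snap-in and is not scripted here.

```batch
@echo off
rem harden-w2k.cmd -- added example, not code from the column or the letter.
rem Post-install strip-down for a Windows 2000 member server. Run as a local
rem administrator from cmd.exe; review every list below before running it.

rem --- 1. Did IIS sneak in anyway? ---------------------------------------
rem "sc query" on a service that does not exist prints FAILED 1060 and no
rem STATE line, so "find" is a portable existence check.
sc query W3SVC | find "STATE" >nul
if not errorlevel 1 (
    echo WARNING: World Wide Web Publishing Service ^(W3SVC^) is installed.
    echo          Remove it with Add/Remove Windows Components or the step below.
)

rem --- 2. Remove optional components that have no business on a server -----
rem Component IDs are ASSUMED here; confirm each against %SystemRoot%\inf\sysoc.inf.
set OCFILE=%TEMP%\strip-components.txt
> "%OCFILE%" echo [Components]
>>"%OCFILE%" echo Pinball=off
>>"%OCFILE%" echo Solitaire=off
>>"%OCFILE%" echo Freecell=off
>>"%OCFILE%" echo Minesweeper=off
>>"%OCFILE%" echo iis_www=off
>>"%OCFILE%" echo iis_ftp=off
sysocmgr /i:%SystemRoot%\inf\sysoc.inf /u:"%OCFILE%" /q

rem --- 3. Disable services that can't be removed but aren't needed ---------
rem Service list is an ASSUMPTION for a plain file server; Dfs is the one
rem named in the reply. Remote Registry is deliberately left alone because
rem remote admin tools and security scanners depend on it.
for %%s in (Dfs Messenger Alerter ClipSrv Fax TlntSvr) do (
    echo Disabling %%s
    net stop %%s /y >nul 2>&1
    sc config %%s start= disabled
)

rem --- 4. Apply a security template -----------------------------------------
rem hisecws.inf ships with Win2K in %SystemRoot%\security\templates and is
rem meant for workstations and member servers (hisecdc.inf is for DCs).
rem CAVEAT: the hisec* templates require SMB signing and NTLMv2, which cuts
rem off unpatched Windows 9x and NT 4.0 clients. Analyze first, then apply.
set TEMPLATE=%SystemRoot%\security\templates\hisecws.inf
set SDB=%SystemRoot%\security\database\harden.sdb
set LOGDIR=%SystemRoot%\security\logs
if not exist "%LOGDIR%" mkdir "%LOGDIR%"
secedit /analyze   /db "%SDB%" /cfg "%TEMPLATE%" /log "%LOGDIR%\harden-analyze.log"
secedit /configure /db "%SDB%" /cfg "%TEMPLATE%" /log "%LOGDIR%\harden-apply.log" /verbose

rem --- 5. Verify ------------------------------------------------------------
rem "sc qc" shows START_TYPE : 4 DISABLED for a disabled service.
for %%s in (Dfs Messenger Alerter ClipSrv Fax TlntSvr) do (
    sc qc %%s | find "DISABLED" >nul && echo OK: %%s disabled || echo CHECK: %%s
)
echo Review %LOGDIR%\harden-analyze.log for settings the template changed.
```

Read the analyze log before trusting the configure step: the template touches account policy, audit policy and registry ACLs, not just the settings you had in mind, and on a server that also hosts another role (the situation Alan Knowles describes with his BDCs) the wrong line in a template is what takes the role down.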

Frustration Down Under?
In Australia in January 2001 there were 10,000-plus MCSEs. In August 2001, there were only 236 Windows 2000 MCSEs! Do you think the Aussies are sending a message that Microsoft has mucked up the program?
—Ron Dale
[email protected]

About Those New Certifications
I think the decision to introduce a "middle" certification (between MCP and MCSE) is a mistake. Two were plenty, with an introductory one (MCP) and an advanced one (MCSE). This will only flood the market with various certifications, making it difficult to distinguish between them all, ultimately reducing the worth of the highest level.

This program is on the way down. They should never retire certifications, just give them new titles; in other words, you could be an NT 4.0 MCSE forever and become a Windows 2000 MCSE by taking some refresher tests. This would make for a better program and better participants. What Microsoft is going to be left with is very few true Win2K MCSEs, which will ultimately reduce the quantity of deployments of their software.
—Russel G. Hodge
Niceville, Florida
[email protected]

I don't know what these new in-between MCP and MCSE certs are called, but having one (not two) in between seems like a good idea, especially since the difference between the MCP and MCSE titles is so great. You could pass six exams and still be an MCP! Do you know what the new certs are going to be called, by chance?
—David Jackson
Tampa, Florida
[email protected]

For more details, read "MCSA Gets New Exam" in this month's News.

MCP Simply Won't Do
The reason I have an "all or nothing" approach to obtaining my Windows 2000 MCSE by the end of the year is twofold. First, MCSE is the certification mentioned in the want ads, not MCP. Second, the NT 4.0 MCP certs I obtained in 2000 weren't worth the effort of noting on my resume.

These hard-won certifications have increased neither the quantity of my interviews, nor the number of full-time permanent IT employment offers, which as of this date stands at zero. Based upon this performance by the IT industry and human resources professionals employed therein, I can't help but conclude that "just a couple of Win2K certs" won't be treated any differently.

Since I've invested one year and $6,000 in a year-long instructor-led NT/Win2K certification course, I'm forced to recoup this investment somehow. The only somehow I can see is by obtaining my MCSE certification and getting a high-paying job in the IT industry thereafter.
—Loel H. Larzelere, MCP
Grove City, Ohio
[email protected]

Twenty-five Tests and Counting
I've just passed my 25th Microsoft exam (70-227) and I was wondering where I stand in the certification stakes. Who has passed the largest number of exams, and how many have they passed?
—Paul Eddington
Perth, Western Australia
[email protected]
