Login    Password        Sign Up   Forgot Password
Tuesday, June 28, 2022


Site Search



 Core Papers
Elective Papers
Non-Retiring NT4
Upgrading NT4 to 




MCSD Cert.
Cisco Cert. 
The Work 
Areas of Work 
Career Prospects 


Govt. Exams

Exam 70-219 - Designing a Windows 2000 Directory Services Infrastructure

Analyzing Business Requirements

It is important to identify the business model in place for a number of reasons. Key among them is the fact that similar businesses often have similar needs and requirements. Knowing the geographic scope can help define the infrastructure employed by the IT department. The geographic models and scopes can be summarized as




When implementing technologies that are within companies restricted to regional boundaries, you can often pay less attention to such things as international translations than you would with different models.


Of a grander scale than regional, you can still often overlook many factors such as international regulations


Importance must be paid to translations, regulations, laws, and representatives from all countries should be involved in IT decision-making processes


When working with a subsidiary of a larger conglomerate, make certain that approval for the solution generated will be acceptable to the parent company

Branch office

You must go to lengths to verify that solutions implemented here work with technologies employed throughout the rest of the company

During the design phase, it is important to ask such questions as

  • Who is in charge of each department?

  • Who manages user accounts (are central polices used)?

  • Who manages resource accounts?

  • How is administration divided?

  • Who must sign-off on purchases and policies?


All processes employed by the company should be documented and diagrammed. Of key importance are company processes related to



Information flow

This typically follows the organization chart, but can differ with geographic breaks

Communication flow

It differs from information in that it often lacks formal structure and comes about as a result of communication with others (customers, vendors, etc.)

Service/Product lifecycles

Consider the lifespan of the product: this differs for each product. A computer book may be expected to last 12 months, while a weekly magazine has a lifespan on only 1/52nd of that.


This can follow the organizational chart, or be completely dispersed if the company practices empowerment.


It is important to analyze existing and planned organizational structures when deciding business requirements. These categories can break down into the following key areas

  • Management model - determine if you are dealing with a family-owned, privately held business, or a public company with a CEO and Board of Directors. In the latter, operation and ownership become separate, and can be driven by the need for profit and quick solutions versus long-term planning. Different risk models can be associated with different management models.

  • Company organization - some organizations are divided by products (transmissions in one division, four-wheel-drive axles in another, etc.), while other organizations divide operations and responsibilities purely on geographic terms.

  • Vendor/partner/customer relationships - know the contact points and whether web presence is offered on an Internet, intranet, and/or extranet basis.

  • Acquisition plans - is the company you are designing a solution for actively seeking acquisitions (meaning you must plan for future growth), or are they a likely acquisition target?


Factors that can influence company strategies are many. For the exam, you should know the following five

  1. Company priorities - never assume these are constant. They can change with management teams, market shifts, etc.

  2. Projected growth and growth strategy - how is expansion accomplished (acquisition, divestiture, franchises, and so on)

  3. Relevant laws and regulations - these are always subject to change, and must be watched carefully. Is the company in a high-profile position (such as house arrest) to be greatly affected by new legislation? Do they work with encryption, spamming, or other areas popular with lawmakers? Are there local laws, or international laws, that can affect the organization?

  4. Company's tolerance for risk - how does the company weigh risk against profit: vulnerability against value? Do they employ basic security devices on sites, such as firewalls, SSL (Secure Sockets Layer), and such? Do they employ physical security at the facility such as card readers, badges, and the like? Do they insist new employees receive training, or are they turned loose for on-the-job training in all instances?

  5. Total cots of operations - what is the value of the company's data; of the IT staff's budget; of having server access 24 hours a day versus 8, etc.? Microsoft uses seven categories to group budgeted costs: Hardware and software costs, Management costs, Development costs, Support costs, Communication costs, End-user costs, and Downtime costs.


The structure of IT management should weigh heavily in the analysis of business requirements. Factors that help understand the management structure are shown in the following table

IT Factors


Administration type

This can be centralized or decentralized. A classic example of the former would be a segment of government such as HUD or OSHA. All administrators are stationed in Washington, D.C., while branch offices exist throughout the United States. Whenever a branch office needs administration, such as installing new software, it is done remotely (often through SMS). With a decentralized model, an administrator(s) is stationed at each branch office to handle the needs at that office. Hybrid administration has most of the functions performed at a central location, but one or more key contact people are on site for handling lesser responsibilities.

Funding model

Funding can be crucial in implementing technologies. If the IT department is run as a profit center, then departments they administer are charged for services provided: this can be useful in acquiring new software and distributing the cost among many departments who can benefit from it. If the IT department is run as a cost center - a fixed cost that appears as a liability on the business sheets, then it can be more difficult to gain approval to spend additional dollars beyond those already allotted for a set time period.


Outsourcing is often used because certain needs must be met that cannot be done internally. These can include the need for IT professionals in a tight labor market, the need for occasional service at branch offices, international/temporary needs, and so on. While outsourcing is a good way to solve such issues, it can present problems down the road when you cannot find the group who implemented a solution because they have moved on, and the solution now has problems.

Decision-making process

Does the Chief Technology Officer need to approve all expenditures, or can they be signed-off on at a lower level. Does the CTO need to approve all solutions, or does he/she make certain that the solution one department generates is adopted by other departments? Is there autonomy within the divisions, or do they work together to contribute to decisions that affect all?

Change management

Is there a structure in place or not? When changes occur, what is the procedure followed? If there is no procedure, chaos can result. If there is too much of a procedure, no change will ever occur.

Analyzing Technical Requirements

When evaluating the company's technical environment, always factor in the existing as well as the planned environment, and differences between the two. Be sure to look at the following factors

Technical Factors


Company size

The geographic scope as well as the owner or organization responsible for the company

User and resource distribution

Where are the users - how are the serviced (DNS, WINS, DHCP, etc.)? How do they reach the resources (servers, printers, and such) they need (hubs, switches, routers, bridges, modems, proxy servers...)

Connectivity between sites

What bandwidth is employed? Are there leased lines, or dial-up connections (with or without multilink see KB# QB235610))? What are the topologies employed (Star versus Mesh)?

Performance requirements

Are users connecting only for authentication, or for the entire session (such as with Terminal Server). Find out the peak utilization, the type of circuits used, requirements of applications, and so on. During this analysis, it is important to identify any bottlenecks and create a baseline from which to judge future modifications.

Access patterns

Are all the resources centralized, or are they disbursed? When users need to access a resource, is it within their LAN 80% of the time, or only 20% (meaning they access the WAN 80% of the time)? Do users go through firewalls, and/or do they use encryption. If they do use encryption, is it for the password, the data or both? Authentication can be accomplished through the use of the following, which may be used in conjunction with one another (KB #Q227815)

  • CHAP - Challenge Handshake Authentication Protocol - one-step above PAP in that it does not use clear-text passwords

  • EAP- Extensible Authentication Protocol - the client and the server negotiate the protocol that will be used, in much the same way that networking protocols are determined. Possible choices include one-time passwords, username/password combinations, or access tokens.

  • MS-CHAP - Microsoft Challenge Handshake Authentication Protocol - requires the client to be using a Microsoft operating system (version 2), or a small handful of other compatible OSes (version 1)

  • PAP - Password Authentication Protocol - uses a plain-text password authentication method and should only be used if the clients you support cannot handle encryption

  • SPAP - Shiva Password Authentication Protocol - a shade above PAP, it is there for backward-compatibility and is not favored for new installations

Network roles and responsibilities

Roles can be defined as administrative, or associated with a user, a service or other. Administrative roles are those predefined by the operating system with additional responsibilities above a user. Examples include

  • Administrator

  • Backup operator

  • Server operator

User roles simply have the right to logon and use the network resources. Service roles run as services, without user interaction, in the operating system. Other roles include being an application, a group, or owner.

Security Considerations

What are the needs of the organization, and what operating systems does the organization support? Can everything standardize upon TCP/IP (which offers the ability to use numerous security features like IPSec and filters), or must NetBEUI (insecure) be used, along with NWLink (IPX/SPX-compatible transport - (KB# Q203051) and other protocols)? Is it possible to use Kerberos, RADIUS, and EFS (Encrypting File System)? Must all solutions work with third-party tools? The most effective means of implementing security with Windows 2000 clients is through the use of Group Policies.

Speeds employed on WANs differ by technologies. The most common technologies, and their associated speeds, are

  • Modems including analog, ISDN, DSL, and cable


Traditional modem – requires a single phone line for a connection and is limited in speed to around 57,600bps


Integrated Services Digital Network, requires two phone lines, and can reach a speed around 128,000bps


Digital Subscriber Line, uses existing phone lines (copper), and is available only in certain areas. You must be within a short distance of a switching station, and speeds can reach 9Mbps


Works with the coaxial from the cable TV company and speeds is reduced with the number of users, but is approximately 2Mbps

  • Leased lines


a T1 is a dedicated line that operates across 24 channels at 1.544Mbps. E1 is the European counterpart: it uses 32 channels and can run at 2.048Mbps


A T3 is a dedicated line of 672 channels (E3 is the European counterpart) able to run at speeds of 43Mbps

When deciding to implement Active Directory of an existing or planned network, it is important to detail the possible impact of so doing. The impact should be calculated in terms of

  • Existing systems and applications - for example, current DNS servers will need to support SRV records

  • Existing and planned upgrades and rollouts - identify those that are in the works and calculate any impact AD could have on them

  • Technical Support structure - know what is there now (internal versus external), and make certain they will understand any changes that will happened before they happen. Verify that there is a budget for any training that needs to be done and that all relevant decision-makers are in agreement on the need to support the existing support staff

  • Existing and planned network and systems management - this should be viewed in terms of the security policy, any and all network tools used for management, monitoring, and analysis

  • Client needs - not only their work needs, but also their support requirements.


Designing a Directory Service Architecture

Active Directory is a naming scheme that follows the path Forest, Tree(s), Domains (see Active Directory Architecture). A forest can consist of a single domain, or multiple domains (therefore, by definition, a single domain can also be a tree). A tree is a contiguous namespace, meaning the child has the parent as part of its name. Each tree has its own identity within the forest.


A domain is an administrative as well as security boundary since administrative privileges do not extend past domain boundaries. The simplest network is one with one domain. Reasons for creating additional domains would include

  • To isolate replication traffic

  • To retain existing NT domain structures

  • To support decentralized administration

  • To support international boundaries

  • To support more than one domain policy


Domains contain objects, or Organizational Units (OUs). An OU is a container for organizing objects within a domain into logical sub-groupings. Reasons for creating OUs include

Active Directory names are equivalent to DNS names and use the SRV records of DNS to store information about services and thus create "dynamic DNS". The first division of DNS is into domains. The InterNIC (Internet Network Information Center) controls top-level domains, which are summarized in the following table


Type of Organization


Commercial organizations


Educational institutions


Non-profit organizations


Networks (the backbone of the Internet)


Non-military government organizations


Military government organizations


Phone numbers


Reverse DNS


Two-letter country code, such a "ca" for Canada, "uk" for United Kingdom, etc.

To refer to a host in a domain, you use a fully qualified domain name (FQDN). The Relative Distinguished Name is the host name of the computer, while the User Principal Name consists of a user logon name and a domain name identifying the domain in which the user account is located.

Windows 2000 uses a multi-master replication model, and the primary unit of replication is the domain. When domain controllers need to replicate, they examine the values of their Update Sequence Number (USN) for each object, and only replicate the attributes whose objects contain differing USN’s. A site (comprised of one or more physical subnets) is a way to create replication boundaries within the Active Directory. Working at the physical layer, a site can consist of multiple domains, and domains can operate in multiple sites.

The purpose of the Knowledge Consistency Checker (KCC) is to generate a replication topology for both intra-site and inter-site replication. Within a site, replication traffic is done via Remote Procedure Calls over IP, while between sites it is done through either RPC or SMTP (see "How to Optimize Active Directory Replication in a Large Network", KB# Q244368)

Site link bridges are used to connect sites together and model the routing behavior of a network.

There is only one schema per Windows 2000 forest, and it is maintained forest-wide by virtue of being stored on every domain controller. Throughout the forest, though, there is only one write-able copy of the schema – held by the Schema Operations Master. Modifying the schema is an irreversible operation, thus schema modification is disabled by default on all domain controllers and only members of the Schema Admins group can make changes.

The schema container holds all the definitions required to view the objects in the directory, and each is identified by a globally unique number known as the Object Identifier (OID). You can view Schema contents using the Active Directory Schema MMC snap-in, or the ADSIedit MMC utility.


Designing Service Locations

There are five Operations Master roles

  1. *Domain Naming Master - allows additions and removals of domains in the forest

  2. Infrastructure Master - updates group-to-user references when changes occur

  3. PDC Emulator - used with older clients

  4. RID Master - Relative ID Master - issues IDs to domain controllers as needed

  5. *Schema Master - controls all updates to the schema

Operations Master placement (see KB# Q223346) is crucial to load balancing and fault tolerance. It is also important to convert domain controllers to native mode (non-Windows NT 4.0) enhance Active Directory Performance. The two roles identified by an asterisk are limited to only one controller within the forest, while the other three are per domain roles.

Global Catalog Servers (see KB# Q232517) should be placed in locations to reduce traffic and help with load balancing and fault tolerance, as well. The first Global Catalog Server is created automatically with the first domain controller within the forest. Active Directory Sites and Services - an MMC snap-in (see Step-by-Step Guide to Active Directory Sites and Services) - allows you to change the role of the GCS to another domain controller. In areas where bandwidth is at a premium, a GCS can be configured to only receive updates after hours. For speed reasons, a GCS should be created at each site.

Domain controllers should be created for fault tolerance and functionality, as needed. It is recommended that the infrastructure master be placed on a domain controller that is not the global catalog server to even the load and separate the burden of each role.

DNS servers can be running Windows 2000, or other operating systems, provided they accept SRV records. When you install Active Directory, you must identify a DNS server. If you cannot do so, the Active Directory Installation Wizard will prompt you to convert the existing machine into a DNS server as well.

Active Directory is created to be scalable and interoperate with other name services (see Active Directory Interoperblity and Metadirectory Overview).


Tools to Know

Active Directory Migration Tool (see Active Directory Migration Tool Overview)

Migrate from Windows NT 4.0 to Windows 2000 with Active Directory


view the Active Directory Schema


move objects within a forest

NTDSUTIL.EXE (see KB# Q255504)

perform many Active Directory administration tasks

REPAdmin (see KB# Q229896)

work with replication between partners

REPLMON (see KB# Q232072)

show the replication topology

Home | Abroad | Academics | Advice | Alumni Associations | Career Watch | Competitive Exams | Career Counseling | Distance Education | Forms | Organisations | Relax Zone | MBA | Engineering | Medical | Humanities | Sciences | Computers ICSE/ISC/CBSE | Scholarship | Loans
 Contact Us | Feedback | Advertise | Disclaimer | Privacy Policy
©2000-2001 All rights reserved "DD Web Vision Private Limited"

Site developed by