ExamInsight For MCP MCSE Certification: Microsoft Windows 2000 Directory Services Infrastructure Exam 70-219

ExamInsight For Designing a Microsoft Windows 2000 Directory Services Infrastructure Examination 70-219 CD-ROM practic...

Author: Jeffrey Shapiro

26 downloads 697 Views 5MB Size Report

This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Report copyright / DMCA form

DOWNLOAD PDF

ExamInsight For Designing a Microsoft Windows 2000 Directory Services Infrastructure Examination 70-219

CD-ROM practice exam provided by BeachFrontQuizzer, Inc., Friendswood, Texas

Author Jeffrey Shapiro Published by TotalRecall Publications, Inc. 1103 Middlecreek Friendswood, TX 77546 281-992-3131

NOTE: THIS IS BOOK IS GUARANTEED: See details at www.TotalRecallPress.com

TotalRecall Publications, Inc. This Book is Sponsored by BeachFront Quizzer, Inc. Copyright  2003 by TotalRecall Publications, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the United States Copyright Act of 1976, No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic or mechanical or by photocopying, recording, or otherwise without the prior permission of the publisher. If you are dissatisfied with the products or services provided, please contact Bruce Moran, BeachFront Quizzer, 1103 Middlecreek, Friendswood, TX 77546 (281-992-3131). The views expressed in this book are solely those of the author, and do not represent the views of any other party or parties. Printed in United States of America Printed and bound by Data Duplicators of Houston Texas Printed and bound by Lightning Source, Inc. in the USA and UK ISBN: 1-59095-606-0 UPC: 6-43977-01219-6 The sponsoring editor is Bruce Moran and the production supervisor is Corby R. Tate.

Worldwide eBook distribution by:

This publication is not sponsored by, endorsed by, or affiliated with Microsoft, Inc. The “Windows® 2000, MCSE™, MCSD™, MCSE+I™, MCT™” Microsoft logos are trademarks or registered trademarks of Microsoft, Inc. in the United States and certain other countries. All other trademarks are trademarks of their respective owners. Throughout this book, trademarked names are used. Rather than put a trademark symbol after every occurrence of a trademarked name, we used names in an editorial fashion only and to the benefit of the trademark owner. No intention of infringement on trademarks is intended.

Disclaimer Notice: Judgements as to the suitability of the information herein for purchaser’s purposes are necessarily the purchaser’s responsibility. BeachFront Quizzer, Inc. and BFQ Press extends no warranties, makes no representations, and assumes no responsibility as to the accuracy or suitability of such information for application to the purchaser’s intended purposes or for consequences of its use.

This book is dedicated to the memory of all those who died in the United Air, American Airlines, World Trade Center and Pentagon terrorist attacks on September 11, 2001.

Jeffrey R. Shapiro

ExamInsight™ For Designing a Microsoft® Windows® 2000 Directory Services Infrastructure Examination 70-219 BY Jeffrey R. Shapiro About the Author Jeffrey Shapiro is a well known IT expert and author. He has written several books, which include the widely acclaimed Computer Telephony Strategies, by Hungry Minds, the Windows 2000 Server Bible by Hungry Minds, Inc. and SQL Server 2000: The Complete Reference, by Osborne/McGraw-Hill. Besides writing, Jeffrey has been involved in IT/IS for nearly 15 years; having worked in architecture, MIS, network administration and most recently as a chief technology officer. He is a regular speaker at technology conferences, such as Software Development, Computer Telephony, and Comment. You can reach him by e-mail at [email protected].

About the Book Part of the InsideScoop to IT Certification Series, this new Self Help and Interactive Exam Study Aid with CD-ROM Practice testing material is now available for candidate’s preparing to sit the Microsoft 70-219 Designing a Microsoft Windows 2000 Directory Services Infrastructure Certification. The book covers the information associated with each of the exam topics in detail and includes information found in no other book.

The author has designed and implemented numerous Active Directory services to support both small and large Windows 2000 networks. You will learn how to analyze the enterprise IT infrastructure, its management infrastructure, key management entities; present, future and expected technology situations; current network administration, change control and change management situations, etc.

It will show you the steps to take to assess the impact of Active Directory on your enterprise and introduce you to Windows 2000 concepts, such as Forests and Trees. It will also provide direction on the collateral services that need to be provided to support the Active Directory infrastructure, such as domain controllers, catalog servers, Dynamic DNS servers, dynamic DHCP and so on.

The book also introduces the concept of Organization Units, working with Group Policy Objects and various powerful change-control mechanisms that allow you to map Active Directory infrastructure to management model, administration and control of an enterprises.

Accompanying the book is our exclusive BeachFront Quizzer, Inc. CD-ROM test engine that creates randomized simulated exams drawn from a database of 18 Case Studies with 219+ sample exam questions. Written to mimic the real exam, you also get complete answers and explanations plus a detailed scoring summery showing test results at the end of each practice exam.

A Quick overview of the book chapters: Chapter 1: Analyzing Business Requirements

1

Chapter 2: Analyzing Technical Requirements

57

Chapter 3: Designing a Directory Service Architecture 81 Chapter 4: Designing Service Locations

111

Appendix A:

133

Glossary

181

Index

279

Microsoft 70-219 Practice Exam Offer

294

Table of Contents VII

Table of Contents About the Author ....................................................................................... IV About the Book ........................................................................................... V Introduction...............................................................................................XII Certification Program.............................................................................. XIII Exam Requirements.......................................................................... XIII

Chapter 1: Analyzing Business Requirements

I II III

1

Getting Ready - Questions.............................................................. 1 Getting Ready - Answers................................................................ 2 Introduction.................................................................................................. 3 Technical Terms and Enterprise Analysis Concepts ................................... 4 Analyze Existing and Planned Business Models........................................ 5

Analyze Company Model and Geographical Scope..................................... 5 A Regional Model.................................................................................. 6 A National Model .................................................................................. 7 An International Model.......................................................................... 8 Business Models .......................................................................................... 9 A Subsidiary Model............................................................................... 9 The Branch Office Model .................................................................... 10 Analyze Company Processes ..................................................................... 11 The Information Flow Processes ......................................................... 12 The Communication Flow Processes................................................... 14 The Product and Service Life Cycles................................................... 16 The Decision-Making Processes.......................................................... 17 IV Analyze The Existing and Planned Organizational Structures ................. 21 Understand the Management Model .......................................................... 21 The Company Organization ....................................................................... 21 The Departmental Model ..................................................................... 21 The Project-based Model ..................................................................... 23 The Product/Service-Based Model ...................................................... 25 The Cost-Center Model ....................................................................... 27

VIII Table of Contents: 70-219 Certification

V

Analyzing Business Relationships ............................................................. 27 The Vendor Relationships....................................................................27 The Partner Relationships ....................................................................28 The Customer Relationships ................................................................29 Acquisition Plans........................................................................................ 30 Analyze Factors that Influence Company Strategies ................................ 31

Identify Company Priorities ....................................................................... 32 Identify The Projected Growth and Growth Strategy................................. 32 Identify Relevant Laws and Regulations.................................................... 33 Identify The Company's Tolerance For Risk.............................................. 33 Identify The Total Cost Of Operations....................................................... 34 VI Analyze the Structure of IT Management.................................................. 37 Type Of Administration ............................................................................. 37 The Centralized Management Model ......................................................... 37 The Decentralized Management Model ..................................................... 38 Funding Model ........................................................................................... 38 Outsourcing ................................................................................................ 39 Decision-making Process ........................................................................... 40 Change-management Process..................................................................... 40 VII Chapter 1: Summary .................................................................................. 41 VIII Chapter 1: Post Assessment....................................................................... 42 Case Study1: Rocky Mountain School of Music....................................... 42 Case 1: Questions ....................................................................................... 48

Chapter 2: Analyzing Technical Requirements

I II

57

Getting Ready - Questions ............................................................ 57 Getting Ready - Answers .............................................................. 58 Introduction ................................................................................................ 58 Evaluate the Company's Existing and Planned Technical Environment... 59 Analyze Company Size, User and Resource Distribution .......................... 60 Assess Geographic Location of Worksites and Remote Sites .................... 60 Assess Net Available Bandwidth ............................................................... 60 Analyze Performance Requirements .......................................................... 61 Analyze Data and System Access Patterns................................................. 61 Analyze Network Roles and Responsibilities ............................................ 62 Analyze Security Considerations ............................................................... 62

Table of Contents IX III Analyze the Active Directory .................................................................... 65 On Existing and Planned Technical Environments ............................................ 65 Assess Existing Systems and Applications ................................................ 65 Identify Existing and Planned Upgrades and Rollouts............................... 65 Analyze Technical Support Structure ........................................................ 66 Analyze Existing and Planned Network and Systems Management.......... 66 IV Business Requirements for Client Computer Desktop Management......... 69 Analyze End-User Work Needs ................................................................. 70 Identify Technical Support Needs For End-Users ..................................... 70 Establish The Required Client Computer Environment............................. 71 V Chapter 2: Summary.................................................................................. 72 VI Chapter 2: Post Assessment....................................................................... 73 Case 4: Joe’s Canoe Company................................................................... 73 Case 4: Questions....................................................................................... 75

Chapter 3: Designing a Directory Service Architecture 81

I II

Getting Ready - Questions............................................................ 81 Getting Ready - Answers.............................................................. 82 Introduction................................................................................................ 82 Design an Active Directory Forest and Domain Structure ........................ 83

III

Design A Forest and Schema Structure...................................................... 83 Design A Domain Structure ....................................................................... 85 Analyze and Optimize Trust Relationships................................................ 85 Design An Active Directory Naming Strategy .......................................... 86

Establish the scope of the Active Directory ............................................... 86 Design A Domain Structure ....................................................................... 86 Plan DNS Strategy ..................................................................................... 87 IV Design and Plan the Structure of Organizational Units (OU).................... 88

V

Reflection of the Enterprise ................................................................. 89 Develop An OU Delegation Plan............................................................... 90 Plan Group Policy Object Management..................................................... 90 Plan Policy Management For Client Computers........................................ 91 Plan for the Coexistence of Active Directory Services ............................. 93 Coexistence of Active Directory Services ................................................. 93

X Table of Contents: 70-219 Certification VI

Design an Active Directory site topology.................................................. 94

Design A Replication Strategy ................................................................... 94 Define Site Boundaries............................................................................... 95 VII Design A Schema Modification Policy...................................................... 97 VIII Design Active Directory Implementation Plans ........................................ 99 IX Chapter 3: Summary ................................................................................ 101 X Chapter 3: Post-Assessment..................................................................... 102 Case 8: ProX Auditing Group .................................................................. 102 Case 8: Questions ..................................................................................... 105

Chapter 4: Designing Service Locations

I II

111

Getting Ready - Questions .......................................................... 111 Getting Ready - Answers ............................................................ 112 Introduction .............................................................................................. 112 Design placement of operation masters ................................................... 113

Fault Tolerance......................................................................................... 115 Functionality ............................................................................................ 116 Manageability........................................................................................... 116 III Design the Placement of Global Catalog Servers .................................... 119 IV Design the placement of domain controllers............................................ 120 V Design the placement of DNS servers ..................................................... 123 Plan For Interoperability With The Existing DNS ................................... 123 VI Chapter 4: Summary ................................................................................ 125 VII Chapter 4: Post Assessment..................................................................... 126 Case 15: MyTeapots................................................................................. 126 Case 15 Questions .................................................................................... 128

Table of Contents XI

Appendix A:

133

Chapter 1: Post Assessment Answers .............................................................. 133 Case Study1: Rocky Mountain School of Music .................................... 133 Case 1: Questions: ............................................................................ 139 Chapter 2: Post Assessment Answers .............................................................. 150 Case 4: Joe’s Canoe Company................................................................. 150 Case 4: Questions .............................................................................. 152 Chapter 3: Post Assessment Answers .............................................................. 160 Case 8: ProX Auditing Group .................................................................. 160 Case 8: Questions .............................................................................. 163 Chapter 4: Post Assessment Answers .............................................................. 172 Case 15: MyTeapots................................................................................. 172 Case 15: Questions ............................................................................ 174

Glossary

181

Index

279

Money Back Book Guarantee

293

Microsoft 70-219 Practice Exam Offer

294

XII Introduction

Introduction The purpose of this study guide is to supply you the information required to pass the Windows 2000 70-219 Certification exam. The 70-219 exam is one of the Microsoft Windows 2000 elective exams to a series of certifications that can be acquired. Once you’ve passed this exam, you are considered to be an industry professional having expert knowledge of the Windows 2000 Directory Services Infrastructure product. Do not expect to pass if you are not properly prepared. You should also know to take the exam a second time, you can expect a completely different selection of questions. Microsoft uses a rather large pool from which to randomly select questions. To retain in memory as much of the knowledge in this book for testing purposes you should first read the Objectives to get familiar with the section, answer the Assessment questions to see what areas you are weak in, read each section thoroughly, and answer all of the Review questions correctly before going on to the next section. I also highly recommend you use a non-production Windows 2000 Workstation and Server network to follow along with each section of the book to physically see and perform the actions described. Then use the Beach Front Quizzer testing media to solidify what you have learned and to prepare you for testing and passing the exam.

Certification Program XIII

Certification Program Designing a Microsoft® Windows® 2000 Directory Services Infrastructure Exam 70-219, Designing a Microsoft® Windows® 2000 Directory Services Infrastructure, can be taken as an elective course towards the Microsoft Certified Systems Engineer certification (MCSE). In addition to this elective you are also required to take another elective and five “core” exams before you can be considered to have technically proficient expertise in solution design and implementation.

For more information and an exam listing: http://www.microsoft.com/traincert/mcp/mcp/default.asp 1. NOTE: The exact number of questions, the time allowed and the passing score are constantly changing. Check the Microsoft website for the current information. Exam Requirements There are no prerequisites to begin this area of study. This can, however, be considered a fairly difficult study if these concepts are totally new to you. You may need to supplement this reading with other resources. Although every effort is made to cover all the material you may encounter at exam time, this book does not get into extreme details in areas that most IT professionals should already know.

Analyzing Business Requirements 1

Chapter 1: Analyzing Business Requirements The objective of this chapter is to provide the reader with an understanding of the following: • How the various business models can accommodate Active Directory. • How existing and planned organizational structures facilitate Active Directory. • How various enterprise factors influence company the overall deployment strategy. •

How the existing and planned IT structures facilitate deployment.

•

The priorities to consider.

•

The factors influencing the potential for success and failure

Getting Ready - Questions 1) Name the geographic models of most enterprises? 2) What are the two key business models used by most large companies? 3) What determines that a company operates as a multinational? 4) What is the most popular business model in use today? 5) What would be the first thing you need to research before designing an Active Directory Infrastructure?

2 Chapter 1: 70-219 Certification

Getting Ready - Answers 1) 2) 3) 4) 5)

Regional, National and International Models. Subsidiary Model and Branch Office Models. It’s IT/IS infrastructure extends beyond national borders. Departmental How the enterprise is administered.


I

Introduction

Active Directory is one of the hottest technologies introduced by Microsoft for enterprise networking. It is a bold leap into the realization of the dream of a truly distributed IT/IS environment. Microsoft’s entire product line depends on Active Directory, either directly or indirectly, and no network driven by Windows 2000 can be properly installed and maintained without sufficient understanding of the directory service. The introduction of Active Directory into the enterprise is no simple matter. It requires you to become familiar with the practice of enterprise analysis, change management and administrative practices. This can be daunting for many network administrators who have not had any prior training or college courses in business administration. Business administrators find themselves at a similar disadvantage as network administrators because networking and computer science is not usually something with which they are familiar. Microsoft has thus introduced this first collection of exam objectives to level the playing field and provide network administrators with sufficient understanding of enterprise analysis and business administration to successfully complete and deploy Active Directory in any enterprise or organization. Part I of this guide “Analyze the Existing and Planned Business Models” is designed to test your knowledge in this area. This chapter ensures that you have the necessary background as a network administrator or IT manager to look at a business, and then investigate and determine from your research the technical solutions needed to implement Active Directory.


II Technical Terms and Enterprise Analysis Concepts There are a lot of different terms and acronyms that you will be learning in this book. It must be assumed that you have a certain amount of networking experience or you may find it necessary to supplement this material with some other books on the subject of networks in general. Before we go very far we will need to define some of the common network terms that we will be using often throughout our text. •

•

• •

• •

• •

•

• •

LAN - Local Area Network, defined as a group of computers located in contained geographical area such as an office building or campus that share services, resources and data. WAN - Wide Area Network, defined as a group of computers on LANs located in different geographical area and connected for the purpose of sharing services, resources and data. Usually these utilize remote connectivity methods such as Frame Relay, ATM, ISDN, or leased lines. Bridging - The connecting of two separate network segments so that packets may be transmitted between them. Switching - The connecting of multiple network segments so that packets may be transmitted between any two segments at a particular time. Usually implemented by the segmenting of a network rather than the joining of networks. Routing - Transmitting of packets across segments based on their Network layer address. Protocols - A set of standards or rules that control data transmission and other interactions between network devices, computers and operating systems. Protocols cover such things as framing, transparency, error control, and the line control. Network - A grouping of computers for the purpose of sharing resources. Centralized IT Management – A management philosophy in which IT staff work from a central location and make decisions and support the entire enterprise from this one headquarters. All funding is managed from a single location. Decentralized IT Management – A management philosophy in which IT staff work from a number of regional or local locations, which are responsible for local decisions and support. Local entities usually have their own IT budgets. Change Control/Management – An IT management procedure to manage and control technical changes. Return on Investment or ROI – The time it will take for new technology to pay itself off in reducing costs.


III Analyze Existing and Planned Business Models The practice of enterprise analyses is essentially enterprise “land surveying” and enterprise engineering combined to determine how best a company should be structured, managed, and directed for the good of its health and future. Enterprise analysts examine where a company is today, how it is run and structured and where it might be heading. Many business owners, CEOs and administrators, are often responsible for the downfall of their organizations because their businesses were not being properly administered. And many business failures occur because the CEO and the shareholders are misguided on exactly what their businesses are and how they should be managed. Enterprise analysis helps suggest changes at all levels of the enterprise. The actionable data provided to management by the practice of these individuals is what keeps the business alive.

Analyze Company Model and Geographical Scope Microsoft requires you to assess the business model and geographical scope of an Active Directory design project. These include the following: • • • • •

Regional National International Subsidiary Branch offices

To facilitate your efforts you need to have some models against which to evaluate your own analysis subjects. We talk in terms of the business models when referring to the interrelationship of entities within a business. And we refer to the geographical scope when determining the physical lay of the company, with respect to IT/IS systems and networks.


Let’s kick off with the geographic scope. There are three geographical models that you need to understand before you can begin creating an Active Directory deployment plan: The regional model, national model, and international model.

A Regional Model The regional model for your IT infrastructure is one in which the enterprise network is either contained within a single location, or, at the minimum, over several sites within a city or between closely related cities. A local area network that supports an entity in say Miami, and that connects over a WAN or VPN link to say Tampa, might be considered a network along the regional model of geographic scope, as illustrated in Figure 1-1.

Figure 1.1: A regional network.

Regional networks typically only run over a single vendor’s lines. In Figure 1-1 for example that vendor may be Bellsouth, or Sprint’s Managed Network Services (MNS). Once you leave the region, the traffic will likely transfer to AT&T or Qwest. Figure 1-1 demonstrates the network is local to the state of Florida, but in some cases the regional network may cater to the entire southeast, incorporating states like Georgia and South Carolina.


Another way to qualify a regional network is that it usually does not traverse any timezones. Granted, some countries are smaller that most US states, and thus what is regional to the US might be national to a country like Japan.

A National Model Building out Active Directory along national model lines means that your enterprise is a national company with data centers and branch offices in several states across the USA. If you are based in Europe, for example, your national model company might have offices in London, Paris, and Belfast. National model companies have complex IT/IS infrastructure and complex networking services. Their WANs are usually supported by the long distance network carriers like Sprint and AT&T who specialize in managed network services (MNS). National model networks might also be spread across several times zones in a very large country, like Canada. However, the above definition is open to debate because a national company in Israel might have a network spanning the length of the thin country in one time zone (and yet the entire country fits into south Florida). A national network in the USA, especially for a large company, will also comprise many different types of a carrying technology. Older companies might still have 64K lines into older locations and warehouses. They probably have dial up services to smaller locations. Expect a hodgepodge of different technology such as Frame Relay, Asynchronous Transfer Mode and so on. Some networks might end up in Ethernet hubs while others might end up in Token Ring hubs. Such scenarios can give you a headache managing different routers and switches and so on. In addition to the technology issues you need to prepare for, you also have social, economic and geographic structures in place that differ from region to region. These include divergent economic conditions, climate, terrain, laws and regulations, security issues and so on.


An International Model The International model company extends its IT/IS infrastructure beyond the borders of a single country. This is where IT/IS can become frustratingly complex. Networks typically traverse time zones; areas with different laws, languages and customs, areas with better or poorer telecommunications services, and so on. Puerto Rico can be considered a national company if it swings a WAN between San Juan and an office in Miami. On the other side of the USA a company with offices on the socalled “continental” USA and Hawaii and Guam could be considered national enterprises with international model complexities as illustrated in Figure 1-2:

Figure 1.2: A complex international network. There are two rules of thumb that you can use to decide if you are to build out your Active Directory Services according to international or national models:

1. The laws and regulations in the locations are different and different governments run the territories. 2. Your telecom providers will be un-related in each international territory.


Costs can be devastating when deploying across national boundaries. Telecom costs in Europe or Africa for example, are horrendous in comparison to similar costs in the USA. In many cases you might be working with an office in a country that has no other reason to be in that nation other than the fact that it was much cheaper to setup a network infrastructure in that country, and telecom costs provided substantial savings. Ireland is a good example where cost is the main reason companies have set up there. Not only do you save huge amounts on maintaining an international telecommunications infrastructure, but the government provides a significant tax break and other funding incentives to bring you there.

Business Models Understanding the physical infrastructure is just one side of the equation. No matter whether your company is a regional mom and pop with under 12 people or a multinational employing 60,000 Active Directory deployment cannot be undertaken without first analyzing the business administration processes in place for the enterprise. For any size enterprise you need to understand the following elements of a business: • •

The number of departments and the interrelationships between them. Use of IT infrastructure (such as need for reports, database access, printing resources, email and so on).

The exam will focus on two business models you need to know about: The subsidiary model and the branch office model.

A Subsidiary Model The subsidiary model caters to subsidiary offices of the enterprise. These offices are essentially sites that belong to the owner enterprise but that are not directly controlled by it. The more subsidiaries owed by the parent organization, the more complex and thus daunting the roll out of the AD infrastructure.


For the purpose of your plan you should also include partner companies, close affiliates, franchises, and other business divisions as subsidiary offices (or locations). The subsidiary model can be extremely hard to manage when you have many different IT and IS departments that were once independent and which have recently been acquired. A large national company I worked for from 1988 to 2000 acquired hundreds of subsidiary companies over a period of several years. At one stage we were expected to integrate so many domains that loading the Domain Manager in Windows NT was dreadfully slow. Integrating more than 100 NT domains with the NetWare, UNIX and AS/400 systems in this large company spread over hundreds of subsidiaries was so complex it took years to settle down. Often wars between the different network administrators would break out. There would be constant bickering about “who was trusting who.” I thought that it would be impossible to every get Active Directory to be a pervasive technology in the entire company, let alone just HQ. Eventually the company collapsed under the weight of its own IT mess and filed for bankruptcy.

The Branch Office Model Branch offices are also remotely disbursed sites; however the IT/IS infrastructure is usually easier to work with because branch offices are defined as wholly owned facilities of their parent companies. A CIO or CTO and central IT or MIS department usually presides over the branch offices. For the most part the network and IT facilities for branch offices are created by a central or single IT authority and as such most branch offices run similar or the same technology as their parents. This makes for much smoother AD infrastructure planning and rollout.


Branch offices are usually much simpler than corporate HQs, regional offices and subsidiary offices. Corporate offices usually have the following characteristics: •

• • •

There is usually an established IT facility on site, catering to at least one or several services. (Some small branch offices might have WAN facilities but no servers or any “backoffice” equipment and software. The server room or data center in the corporate office in the central IT facility, or hub, for the entire company. The corporate office caters to the storage of the enterprise data and email data. The corporate offices are permanent facilities. Branch offices tend to open and close a lot more often.

A good example of a company managed under the Branch Office model is your typical insurance company. Many such companies have a small branch office in every town or city. Travel agencies are another example. Both travel agents and insurance agents depend heavily on wide area networks. They tap directly into the data carriers for the insurance and travel industries respectfully. And they all depend heavily on the Internet and email.

Analyze Company Processes In order to be effective in the design of the Active Directory infrastructure Microsoft requires you to understand the complexity of the business’ information systems and enterprise information network. Five key business processes will have a fundamental and wide-ranging influence on the AD design. They are listed as follows: • • • • •

Information Flow Communication Flow Services Products and service life cycles Decision-making


To achieve a good, stable, AD design you need to have more than a cursory understanding of these issues. You will need to interview key personnel and talk to departments and other groups of employees.

The Information Flow Processes The analysis of information flow is the study of how data is processed in your company and how it moves through the enterprise information network. Most companies process similar data. The following list is an example of the key information and data sources you need to consider: • • • • • •

Financial and Accounting Data Sales Data Customer Relationship Data Marketing Data Inventory Files servers, the folders and their contents

In addition you also need to consider other sources or repositories of information. The following lists several of the most important information repositories: • Email • Telecommunications Data • Web site content • Information flow also pertains to the network processes and objects that move across the enterprise. It’s important to consider whose using what software, why they use or need it and how they get access to it. I believe strongly in the listing of key management entities (KMEs) and then putting them down into matrixes.


The Information flow matrix would then look something like Table 1-1.

Users Martial Monitor

Bruce Lee Arts

X

Charm System

X

Princess Diana

X

Frank Sinatra

X

Musical Instruments Charity Cases

Elvis Presley

Jack Lemon

X X

X

Comedy Clubs

X

Table 1-1. An Example Information flow matrix. Keep in mind the research you are doing and the suggestions you will make are aimed at reducing network traffic and bottlenecks around specific applications and data sources. During you investigations, for example, you might find that a number of employees are using Microsoft Access or some outdated databases and that small groups of people are sucking up bandwidth by pulling across huge binaries that hold this data from these databases (old Access MDB files are a good example). Even the older version of SQL Server and other server databases are much more resource intensive than SQL Server 2000 and products that now only transfer text up and down the network, which gets processed as XML.


Many old client applications that cater only to data entry or to pull reports can now be consolidated on Web sites. This allows data to be centralized, secure, and reduces network traffic and security risks by an order of magnitude. At one client we found one worker had managed to grow several Access databases on the servers to hundreds for megabytes each. So we proposed and got the go ahead to copy all the data to one SQL Server instance. During the migration of the data the company had a problem with the employee in charge of these databases. After she was let go she decided to trash the databases and encrypt them somehow. Fortunately we had moved the data the night before and her attempt at sabotage failed.

The Communication Flow Processes Once you have identified the information flow process your next job is to discover how that information is used. That’s what communication flow is all about. Before you move forward be sure you understand the difference between information flow and communication flow. Information flow is the combination of all processors that allows access to data. Communication flow is the combination of all processors that ensures the free flow of information throughout the enterprise. Naturally communication flow ensures that communications that everyone needs access to remains unfettered and that confidential communications remain confidential. The analysis of communication flow processes is achieved in the same fashion as the analyses of information flow processes. You need to ask people how they use the data they have access to; and how it helps them do their jobs and be more inventive and productive. This is critical because if people cannot share ideas easily; that is, they cannot email each other easily, have cyber-meetings, access the company website, and so on, then the enterprise suffers.


The best place to start is also with the KME matrix for communication flow processors. This matrix will take on a form similar to the one shown in the following Table.

Data Sources

Owner

Users

Marketing

Marketing

Marketing, Management

Customers

Sales

Sales, Marketing

Pricing

Accounting

Accounting, Sales

Finance

Finance Dept

Finance Dept

Software

IS

All

Hardware

IT

All

Vendors

Purchasing

Purchasing, Production

Sales,

Table 1-2. KME matrix. Maintaining outdated services and software can seriously impact communication flow. I know that Microsoft loves to hear how research finds that the current versions of Exchange so outdated, outmoded and out of hard disk space that the company has decided to buy into Exchange 2000, and get a whopping server to support it. This means the OS needs to be updated as well, and lots of money needs to be spent on client access licenses. Fact is, as companies grow if their communication technology is not enhanced or upgraded along with the growth of the company the communication services begin to break down. Repair can be extremely costly. At one company I recommended upgrading to Exchange 2000 for 65 employees that also meant an upgrade to Windows 2000. Total cost: about $10,000 with RAID 5, big processor, 1GB RAM and 25 CALS. The company balked at the idea but when presented with the cost of losing the old five-year server they changed their minds.


The Product and Service Life Cycles Service and product life cycles ultimately determine the health of the company. The product life-cycle is how long the company’s products remain income earners in the market place. A good example is that certain software company called Microsoft. Its operating system and application products have life cycles between two and five years. Often the company might think its products have a life cycle of X time but the public has other ideas. Microsoft launches a new version of SQL Server every two years but many enterprises are still on SQL Server 6.5; have missed version 7.0; and might also skip SQL Server 2000, deciding finally to buy what is probably going to be called SQL Server .NET, which is due in 2002. Services also have life cycles. While the difference between products and services is not well defined you could consider services as products that the customer buys but does not actually take possession of. The offering of Internet service by an ISP is a good example of a service that has a fixed life cycle. Very soon ISDN will become an obsolete service while DSL threatens most T1 installations. How is Active Directory design and installation affected by these life cycles? Well you need to consider that every product or service will have IT/IS resources assigned to it. The creation of a book is a good example. The publisher assigns production staff to a book; folders are created to hold the first chapter drafts and so on. Staff members communicate with each other about the book; designers and artists need access to software, printers and production resources and so on. This translates into a constantly changing active directory infrastructure. Every product will result in the creation of new active directory objects and so on.


The bigger the company and the more products and services the bigger Active Directory will be and the more fluid it will be. Such companies might need active directory staff attending to the service every day. IT/IS infrastructure is also subject to product and service life cycles. Software upgrades eventually have to be made and new servers have to be acquired. The rule is that a company should replace or upgrade its IT/IS systems every three to five years. Another company I consulted for kept their current systems going for almost six years. The email server was so full that employees forced the network administrator to allow them to download their email attachments to their hard disks. One day the old server crashed and the entire communications infrastructure was shut down for two weeks, as we rushed into replace the old server with the service we had proposed six months ago.

The Decision-Making Processes Analyzing the decision making process is something that you need to do very early in the whole process. Let’s imagine that you have done all your enterprise analyses and you have remarkably turned in an Active Directory deployment plan that deserves a Pulitzer. But now you need to get the plan approved so that you can request the necessary budget to buy all those hardware and software toys with which to set up your new directory service. If you have not done due-diligence on the decision making process you are going to find your project severely hamstrung. If the acquisition of hardware and software is not entirely possible from the get go, you might need to return to the drawing board and revise the project.


As an outside consultant I would analyze the decision making process at the very beginning. Then determine as part of your design plan who needs to sign off on the various stages and so on. You need to keep yourself covered and ensure that you have secured your billing and the support of the decision-makers before you get too involved. Otherwise you might find yourself with a killer-design that the CTO has decided to kill. Remember AD deployment remains one of the most daunting efforts any company might undertake. Many companies have been known to get involved in the entire AD design process only to suddenly put of the deployment of AD for another year. Remember Windows 2000 was expected to replace Windows NT by mid 2001. It reality, by the end of 2001, it had hardly dented the Windows NT installed base.


Pop Quiz 1.1 (Questions)

1. What is the information flow process? 2. What is the first thing you do in the study of communication flow? 3. What is the most common form of management model? 4. What are cost centers? 5. What is the quickest way to understand the scope of a company and its management model?


Pop Quiz 1.1 (Answers)

1. The flow of through the enterprise information network. 2. Ask people how they use the data they have access to. 3. Departmental. 4. Teams or departments that function as independent financial entities. 5. Study its organization chart.

Notes:


IV Analyze The Existing and Planned Organizational Structures The organizational structures of a company are the processes put in place by management based on each enterprise’s business administration philosophy. Companies are divided up into departments or organizational units (OUs) along business and management process lines. You need to be able to analyze the enterprises along these structures because you will be implementing them in Active Directory. These OUs also include external groups, such as partners, divisions, and customers.

Understand the Management Model The management model is defined as one of the following: • • • •

Departmental Project based Product/Service based Cost center based

I like to refer to the above models as key management models (KMM) and the entities within them as key management entities (KME). Most companies and even non-profit organizations are run along the same KME lines, such as shipping, receiving, accounts payable, marketing, IT and so on. What differs from company to company is how the KMEs interoperate or interrelate.

The Company Organization The best place to start analyzing a company is its organizational chart. You should not find it surprising that many companies and organizations do not have an organizational chart. You will then need to sit down with an executive, do some research and create one as part of your Active Directory design project (as illustrated in Figure 1-3). You should investigate the company’s business plan, how it refers to or names departments (check the internal telephone and extension directory) and so on.

The Departmental Model The departmental model is the most simple to understand and research. You can easily structure the organizational chart, and thus OU structure, along the lines of the department model. The company will comprise various departments, like a department store (such as Sears), each department is further “honeycombed” into its KMEs. You are


likely to be familiar with the department model and creating the organization chart along department lines is not a complex undertaking.

Figure 1.3: The departmental model While the departmental model for a city is an interesting example, most business administrators understand how companies are managed along departmental lines. The following list of departments is typical of many companies: Accounting: Most companies have a single accounting department. However, many larger companies split their departments along lines of responsibility. Accounts payable, accounts receivable, purchasing, costing are typical accounting departments. Often accounting is placed under the main finance department.


Marketing: Marketing is responsible for promoting the products or services of a company, brand identification, advertising budgets and the like. Sales: Considered the most important department, Sales ensures people who respond to marketing are able to buy the company’s products and services. Without sales, there is no income and the company will close down. Production: This department is responsible, along with other departments such as Manufacturing, Research and Development and so on, for designing, creating and distributing the products or services being sold. Smaller departments may be assigned specific roles such as Fulfillment and Transportation and so on.

The Project-based Model The project-based model is a major departure from the department model and can be one of the most daunting to design (see Figure 1-4). Companies that follow this management philosophy are divided up into teams and along project lines. Each project gets its own resources, such as IT staff, accounting, project management and so on. You might think it wasteful to manage a company in this fashion but the model has proven itself over the years to be superior against many project-based companies.


Figure 1.4: The project based model The model is extremely dynamic and many individuals find it more challenging to work on new projects or in new teams than doing the same thing at the same desk year in and year out. However, the fluidity of the model makes it tough to design an Active Directory infrastructure for it. When the projects are completed the teams disband and the members are assigned to new projects.


Nevertheless, should you need to build out an Active Directory infrastructure for a project-based organization you can start with the entities project-based matrix or table that connects or cross-references projects with the people responsible for them. Such a matrix can be adopted from the organization chart, like the one illustrated in Figure 1-4.

The Product/Service-Based Model This model is similar to the Project-based model in terms of being a departure from the common departmental model (see Figure 1-5). Instead of being driven along project lines the business is managed along product and service lines. The product/service (like projects) are given their own management teams which are responsible for their products or services and they are mostly divorced from other product lines and services in the company. Service/product based companies are usually (like the project-based model) large. Think of a large food distribution company that has teams devoted to fast food, hotels, and restaurant chains, food stores and so on. Figure 1-5 illustrates that the business of Canadian Express is providing payments processing services. Larger companies might provide collection services, leasing, financing, trust management and so on.


Figure 1.5: The product/service-based model


The Cost-Center Model The cost-center model can be thought of as the hybrid or combination of the above three models. The only item that sets it apart from the rest, as a separate model is that each project, department or team functions as an independent financial entity with its own economic right. The units in this model usually charge each other for services, which is how the money in the company is distributed. When designing an Active Directory infrastructure you might have to consider how resources within the company are tracked and used. When designing and Active Directory infrastructure for this model you’ll need to consider how to provide facilities for tracking and reporting services that monitor what each department consumes. This may be possible using the standard Active Directory object model, but more than likely you’ll need to integrate AD with SQL Server, Oracle or some other Customer Relationship Management (CRM).

Analyzing Business Relationships Before the advent of the Internet and Active Directory designing a domain structure required little cognizance of the business relationships between the enterprise and its customers and vendors. That has all changed now and you need to not only be aware of these relationships, but also cater to them in your Active Directory design considerations.

The Vendor Relationships The Information Age and the Internet have made it possible to engage in vendor relationships that are a lot more IT interoperative than the catalog-wielding salesperson that would drop by every Thursday at 11 am.


I used to be the network administrator for one of the world’s largest food distributors and most of the business transacted between vendors and the company was fully automated. Our company’s IT department was tasked with the job of “hooking” up with our vendor’s systems. Vendors often required us to provide the necessary support for connecting our networks with theirs, access to each other databases, Websites and so on. Depending on where your company or your client sits in the demand-supply chain you may be in a position of strength to demand that vendors process orders or their shipping needs with your intranet. Or that they also integrate with your particular systems or invest in products that are interoperable or compatible with your systems. Some companies are making significant headway formulating Windows 2000 trust relationships between various companies setting up intraforest domains. If vendors are using Active Directory it is relatively easily provide access to each company’s Active Directory trees. Depending on the sensitivity of the products and services, or the nature of the integration you may need to set up certificate services, so that folders can be accessed through secure share points, Exchange resources, such as shared folders, and SQL Server databases. The more vendors know about and have access to your needs the better they will be able to serve you. Configure Active Directory to meet those needs.

The Partner Relationships Companies need to partner with other companies so that the combination of the resources from both companies presents a stronger resource to capture certain business or opportunity. The partner relationship is also often referred to as the alliance relationship.


A certain Internet access provider might find useful to partner with a long distance carrier, which would give it access to a large installed base of long distance users. Conversely the long distance carrier gets to offer its client base an installed and experienced Internet service provider that already has established a nationwide point-ofpresence network. Again, you will need to investigate how best Windows 2000 and Active Directory make it possible to securely connect your clients systems to its partners. Concentrate on sharing resources. In some situations partners will even require access to printer services and will send reports on your systems to printers on their premises . . . from one side of a country to another.

The Customer Relationships The customer relationship is the most important. Maintaining your customer relationship is regarded by many as the most important function a company can perform. Several years ago a friend of mine sold his small software company for more than $40 million. I was astounded that the buyer thought so highly of the software and wondered why it was not an option for them to spend a $1 Million developing a competitive product. It was not the product that was so valuable but the company customer databases that had been expertly maintained over a decade of being in business. Few of the million or so customers in the database were inactive or unknown entities and at anytime a query was pulled on the data it returned lists of satisfied customers that were open to considering practically any new product from the company. Today many new software products exist in the customer relationship management niche (CRM), but CRM depends on Active Directory in terms the level and depth of customer contact that takes place before, during and especially after the sale between customer and company has been consummated. Take a company that is increasing its exposure to the customer base over the Internet.


This will require reviewing changes in security infrastructure, granting users access to Web-based services and information, online ordering, service and repair issues and so on. Any online or e-commerce application an enterprise engages in is going to require specific Active Directory support. Customer relationship technology should provide a “360-degree view of the customer.” This means that all forms and manner of technology are used to service the customer. These include computer telephony, the World Wide Web, email, voice mail, blended media streams and so on. There are many help desk software packages on the market today. Many of them will use the back end server facilities like Exchange, Internet Information Server and SQL Server to provide access to data.

Acquisition Plans It is well known throughout the IT industry that nothing can sink a company faster than two or more IT departments that come together through merger or acquisition and find cannot get along, cannot interoperate or integrate their systems. When designing an Active Directory infrastructure you need to be cognizant of existing and future acquisition or merger plans and designs accordingly. Depending on the company plans and the nature of the merger you might be able to join another forest and connect both companies forest to forest. Or you might have to create a new root domain and attach both companies to the single root domain. You might have to simply accommodate the new members coming over from the acquired company and add them to a new or existing Active Directory domain structure


V Analyze Factors that Influence Company Strategies This is one of the most important considerations before you do any work on your Active Directory design project. You might think that because the CIO or IT manager called you that the company is ready to roll over and give you the go to start designing. But companies have many different priorities and you need to understand how each one of these priorities will affect your project. Companies have technology adoption plans, new business plans, new hiring plans, they might be moving to new offices, have budgetary constraints and so on. Even what seems to be the most trivial political issue can upset the project. Some time ago I embarked on a project to install voice mail in a company but it never had the blessing of the CEO. With his continuing hatred of voice mail no-one ever took the time to use the system properly the IT manager eventually cancelled the project. In another case one of the world’s largest insurance companies delayed buying into email for nearly a decade after it was already a mainstream communications medium. Why? The people that ran the company found it a waste of time because they could not get the idea of human assistants taking notes and typing up memos to hand out. There are many other issues you need to consider before the design project moves into high gear, or gets the budget. Microsoft requires you to identify the following factors that might influence the successful design and deployment: • • • • •

Identify the company’s priorities. Identify the projected growth and growth strategy. Identify relevant laws and regulations. Identify the company's tolerance for risk. Identify the total cost of operations.


Identify Company Priorities Sales people have probably heard the following line a few thousand times: “Make sure you are dealing with the people who are authorized to make decisions.” Often we IT people forget that unless we are dealing with people in the know we run the risk of failure at every step. More important than any of the above factors we have already covered is the research you must undertake to discover the company priorities. Microsoft places a lot of importance on this issues and test for your cognizance of it. It should be something you do from the beginning. While companies may be managed and administered along similar lines no two companies are the same. If you are consulting for a small company, make sure you understand the priorities of the owners and their management teams. If you are dealing with a large company get to know what issues are being dealt with by the company and if you find information that will impact your project pursue the people in the know for due diligence on the issues and so on. Astute research will let you make important decisions very early, sometime even before engage the enterprise. There would be no point in expecting Sun, for example, of adopting any new Microsoft technology in the very near future.

Identify The Projected Growth and Growth Strategy It is critical to identify and understand where a company has come from and where it might be going. If the company is public follow the performance of the stock on the NASDAQ or other appropriate trading post. If the stock is performing well you will be at less risk to start pursuing your Active Directory design project. From the reports of analysts and other financial managers you’ll be able to gauge projected growth, and speed of growth, and accommodate the growth into the project. If the company stock has plummeted 500% in five days, it’s unlikely you will get the approval for Active Directory in the morning. Or you’ll at least know that the deployment will probably not be as aggressive as you had wanted or feared.


Identify Relevant Laws and Regulations Knowing the laws and regulations that affect how a company does business is another important area. In South Africa for examples there are so many laws governing what you can and cannot connect to or install on your computer that at any given time you make be doing something illegal. While not as dictatorial as it was under the years of apartheid when installing a modem could put you in jail, you still cannot simply import any old device or software into South Africa expect to install it without regard for some regulation. Other countries and territories can be even more problematic. You may, for example, not be able to replicate Active Directories sites with strong IP encryption traffic. And you may have to install a DC server on a shop floor only to find that computers are forbidden in the environment.

Identify The Company's Tolerance For Risk Companies and organizations are reflections of the people that run them and their shareholders . . . mostly they are what their CEOs are. Some time back I sold technology to a company that looked at anything that could increase the productivity in the enterprise and empower its employees, no matter where it came from. The company even bought software that would only run on IBM OS/2, even though buying IBM was against everything the company stood for. My customer went onto become the leading technology supplier in the world. Its name is Microsoft. The company’s tolerance for risk does not mean you can go in thinking that you can simply upgrade from Windows NT or Netware and if it goes all wrong that it will not affect operations. Installing active directory for many enterprises and their IT managers is associated with skydiving. If at first you don’t succeed go and do something else.


Identify The Total Cost Of Operations Microsoft requires you to have a little business sense when planning an Active Directory proposal or developing a project plan. Estimating costs takes a little practice and some common sense. There is not point proposing a project that is so large the company the company has to lay off half its work force to pay for it. It might come as a surprise to you but there are also many, many companies that are getting along just fine without Active Directory. On the other hand if the company finds that moving to Exchange 2000 will empower certain management entities to such an extent that it would pay for itself in say six months then you will have an Active Directory design in your future to support the Exchange 2000 project. Does this mean that you should put all the NT servers on E-Bay? No, assess what needs be done to achieve the important objectives and show how the AD project justifies the costs. I have a philosophy I developed selling technology to many companies, including giants like Microsoft, KLM, and several governments: You cannot make the million dollar deal until you first make the hundred dollar deal (most of the time). If all that can be justified now is to install Active Directory to support a small department or a specialized subsidiary then that’s the job to pursue. Later you can go after the rest of the company. A number of years ago I sold a small voice mail system to a tiny family owned Inn on a lake. A few months later the now acquired Inn’s manager called me up to say his new boss was impressed with the system and wanted a quote for the rest of Marriot’s properties.



1. What do we mean by low risk tolerance to AD integration? 2. What is the number 1 requirement for identifying company priorities? 3. What do we mean by the phrase “IT is centralized.” 4. What does the acronym ROI stand for? 5. What does ROI mean?



1. A company whose operations may adversely suffer from potential down-time. 2. Talk to the decision makers in the enterprise? 3. A single IT/IS division is responsible for the company and all its branches and subsidiaries. 4. Return on Investment. 5. ROI is paying for the cost of a technology with the money saved by using it.

Notes:


VI

Analyze the Structure of IT Management

In early 1999 I was assigned the task of upgrading about 40 data centers from Netware to Windows NT. The data centers belonged to a subsidiary of a multinational and I was told that I had to present the plan to the VP of IT for the entire company. When I asked whom this person might be I was told that he was the CEO of another IT consulting company. This company was in no way related to the multinational I worked for. But their CEO was appointed the VP of IT for a reason I still can’t figure out. Nowadays any IT project, not just Active Directory, has me wondering how the IT department is managed, who’s the CIO or CTO, how many IT support people they have and how much do they think they know. When it comes to IT projects, no matter you are an employee or an independent contractor or consultant take heed of those famous Forest Gump words “you never know what ya gonna get.”

Type Of Administration Microsoft requires you to be able to properly analyze the structure of the IT management of the organization or enterprise. There are some formal definitions that help us label the type of IT management philosophy in place or the structure of IT supporting the enterprise. They are listed as follows: • • • • • •

The centralized management model. The decentralized management model. The funding model. Outsourcing. Decision-making process. Change-management process

The Centralized Management Model The IT/IS resources of a company are essentially managed according to two models, centralized and decentralized. The centralized model implies that all IT resources are managed from a central IT department.


This model heralds from the days of the mainframe era, before client/server when IBM ruled supreme and the only companies that could afford computers were large, listed or multi-national. Today it is still a model of choice for many companies despite the proliferation of server technology throughout the enterprise. A large company might maintain central IT department from which all administration is performed. It is entirely possible and feasible to stage all telecommunications, data and other IT needs centrally and locate regional servers at branch offices and subsidiaries without there being any expertise at those sites. The administrators at HQ control everything, but if hardware needs upgrading or software needs installing a technical support person will usually go out to the location.

The Decentralized Management Model The decentralized management model is just the opposite of the centralized. In this model each key management entity is responsible for its own IT administration. However the lines along the KME differ for IT administration from organization to organization. Some companies may be more decentralized than others and the level of control usually starts with who controls budget. For example, they may have their own servers and be responsible for managing their little subnets, but IT budgets and purchasing is often a centralized function. A good example of decentralized model of administration in the IT support area is along Exchange Server administration. Some companies send an exchange server to each location that can be described or managed as a sit or subnet. Others maintain a server farm for everyone’s email at one location. Active directory can be partitioned along administrative lines using Organizational Units (OUs).

Funding Model Understanding the funding model is as crucial as knowing who makes the decisions for the enterprise. It is one thing getting approval for your project but until the checks roll off the check printer the funding model does not exist.


Many companies preserve their cash and lease equipment; others have sufficient funding in the bank to buy equipment directly. You need to be sure the funds are secure for the project you have been approved to fund and you need to make sure that you have all the funds and that you will not get cut off towards the end. Two recent projects come to find in which the change in funding status adversely affected things. One company, a multinational, approved and actually provided 99% of the million dollar budget approved for upgrading the data centers. The last $30,000 software that needed to be purchased had to be postponed because the company declared chapter 11. That last bit of software was the critical disaster recovery and backup software needed for about 24 locations. The company continued operations for almost another year sans the equipment. Recently I got the go ahead, after considerable effort, to set up an extensive Active Directory infrastructure for a company. All the equipment and software was going to be leased. About a week before signing (and we delayed signing the lease because the CEO went overseas) the Internet bubble burst and the leasing company decided to call for personal guarantees. The project was cancelled.

Outsourcing There are some IT managers that flatly rejected outsourcing in all its various shapes and sizes. But each company has its own case for or against outsourcing. It does not matter whether you work for the company or are trying to get a toe in the door, as a consultant understands the policies in place regarding outsourcing. The chief reason people outsource is that they only need such expertise for a short time and outsourcing obviates the need to hire directly. Many traditional recruiters have opened up new business for themselves because they can place a consultant at a company for a three to six month’s contract. When the project is done the contractor moves on.


Decision-making Process As I mentioned earlier the closer you are to the person making the decisions the closer you are to getting the project approved or making the sale. Also be sure that you have the correct audience when you present the benefits and requirements to your people. There is nothing more frustrating that to go through an extensive adoption and presentation process only to discover that someone else actually makes the decision and that person will not sign off until he or she gets the same dog and pony show.

Change-management Process Change management is one of the most important processes in any company. The problem here is that few companies actually have a change management process or even know what it is. Some big companies have very poorly defined change management processes. By doing due diligence on the change management process you need to discover what processes and policies are in place to manage change in the company. Specifically you need to know who is in charge of change management, is there a formal change management board, and who is the chairperson, how often does the change management board sit to review proposals and what is the process for you to submit your change management requirements to this board.


VII

Chapter 1: Summary

This chapter kicked us off with enterprise analysis and demonstrated the type of concerns you will face from management. The chapter also illustrated the role that IT has to play in analyzing business requirements. You are required to demonstrate knowledge of modern business models and the differences between centralized and decentralized IT management. You are also expected to understand what return on investment is all about (ROI) and how to calculate it. Not only will you have to justify why management should move to Windows 2000, but also the ROI an investment in Active Directory would bring. You are also expected to understand the pros and cons of outsourcing; change management and change control and so on.


VIII Chapter 1: Post Assessment Case Study1: Rocky Mountain School of Music You are a Network Consultant with specialized skills in designing Win2000 directory services. You are recently requested by the Rocky Mountain School of Music to design the Active Directory for the entire school.

School Mission The mission of the Rocky Mountain School of Music is to advance the art of music and its related disciplines. It seeks to educate students in the various fields of the profession and to promote an understanding of music. The School endeavors to preserve diverse repertories and cultural traditions while also creating opportunities for artistic, intellectual, and scholarly innovation in the realm of music. The School is dedicated to excellence in research, performance, composition, and teacher education, undertaken in a spirit of collaboration among its own constituents.

School Background The Rocky Mountain School of Music is consistently ranked among the strongest professional music schools in Canada. It attracts outstanding students and faculty in composition-theory, music education, musicology, and performance. The school is large enough to provide a wide variety of experience for students seeking degrees in music. At the same time, the atmosphere of a smaller school prevails with emphasis on individualized instruction in performance, comparatively small classes, and a faculty and staff that cares about its students. As a significant cultural resource, the School of Music serves the musical needs of the community, the region, the state, and the nation, and its influence is felt on an international level as well.


One measure of a university's quality is the success of its graduates. Among the more than 10,000 alumni of the School of Music are 5 Pulitzer Prize winners in composition; members of major symphony orchestras, opera companies, jazz ensembles, and professional choral groups; and faculty members at many of the nation's most prestigious colleges and universities. Music education graduates direct some of the finest elementary and secondary music programs throughout Canada as well as in foreign countries. The school is proud of its record in assisting qualified graduates to assume leadership roles in the music profession through career counseling and professional advising.

Programs Offered The Rocky Mountain School of Music has 2 degree programs available:

Bachelor of Music Specializations available in: • • • •

Applied Music Composition-Theory Music History Open Studies

Bachelor of Music Education Specializations available in: • • •

Choral Music General Music Instrumental Music


Divisions The school currently has the following divisions: • • • • • • • • • • • • •

Brass Composition-Theory Music Education Musicology String Woodwind Accompanying Jazz Organ Percussion Piano Piano Pedagogy Voice Divisions

Faculties The strength of the school lies in its distinguished and internationally known faculty, who are committed to teaching and at the same time maintain active performance schedules, contribute substantially to research in all areas of music. The school is justifiably proud of the excellent facilities, nationally recognized degree programs, and enjoyable campus life, but these are secondary considerations when compared to the quality education provided by the faculty for the students. The professional relationship between students and faculty is based upon mutual respect and a common interest in the quest for musical knowledge and artistry. There are nearly 100 full-time faculty members in music, which provides a student to faculty ratio of approximately 20 to 1. The wealth of experience the faculties bring to the classroom, studio, concert hall, or research facility, is supported by their continuous commitment to excellence.


Buildings and Facilities Currently the school has the following buildings: • • • • • • • •

Rocky Band Building Computer-Assisted Music Lab Music Project Lab Experimental Music Lab Performing Arts Lab Music Library Building School of Piano Building Jeff Memorial Hall

IT Infrastructure There are currently 2 IT staffs in the school. The existing network is purely DOS-based with Netware 3.1 as the network OS. No special feature has been implemented. The registration office currently runs a 386PC with dBase3+ as the school registration system. The staffs generally use the old Geoworks software for designing flyers and other publications. Due to the availability of funding last year, the school managed to install a 100BaseFX network across the campus. In terms of bandwidth, the school has more than enough bandwidth for use.

Levels of Skills in IT According to the IT Supervisor of the school, their students are very positive towards the use of IT in their learning process. Some students already uses computer to do the music composition. Others have uses notebooks to take notes during lectures.


Admin Structure The school has a Board of Directors for supervising the overall operations. The school president reports directly to the board. There are 2 vice presidents sharing the workload of administering the divisions of the school, as demonstrated in Figure 1-6.

Figure 1.6: Organizational chart of the school and its Board of Directors.


Risk Management In the past the school was once in difficulties due to a problem in funding. There had been a situation where the salaries of the teachers were not distributed on time, leading to a strike and a delay in the class progresses. Although this situation is not likely to happen again, the management insists on carry out a risk management process. It has been suggested that Microsoft’s Risk Management process is the ideal methodology to use.

Future Vision The school plans to open a branch in Austin, Texas. The management is willing to pay for a high speed 128K dedicated connection between the main campus and the new location. This new location will mainly be used to teach Music History and Music Appreciation.

The school will also open up a branch in London. This new location will use dial up modem to connect to the main office. This new location will mainly be a marketing office to promote the school’s “Student Exchange” program.


Case 1: Questions 1. What type of business model does the school have? A. Hierarchical B. Flat C. Tree D. No model

2. As part of your initial work of analyzing the business model, you are looking at how many servers are in the sites of the school as well as what OS and applications are running. What kind of structure are you trying to analyze? A. Organizational B. FDemographical C. TGeographical D. IT

3. The staffs in the school frequently have to rotate their duties and work in different divisions. You need to build the AD structure so that the directory can reflect the organization structure of the school and at the same time making administration as easy as possible. Which of the following will you prefer? A. Deploy OUs for the different divisions B. FDeploy multi domains for the different divisions C. TDeploy Win2K for the different divisions D. Deploy Multiple Master domain for the different divisions


4. Which of the following activities are parts of the risk management process’s risk identification phrase (Choose all that apply)? A. Identifying the source of risk B. FDetermining the risk condition C. TIdentifying the possible consequence D. Analyzing risk impact

5. Which of the following activities are parts of the risk management process’s risk analysis phrase (Choose all that apply)? A. Identifying the source of risk B. FDetermining the risk condition C. TAnalyzing risk exposure D. Analyzing risk probability E. Analyzing risk impact

6. You are studying the previous case of the school regarding the incident that the teachers went on strike. You tried to learn from the case to determine that, if, the same thing happen again, what the impact will be towards your project schedule. What type of analysis is this? A. Risk Probability B. FRisk Impact C. TRisk Exposure D. Risk Projection E. Risk Management


7. You are evaluating the risks involved in upgrading the school network to Win2K. You come up with a risk probability of 0%. What dos this mean? A. There is no risk at all B. FThere is a high risk C. TThere is already an actual problem D. Not enough information to determine the risk level

8. You are to carry out a Risk Action Planning for the school. What are valid key areas to address (Choose all that apply)? A. Research B. FAcceptance C. TManagement D. Avoidance

9. You are to carry out a Risk Analysis for the school. How do you determine the school’s risk exposure? A. Risk probability X Risk impact B. FRisk probability X Risk ratio C. TRisk Ratio X Risk impact D. Risk Consequence X Risk impact


10. You need to determine the baseline of upgrading the school network. Which of the following are valid metrics to use? A. Comparison with other schools B. FUS Accounting standard on the assets cost C. TTrue cost of assets D. Industry appointed index E. Industry average

11. You need to determine the unbudgeted cost used for calculating the TCO. Which one is a valid unbudgeted cost? A. Hardware B. FSoftware C. TDowntime D. Training E. Management

12. You need to determine the budgeted cost used for calculating the TCO. What are the valid budgeted costs? A. Hardware B. FUser C. TDowntime D. Management


13. Regarding the school’s expansion plan into Texas, what additional element will you include in calculating the TCO related to the IT project of the school? A. Cost of dedicated line B. FCost of routers C. TCost of financing D. Additional cost of management time to supervise the new location

14. You are worrying that the help desk support cost can be sky high once everyone in the school is equipped with the latest software and application. Which of the following can be used to reduce the support cost (Choose all that apply)? A. Use a single OS throughout the school B. Use a single application throughout the school C. Restrict users from changing their desktops D. Disallow resource sharing in the network

15. You need to plan for reducing the cost of software distribution in the school. At the same time you want to give the users flexibility to de-install some software. How should you do this? A. Push the applications B. FShare the applications C. TPublish the applications D. Mirror the applications


16. The management of the school confirms that the London office will be operational in 3 months time. They will ship a fully configured W2K server to that location, since there will be no IT staff in there at all. What is the legal concern in this case? A. Sales tax B. FTransport tariff C. TEncryption D. CPU Speed

17. According to your knowledge, which of the following encryption standards can be used in the London office (Choose all that apply)? A. MPPE Standard B. FMPPE Strong C. TIPSec Des D. IPSec 3Des


18. According to your knowledge, which of the following encryption standards can be used in the school’s US main campus (Choose all that apply)? A. MPPE Standard B. FMPPE Strong C. TIPSec Des D. IPSec 3Des

19. You are asked to give advice on which browser to use in the London office. The school’s web site will be redesigned to include new features like DHTML, Javascript and ASP. You want to give them maximum performance, and at the same time to be sure that the browser they use will not consume too much of the computer resources, as the London office will only use Celeron 600mhz PCs together with 128M RAM as clients. Which browser will you suggest? A. IE 2.01 B. FIE 3.0 C. TIE 5 128bit D. IE 5 Standard


20. According to your knowledge, which of the following encryption standards can be used for maximum protection on the connection between the school’s US main campus and it’s potential Texas location (Choose all that apply)? A. MPPE Standard B. FMPPE Strong C. TIPSec Des D. IPSec 3Des

Notes:

Analyzing Technical Requirements 57

Chapter 2: Analyzing Technical Requirements The objective of this chapter is to provide the reader with an understanding of the following: • How to analyze the enterprise’s existing and planned technical environment • How to analyze the Impact of Active Directory on the existing and planned technical environment • How to analyze the business requirements for client computer desktop management

Getting Ready - Questions 1) Who is the best person to talk to regarding the existing technical infrastructure of a large company? 2) What are the first steps to take to evaluate network usage? 3) When analyzing a wide area network what should you note, besides hardware? 4) If a company says it has a T1 line, how do you know if it is too much or too little bandwidth? 5) How can a company’s technical support help desk help you understand the technical infrastructure of the company and its communication and information flow processes?


Getting Ready - Answers 1) The network manager. The IT manager or CTO is usually responsible for budget and staffing. 2) Discover what processes are putting traffic on the network. 3) The WAN technology used, such as DSL, Frame Relay, ATM and so on. 4) You don’t know. You need to measure bandwidth at peak and off-peak hours, as well as after-hours and weekends to determine if a T1 is too much or too little for a company. 5) Studying the help desk ticket descriptions tells you the type and frequency of problems experienced

I

Introduction

The proceeding chapter covered the processes and steps required for analyzing the business requirements. Now we move onto analyzing the technical environment. This can be as time consuming and difficult for project managers and Active Directory planners as the analysis of the business. Here you need to analyze the existing IT +infrastructure, such as operating systems, hardware, servers, workstations, software used and so on. The analysis needs to be end-to-end and comprehensive starting with what’s cooking in the data center or server room to what’s installed on each user’s desktop.


II Evaluate the Company's Existing and Planned Technical Environment Unless you are very familiar with companies existing and planned technical environment you still have quite a bit or research to the do. It is very important to not only have an understanding of what the existing environment is or what it is about but to become, but it is critical to fully document this information in an accessible form. The following list provides some guidelines to what you need to be looking into and documenting: • • • • • • • • • • •

IP Address Space. IP Address delegation and management (DHCP or static assignment). IP Address-Internet Host Name Resolution (DNS) IP Address-NETBIOS Name Resolution (WINS) Operating Systems in use (servers, workstations and other devices on the network). Software Change Control technology (installation, licensing, distribution, and so on). Server applications (accounting, database, communications, workflow, and so on). Client or workstation applications (Microsoft Office, database clients, email clients, and so on). Technical support and help desk. Trouble-ticket processing procedures. Hardware support.

You will need to review the above technologies and procedures for what is currently in place and what the company has planned down the road. For example you need to be discovering and documenting facts like the network not only currently supports Windows NT servers but VAX systems, which are going to be replaced by AS/400 servers.


Analyze Company Size, User and Resource Distribution You need to analyze the resource allocation and distribution at every company site. The facts you need research and document include the following: • • • • •

Number of users. Number of servers Number of workstations (client computers). The configuration of the above hardware. Networking resources and services in place and utilized (both LAN and WAN).

Assess Geographic Location of Worksites and Remote Sites Analyze and document the connectivity between each site (geographical location) under the control of the company. Determine what telecommunications technology is in place (DSL, T1, Frame Relay, dial-up and so on). Also determine the need for upgrading the technology for permanent connections. When you are ready to plan intra-site replication between Active Directory domain controllers having this information at hand will be invaluable. It needs to be incorporated into the project plan form the very outset.

Assess Net Available Bandwidth While at each location analyze the net available bandwidth at each location. Measure the actual bandwidth available to the location. Do not just take for granted that a T1 connection at one site is automatically providing the full 1.5 mbit bandwidth. Find out the actual net bandwidth and what’s available. If the a hundred connections are currently connecting over the T1 as a massive show of wasted connections to a remote domain controller then the available bandwidth probably all gone.

Analyzing Technical Requirements 61 • •

•

Measure your bandwidth at peak and off-peak hours, as well as after-hours and weekends. Discover exactly what processes and resources are using the bandwidth. If a site is backing up to a tape server at a remote location it will not only take ages to perform the back-up it will also consume all available bit space available on the network. Plot the peak and off-peak hours

Analyze Performance Requirements Understand the need for performance from the site staff and IT personnel. If people complain that their Internet connections are down a lot or they cannot connect across the network to remote resources, such as database servers and file servers then you need to find out the cause of these problems and factor them in the Active Directory design. • • • • •

Analyze and research the following devices and technology that influence performance on the network: Network topology equipment such as routers, switches, hubs, bridges and so on. Address translation software, VPN software, and so on. Reticulation and wiring topology. Network technology such as Ethernet, Token Ring, Fast Ethernet, FDDI, 10BaseT, 100BaseT, and so on.

Understand exactly why certain network performance requires are what they. A good example is remote network printing. Often a user at a site needs extensive reports printed out locally to a printer in his or her office . . . from an AS/400 or Windows 2000 Server half the world away in the corporate data center.

Analyze Data and System Access Patterns This section requires you to perform specific analysis into the network infrastructure. The best way to approach this is to knock up spreadsheets that list the groups of users (departments or teams) and then list approximate levels of usage and usage patterns.


First, let’s look at data access: The columns in your spreadsheet should include the name of each site, and the rows should be the list of groups. At the intersection of each column and row you need to insert the level of data access required over the WAN links. Next you need to determine the amount of traffic generated by the data and system access across each WAN link. Here again you can create a small spreadsheet and include a column where you can record the traffic over each link. You don’t need to be more specific than including M, H, and L for the traffic levels.

Analyze Network Roles and Responsibilities Every organization maintains specific levels of expertise for IT/IS resources. You need to determine what they are and where they are. You will need to determine who the gurus are, the IT professionals and consultants, departmental network administrators, PC or workstation support, application support, printing support, WAN support, enterprise network administrators, and so on.

Analyze Security Considerations Security is an essential element of any network. All networks and IT infrastructures should be secure; however, some systems require peculiar and often complex security considerations. Heterogeneous networks that deploy mainframe systems, UNIX servers, or complex login scenarios may have specific requirements. You also need to consider server security requirements, vulnerability of the database servers, web servers, mail servers, files servers, remote access servers and so on.



1. What does ATM stand for? 2. What is a homogenous IT infrastructure? 3. Why is it so important to asses available bandwidth between locations? 4. What is a VPN? 5. What software is used to secure access to exposed IT resources behind network segments?



1. Asynchronous Transfer Mode. 2. It is an infrastructure which deploys hardware or software from a single vendor. 3. Replication services need to be planned around the existing and planned wide area network infrastructure? 4. A virtual private network? 5. A firewall.

Notes:


III Analyze the Active Directory On Existing and Planned Technical Environments This section deals with the impact Active Directory will have on the existing environment and the environment that will materialize down the road. Specifically we need to consider the following areas: • • • •

Assess existing systems and applications. Identify existing and planned upgrades and rollouts. Analyze technical support structure. Analyze existing and planned network and systems management.

Assess Existing Systems and Applications You should research all the systems and applications that are in use in the enterprise and document how they are being used. Active Directory deployment will impact Microsoft applications and applications supplied and maintained by independent software vendors and manufacturers. Systems such as SQL Server and Exchange Server will be impacted by a move to Active Directory. Also review how the applications and systems are published and made accessible to the users, how folders and sharepoints fit into the picture, printing services, access to disk space and so on. Review how users access systems and services across the WANs and any intra-domain or trust situations.

Identify Existing and Planned Upgrades and Rollouts Know what upgrades and rollouts are being planned. The last thing you need is to propose a new Active Directory deployment just when the Notes team decides to upgrade the Notes servers and all the clients. Either propose to finish the upgrades and rollouts before the new AD deployment, or arrange to have them put off until after the deployment. Either way you should have a clean and stable environment before considering the new deployment and at all costs avoid any concurrent deployment effort.


Analyze Technical Support Structure This technical support structure refers to Windows 2000 services and the earlier operating systems. Make sure you have the technical skills and resources to support the new services, support existing services during the change, and so on. It is also a good idea to roll out pilot systems to the technical support and IT/IS teams first.

Analyze Existing and Planned Network and Systems Management The administration of Windows 2000 is very different from the administration of Windows NT, NetWare and other network operating systems. Take stock of what in involved in the process of managing your systems now and note how that may change down the road when Active Directory and Windows 2000 arrives on the scene. For example, Windows NT networks that used TCP/IP extensively required a lot of hands on WINS administration. Today that has changed to either require both WINS and DNS or at least DNS. DNS was not a factor on a Windows NT network. It was a service that was left to the ISP to provide, but Windows 2000 depends on DNS like fish depend on water.



1. Why is it important to analyze data access traffic and patterns in the existing infrastructure? Is it to a) plan server placement; b)design or review the WAN topology; c) design AD site boundaries d) review data replication strategy; or e) all of these answers. 2. Why is it so critical to analyze performance? 3. Name three of the most important considerations in network design? 4. What are the first areas you should research when analyzing the technical circumstances of network environment? 5. If you find a WAN link between network segments is bottlenecked what’s the first action you should take? Is it a)Immediately upgrade the link and throw more bandwidth at it; or b) find out what’s causing the degradation of the service.


Pop Quiz 2.2 Answers

1. The answer is e) all of the answers. 2. You need to determine the expectations and experience of users because any deterioration in the user experience can cause the most headaches for any Active Directory implementation. 3. Reliability, security, and performance. 4. Number of users, number of workstations, number of servers, number of network peripherals (such as printers). 5. The answer is b) find out what’s causing the problem to correctly determine how to deal with it.

Notes:


IV Business Requirements for Client Computer Desktop Management Windows 2000 provides new and more powerful ability to centrally manage client desktops and the client-computing environment. This power comes directly from Active Directory’s OU architecture in which group policy objects (GPOs) are created and maintained. Group policy exerts management control over the accounts in organizational units, however, group policy in hierarchical. It starts with the GPOs created at the site level, the GPOs at the domain level and then the GPOs at OU levels, as illustrated in Figure 2-1.

Figure 2.1: console.

The GPO structure in the Active Directory Users and Computers

Group policy is a change management tool (one of the finest around) and as long as the Windows client environment is Windows 2000 Professional or higher, you have a very power means of control facilities such as application access, security, desktop, communications and so forth.


You can prevent clients from loading unauthorized software, changing the look and feel of their desktops, what they download from the Internet and the sites they are allowed to visit and so on. Of particular importance is the ability to redirect folders and thus ensure that all client documents, drawings and other business files are redirected to a network server folder where you can be sure they are included in back up and disaster recovery procedures. This lessens the administrative burdens on network administrators by an order of magnitude.

Analyze End-User Work Needs Every user is unique, but their habits can be grouped together to determine usage patterns. For starters every user has a particular idea about how he or she wants to organize the desktop, what wall paper to use, the size and location of icons, and so on. Some groups of users only need word processing applications, others need access to spread sheet software and communications software such as email and so on. Other users do advanced computer work, such as software development, desktop publishing, graphic design and so on.

Identify Technical Support Needs For End-Users Not all users need the same level of technical support. In my experience the savvy users end up being the users that require the most technical support, because they are always getting themselves into trouble. Like the proverbial rope they use to hang themselves these users will always try and reconfigure their machines on their own, they will try download software without authorization and the administrator or application support person ends up having to undo the mess they have created. Other power user may not be as time consuming but work with advanced software systems that require regular standby support from technical support or consultants


Establish The Required Client Computer Environment It is very possible and often desirable not to deploy personal computers to users but thin clients, Windows-based terminals (WBTs), pocket PCs or other hand-held devices and so on. You also need to consider that very few users actually need the powerful desktop computers. It is even possible with Windows 2000 to deploy processor, memory and disk intensive applications (such as graphics work, DTP and software development) on servers and provide the access via terminal services.


V

Chapter 2: Summary

This chapter investigated analyzing the impact of AD on the existing and planned technical environments. Active Directory eases the management burden through sophisticated policy management technology that controls the client/desktop environments through the use of group policy objects (GPOs) that are stored in Active Directory. You’ll be expected to know the types of GPOs that can be managed from the Active Directory Users and Computers console and how policy is processed.


VI

Chapter 2: Post Assessment Case 4: Joe’s Canoe Company

You are a Network Consultant with specialized skills in designing Win2000 directory services. You are recently requested by Joe’s Canoe Company to design the Active Directory for the entire company.

Background Joe’s Canoe Company is a company that produces canoes of different kinds. Most of its customers are in the Vancouver area. Since 1950 Joe has been designing and manufacturing Cedar Canvas Canoes. Through the years, as materials advanced, Joe began building Fiberglass, Kevlar and high tech Carbon Fiber Canoes. Joe's Master builders have 5 decades of canoe design and building experience, in all types, from the classic Cedarstrip to the family cottage canoe & the most advanced Carbon Fiber high performance canoes. According to the CEO, staffs in the company are on average at the age of 50 and above. Somehow they are a bit resistant to new technologies. Currently they are running on a Win NT network. Per your interview with the marketing manager, there is an increase in the demand for canoes in California. The company has been approached by a local canoe manufacturer from San Jose about a possible merger between the two companies. Your understanding on this is that, in the next one or two years, these two companies will still market their canoes separately under different brand names, however, the management will definitely want to see some sort of synergy in between. Last month a new representative office was opened in Kansas City, as the company can receive tax deduction from the city government.


Structure So far there is only one office location for Joe’s Canoe. There are 3 different departments: Marketing, Accounting, and Production. Each department has its own management team. The team leaders need to report to the CEO directly. Currently there are about 500 staffs. Of this amount, 60% of them will need to use computers in their daily operations.

Dealer Locations The CEO’s successor, James, has its roots as an IT consultant. He knows the importance of IT deployment. He likes to have all its dealers placing orders online to save processing costs. He recently built a VPN among the company and all its dealers. As of today, there are 6 dealers selling canoes for the company:

1. Algonquin Bound - Madawaska 2. Frontenac Outfitters - Sydenham 3. Gordon Bay Marine - Mactier 4. Muskoka Store - Gravenhurst 5. Adventure Guide - Kitchener-Waterloo 6. Boundary Bay Watersports - Whiterock, BC James is a MCP on NT 4.0. He likes to use Microsoft products. He wants you to implement a network design using Win2000 and active directory. There was a NT4 network implemented for the company. It consists of two domains containing accounts and resources. In addition, there are some other resource only domains that trust these two domains. James is not happy with the fact that trust relationships are so complicated to setup. He also dislikes that fact that scalability is limited with SAM.


Case 4: Questions 1. What domain model does the current NT4 network use? A. Single B. Single Master C. Multi master D. Complete Trust

2. What service does NT4 deploy for communicating on a TCP/IP network using NETBIOS names? A. DNS B. DHCP C. MRAS D. WINS

3. What does NT4 deploy for communicating on a TCP/IP network using NETBIOS names when WINS is down? A. DNS B. DHCP C. MHOSTS file D. LMHOSTS file


4. What is the tool used to configure the password policy across the NT4 domains? A. User Manager B. User Manager for domains C. MServer Manager D. Trust Manager

5. In the NT 4 network couple special applications have been installed on the servers that require registry modifications. When you perform the upgrade what should you first need to consider? A. Remove those applications B. Manually modify the registry C. MIncrease the memory D. Upgrade the CPU

6. Before you upgrade the servers to W2K, what action will you need to take to guarantee a smooth upgrade process? A. Check the HCL B. Inspect the power supply C. MDefrag the hard drive D. Format the hard drive


7. What tool can you use to check and find out if the old applications can be run in W2K? A. User Manger for Domain B. W2K HCL Checker C. MW2K KCC D. W2K Readiness Analyzer

8. You plan to use the Windows2000 Readiness Analyzer to check for application compatibility problems. How do you start this utility? A. Use the W2K resource kit B. Run Winnt.exe with /Check C. MRun Winnt32.exe with /checkup D. Run winnt32.exe with /checkupgradeonly

9. You found that there is a very important server side application that handles Joe’s Canoe CRM functions. This application does not run in W2K. In fact, the vendor was out of business. What can you do (Choose all that apply)? A. Look for a new application B. Keep a NT4 server to run this application C. MTransfer the data to the new application D. Apply service packs to the application


10. You found some old NT3.50 server in Joe’s Canoe ‘s headquarter. These servers have 266mhz processors and plenty of RAM. You want to upgrade them to W2K. What steps are needed for a smooth upgrade (Choose all that apply)? A. Upgrade them to NT 3.51 or 4.0 first B. Check the HCL C. MRun memory parity checks D. Scan the hard disk for bad sectors

11. You found an important application that needs to be upgraded. According to the documentation the same upgrade is compatible with NT4 and W2K. When should you upgrade this application? A. Before upgrading the server to W2K B. After upgrading the server to W2K C. MNo need to upgrade at all D. During the server upgrade

12. You want to have a fallback plan in case the upgrade fails. Which step will you take as part of your fallback plan? A. Take a BDC offline B. Run scandisk before the upgrade C. MCheck HCL before upgrade D. Check all the network cables E. Run Winnt32 with /checkupgradeonly


14. You want to find out the capacity of the WAN links between the company and the new location in Kansas City. What is the measure you need to find out? A. Bandwidth B. Speed C. MRate D. Throughput

15. What tool can you deploy to find out the latency between the head office and the new location in Kansas City? A. Ping B. NetDiag C. MNetStat D. Tracert

16. What tool in W2K combines the functionality of Ping and Tracert? A. Pingrt B. Routeping C. MNBTStat D. Netstat E. Pingpath

Notes:

Designing a Directory Service Architecture 81

Chapter 3: Designing a Directory Service Architecture The objective of this chapter is to provide the reader with an understanding of the following: • How to design an Active Directory forest and domain structure. •

How to design an Active Directory name strategy.

•

How to design and plan the organization unit (OU) structure.

• How to plan for the coexistence of Active Directory and other Directory Services. •

How to design and Active Directory site topology.

•

How to design a schema modification policy.

•

How to design an Active Directory implementation plan.

Getting Ready - Questions 1) What is an Active Directory forest? 2) What is meant by the term transitive trust?? 3) Do you need to register an Active Directory domain with an Internet registrar? 4) An Active Directory tree can contain multiple domains. True or False?? 5) What do you call the server Active Directory is installed on?


Getting Ready - Answers 1) A forest is a collection of domain trees that are combined to form a single unit. 2) If Domain A trusts Domain B and Domain trusts Domain C, then if Domain, the trust is transitive, Domain A must also trust Domain C. 3) No, but if you want to use your root AD domain name as an Internet entity you do have to register it. 4) True. The tree is your Active Directory namespace, which references multiple domains. 5) The domain controller?

I

Introduction

You have, for the most part, left the analysis and research behind. This is where you use all the data you have collected to begin the actual Active Directory design process. The Microsoft Exam concentrates most of its questions in this chapter so pay close attention. I will begin by first investigating the AD forest and domain structure and then explore how it affects the design. You will be studying naming strategy, OU structure, implementation, schema modification plans, site topology and how AD coexists with other directory services.


II Design an Active Directory Forest and Domain Structure This section covers the design of the forest and domain structures and how they serve as the foundation for the entire Active Directory deployment. It is critical to be able to use the data you have accumulated to design an AD infrastructure best suited to the environment you are going into. In particular you will learn the following essential design tasks: • • •

How to design a forest and schema structure. How to design a domain structure. How to analyze and optimize trust relationships.

Design A Forest and Schema Structure A forest is a collection of domain trees that are combined to form a single unit as illustrated in Figure 3-1. Active Directory does not limit you to creating and managing one domain. In fact when you first create a new domain, when executing the DCPROMO utility, you are prompted to add the domain to an existing forest, or create a new forest. If you are deploying Active Directory for the first time in an organization you will need to first create a forest before you can continue. This is done so that the new domain can be placed into it. If you are creating a new domain in an organization that already has an existing forest, you will be prompted to create a new domain tree in the forest, or attach the domain to an existing tree. Whatever is required you will either have to create a new forest or join an existing one.


Figure 3.1: A forest is a collection of domains.

You will add more trees to the forest when you inherit or acquire the infrastructure that belongs in other domains. These domains can be Windows 2000 domains, or legacy Windows NT domains. So you can old and new domains to existing forests and depending on the type of domain you will need to manage a trust relationship between the domain and domain trees in the forest.


Design A Domain Structure Domain structures can be as different as the companies that have deployed them. But creating the domain structure follows similar course of action for every enterprise in general and AD domain structure in particular. Domains are full-blown security and administration entities of your network so it is vital to properly design a domain structure because once you have created the domain and begun populating it, you will not be able to change the foundation structure. The remainder of this chapter will assist you in designing the correct domain structure.

Analyze and Optimize Trust Relationships You will always have trust relationships between the domains in your Active Directory forest. If the domains belong to the same domain tree the trusts between the domains will be implicit and transitive. If the domains are not part of the same domain tree the trusts will have to be explicitly created and established between the separate domains. If trusts need to be explicitly created you will need access to the other domain or the cooperation of the other domain’s network administrator. Creating trusts between Windows 2000 domains not part of the same domain tree, or between Windows 2000 and Windows NT domains follows the same process as creating trusts between two Windows NT domains.


III

Design An Active Directory Naming Strategy

The key to a successful Active Directory implementation is coming up with a feasible and usable naming strategy for the objects in the directory. You thus need to establish a set of naming standards and the policy required to name objects within the environment. This will require you to review much of the material you have gathered during the analysis stage to determine what naming conventions and strategy will work for your enterprise.

Establish the scope of the Active Directory Using the information gathered during the analysis stage you will need to determine the scope of your Active Directory implementation. Depending on the size of your enterprise there may be systems, networks, implementations, and so on that Active Directory will not be able to cover. On the one hand the scope may cover the network logins for every user if all users have a Windows computer and use that machine as their startup for network services, and this is very common. But there are also bound to be situations, such as logins to NetWare and UNIX servers, share-points on midrange and mainframe systems and so on, that Active Directory will have no control over. Many of these external systems will likely have their own established naming schemes.

Design A Domain Structure Using a legal or accounting pad make your first task to sketch your root domain or in AD terms, the root domain object. If this root domain will also be your Internet root domain, you should register it with an Internet domain administration authority as soon as possible.


If you already have a root domain you will be able to create an object that represents it in AD and link it to the DNS server hosting or resolving that name. If you have not registered your domain you might not be able match it to your company name, because someone else may have already claimed it. This root domain in fact becomes the first container object you create in your chain of objects that represent the “expanse” of your local network logon domain in AD. Under this domain you would create more container objects that represents the organizational units within your enterprise. For example, you might create a domain called mcity.org and register it with an Internet registrar. There are also security considerations we will also address later. It is entirely feasible and good practice to create sub-domains under the domain root that reflect subdivision of resources, departments, politically, and geographically diverse divisions of an enterprise, acquisitions, resource entities and more.

Plan DNS Strategy There is a direct connection between the AD domain and the DNS domain. For example, a root domain of ABC Company might be abc.com. You could then easily create a subdomain of abc.com called marketing.abc.com. Note that the .com should not be your domain root, because the Internet authorities own that domain root. Keep in mind that we are still only creating objects from an AD point of view. These domain objects are container objects, with name attributes for easy lookup and management (and GUIDs for internal tracking and identity). What we are actually asking AD to do is maintain the first domain as a root container object, which in turn contains subordinate domain objects.


IV Design and Plan the Structure of Organizational Units (OU) Organizational units (OUs) are key container objects in which you can group classes of objects. OUs can, for example, contain objects such as user accounts, printers, computers files shares, and even other OUs. In AD you can create these containers to reflect your enterprise or organization. To illustrate I re-created the organizational chart major US city and merged it into the domain of a cyberspace city called Millennium City as illustrated in Figure 3-2.

Figure 3.2: An Organization Unit.

Your organizational discussed in Chapter 1 show the hierarchy of departments and division in an organization at the time a directory is being contemplated. Your charts will show a diverse collection of departments, both local and geographically dispersed, and various sites and services. You can then map the same organization chart to the OU objects in the AD.


In any domain on the domain path you can create organization units, and inside these organizational units you can create group, user and computer objects. You can also add custom objects to the domains and OUs. AD lets you also create any end point or leaf object outside the OU.

Reflection of the Enterprise Using the analysis you have performed so far you will begin to design the OU plan to reflect the following aspects of the enterprise: • •

• •

Administrative Control: The plan should reflect the various levels of control required by the enterprise. Administrative Policy: The administrative policy lays down the objectives and practical aspects of delegating administrative control over the various OUs, and how this will be achieved when you create the OU structure. Geographic Structure: The plan should address how the geographic layout of the enterprise will be reflected. Company Structure: The plan should address how the company or enterprise layout will be reflected

Organizational units or OUs allow you to delegate administrative control throughout the enterprise. With each department or division represented by its own OU, resources in that department can be maintained by delegating the responsibility of the management to an administrator in that department. The OU plan also lets you map the geographic layout of the company in Active Directory. OUs belonging to remotely located entities will also be present in Active Directory, and you’ll need to provide the necessary services for remote access and the bandwidth to ensure adequate updating of group policy, security and so forth.


Develop An OU Delegation Plan Every OU in Active Directory has a set of permissions that either grant or deny read and write access to the OU. This enables you to delegate administrative rights or privileges from the highest OU down to the lowest OU in the directory. Mapped to your organization structure this becomes an effective means of delegating administration of Active Directory, partitioned by OUs, across the enterprise. With the cooperation of team leaders and department heads develop a plan to delegate the administration of OUs to responsible people within the enterprise.

Plan Group Policy Object Management Along with OU administration delegation comes group policy object administration. Keep in mind that responsible people should manage the GPOs. In many cases the people delegated GPO management could and should be the same people delegated the task of administrating the OU. There are hundreds of settings in GPOs that control the user environment. They are too numerous to mention the list here and I have discussed some of the options earlier. The object management should not just be handed over to administrators to do with what they want. They should follow policy set up for the entire enterprise and allow flexibility at the OU level. For example, all users would likely be prevented from browsing directly to the Internet and GPOs will enforce a proxy or firewall address for them to browse to. You can allow administrators to override that for their OU if there is a need to allow power users to redirect their browsers to other gateways.


Plan Policy Management For Client Computers GPO extends over client computers and their users, starting at the site level, then going down to the domain level and then finally the OU level. At these levels administrators can control how users and clients are influenced by the GPO settings. Your GPO management plan should start at the site level to first decide how users and computers are influenced at the site level. For example, if policy requires all folders in the enterprise to be redirected to servers then that policy should be applied at the highest level possible for the site or domain. The higher the level of GPO application the broader scope or coverage is desired.


1. How many Primary Domain Controllers can you have in an Active Directory domain? 2. Windows Internet Name Services (WINS) resolves AD domain controllers? True or False? 3. Are all domain objects stored in one huge Active Directory table? 4. What service needs DNS to let you authenticate to a domain? 5. Does Active Directory use single-master or multi-master replication?



1. Only one. To emulate the PDC servicing Windows NT domains. 2. False. Resolving the domain controller is does by DNS. 3. No. Each domain is given its own partition in the Active Directory database. 4. The netlogon service. 5. Multi-master?

Notes:


V Plan for the Coexistence of Active Directory Services Active Directory coexists with other directory services using connectors. One of the most important connectors is the Exchange Connector, which is tricky to install. There are also other directory services that can coexist with Active Directory. As you are aware AD is LDAP compliant and can thus interoperate with other LDAP directories like NDS and X.500. Active Directory also integrates with WINS, DNS and DHCP, but the integration of the latter services is so tight that you really have little configuration to worry about.

Coexistence of Active Directory Services Active Directory makes use of connectors to keep the data between dissimilar directory services synchronized. In other words changes in one directory are propagated to other directories. This propagation strategy through connectors is the fruit of Microsoft’s strategy to promote the concept of a single point of management for all network resources. For example, if your company depends on Novell NDS, but makes use of AD for several server services, such as login to SQL Server, then you could conceivable have accounts for a user in both directories? What you then need to do is install the AD connect on the AD server in order for it to forward changes to a user account in AD to the user in NDS.


VI

Design an Active Directory site topology

Active Directory Site Topology becomes an issue when deploying across multiple locations connected by a WAN. The configuration of a multi-site AD domain structure can take on numerous forms. In many cases the AD site topology needs to be configured with an existing WAN topology. You will use AD to control network traffic across these WAN links, but you also need to consider the network bandwidth that AD needs to perform replication, and communicate with network services across the WAN.

Design A Replication Strategy Windows 2000 supports two basic types of replication: • •

Intrasite Replication, which takes place between two or more domain controllers within a site, and Intersite Replication, which takes place between domain controllers in different sites.

You will need to understand how both work to successfully plan a replication infrastructure and plan the topology and resources. When you promote the first domain controller Active Directory creates a default site named Default-First-Site-Name and places the domain controller server into that site. You can change the name of the default site to reflect the conventions in your deployment plan or you can create a new site after the promotion and move the server into that domain. It is not necessary to create subnet objects for replication between servers. Active Directory sees the root DC server in the site you create and puts the root DC of the child domain in that site. The Active Directory site is associated with an IP subnet. The Active Directory replication topology is built either via the site and subnet topology, or between the domain controllers, or both. When you have two domain controllers on the same site the replication that takes place between the controllers happens very quickly, or at the speed of your local area network to be more precise which could be anything from 10 to 100 Mbps or more.


But when you move your DCs to remote sites the new site becomes associated with the remote subnet you will need to communicate with.

Define Site Boundaries A collection of computers that are connected together on a fast, reliable and wellconnected network should be considered as your AD site. In other words if a small office of twenty computers are all connected to the same hub and switch equipment and the backbone between the servers is 100 mbs and the bandwidth to the clients is at least 10mbs you have the makings of site. Server and computers that can only be reached over less reliable connections, such as T-1 speeds (1.5mbs), dial-up services, and other WAN links do not become members of a site. In other words if you have two collections of computers, even if they are only separated by a courtyard, and both groups are connected by unreliable or lowspeed networks they then logically form two sites. Even if the other site only contains one server at the other end of the low speed network, it is logically considered a separate site, likely requiring its own AD domain controller.


1. An Active Directory domain is one large organization unit? True or False? 2. How do you represent decentralized IT management in Active Directory? 3. What is change control? 4. Group Policy only affects users when they logon True or False? 5. How do you use group policy to ensure your employees only browse to authorized sites on the Internet?



1. False. It comprises many organizational units? 2. Delegate the administration of the OU to the decentralized staff. 3. It is the ongoing management of IT resources. 4. False. Groups policy affects the actual computer as well. 5. Group policy can force users to access the Internet through a proxy server, which controls what they can and can’t visit on the Web.

Notes:


VII

Design A Schema Modification Policy

The schema that is created when you install AD is sufficient for most enterprises, but there are a number of circumstances in which you will have to modify the schema to accept a new configuration, or integrate AD with a new service that requires space in the AC database. In such cases you will need to modify the schema. The schema change comprises adding new objects, changing existing ones, and manipulating various AD classes and objects. It is highly unlikely that you, as a network or AD administrator, will ever modify the schema directly, so you policy will revolve around who is allowed to modify the schema, and this will mean deciding who will be a member of the Schema Admins group. The schema can be modified by products, such as Exchange 2000, which add objects for email and addressing and so on. Other ISVs may also modify the schema, and add fields to existing objects, and so on.


1. An Active Directory site comprises all domains in the forest? 2. What is an Active Directory connector? 3. Which Active Directory Domain Controller holds the schema? 4. What type of replication takes place between domain controllers in the same site? 5. What so special about the Dynamic DHCP service?


Pop Quiz 3.3 (Answers) 1. False. A site’s boundary should not extend over slow network points and should all computers should be connected on the same high-bandwidth network segment. 2. It is a protocol that allows services to directly integrate with Active Directory, such as Exchange and SQL Server. 3. The Schema Master. 4. Intrasite replication. 5. It allows DHCP clients to automatically register themselves with the Microsoft DNS.

Notes:


VIII

Design Active Directory Implementation Plans

By now you will have a good idea of the nature of your enterprise and be in a position to move forward with your implementation plan. The following bullets suggests a possible layout or breakdown of the plan: • • • • • • • • • • • • • • •

Describe the business management model in use Describe what IT management model is in use Describe the network infrastructure and how it is managed Document the number of users, workstations and clients, and servers Document and describe the network services offered Describe the scope of the AD project Describe how information and communication flows through the company Describe the structure of the IT/IS department, and the accessibility of personnel data Describe the existing and future change management resources Describe the he existing domain structure, if any Describe the existing and planned OU structure Describe the AD site boundaries Describe User and Computer Management, and how change control procedures and policy will be put in place to govern this. Describe the present and planned interconnection and interoperation with other directories Document the necessary policies to be followed, such as Schema Modification Policy.

After the extensive analysis and research you have undertaken the most important product and service you will now produce is a reference document gathering up all the data into a detailed implementation plan.


This document will describe how you will layout the Active Directory sites and the boundaries (network segments) of the sites. How desktops are going to be managed, and how change control is going to be put in place and enforced. How trusts between Windows 2000 and Windows NT domains will be catered to. How trusts between Windows 2000 domains and UNIX realms (and NetWare networks) will be implemented. If you have done your homework you will probably know more about the enterprise than any one else at the enterprise. Make the plan as detailed as possible and cross-reference all pertinent information discovered during the analysis stage.


IX

Chapter 3: Summary

This chapter provided an introduction into the early design and planning of your Active Directory Service Architecture. Microsoft will expect you to have a basic understanding of what you need to know about the enterprise to properly plan and implement the organizational units. You are also tested on the functions of the schema and the various aspects of the Active Directory database. At this point you should be ready to assign permissions to the people delegated to modify the schema and the various types of modifications that can be made to the schema. You also need to know what of the schema cannot be modified, how and when the schema is modified and how Active Directory manages objects.


X

Chapter 3: Post-Assessment Case 8: ProX Auditing Group

You are a Network Consultant with specialized skills in designing Win2000 directory services. You are recently requested by ProX Auditing Group to design the Active Directory for the entire company.

Background ProX Auditing Group (Figure 3-3) uses a logical sequence of steps to perform audits in the most efficient, effective, and timely manner possible. Its audits comply with the highest professional standards and lend credibility to Client Company's financial statements. Its experts can assist the clients in improving internal controls and operating efficiency, as well as recommend enhancements to make Client Company more profitable. ProX offers the following audit services: ProX Austin

• • • •

General financial audits Review of agreed-upon procedures Analysis of internal and operating controls Review of computer systems for proper operation and control procedures

ProX Kansas

• • • • •

Due diligence audits for mergers and acquisitions Federal single audit compliance Compliance with GAO "Yellow Book" requirements Compliance with grant requirements Compliance with loan covenants/regulatory requirements


Client Sectors: 1. Agriculture 2. Auto Dealers and Auto Repair 3. Beverages 4. Construction and Logging 5. Financial Institutions and Trusts 6. Governmental 7. Health Care Professionals 8. Lodging and Food Service 9. Insurance Services 10. Manufacturing 11. Non-Profit Organizations 12. Professional Service Firms 13. Real Estate 14. Retail and Wholesale Businesses 15. Timber 16. Trucks and Transportation


Organization Structure

Figure 3.3: Organizational of ProX Auditing Group

The SF office is the head office. All the offices share the same set of rules and standards. The three ProX offices are interconnected with high speed T1 lines. Currently they are running on Netware 4.X. However, for file sharing, some NT servers are deployed as well. These NT servers are working together with the Netware 4.X servers on the same network. Clients are mainly Win98 based.


Case 8: Questions 1. The CEO is very nervous about the upgrade. He wants to be sure that the upgrade will be conducted smoothly. He also wants you to determine if there is any problem with the upgrade. What will you do to address this issue? A. Run a test lab network B. Run simulation software C. Check the HCL D. Run Winnt32 with /checkupgradeonly

2. How many forests will you deploy for ProX? A. 1 B. 2 C. 3 D. 4

3. How many trees will you deploy for ProX? A. 1 B. 2 C. 3 D. 4


4. How many schema masters will you deploy for ProX? A. 1 B. 2 C. 3 D. 4

5. How many infrastructure masters will you deploy for ProX? A. 1 B. 2 C. 3 D. 4

6. What option do you have when creating sites for ProX? A. You can have multi – domains for the same sites B. You can have multidomains for multi – sites C. You can have one domain spread over multi - sites D. You can have one domain for each site in each office


7. What protocol does the servers of ProX’s current network use? A. NWLink B. TCP/IP C. NetBEUI D. Appletalk

8. What will be the valid design decisions regarding the AD name space for ProX, if the 3 offices will be of totally different domains (Choose all that apply)? A. Uses Sanfrancisco.prox.com for the head office B. Uses Austin.prox.com for Austin C. Uses Kansas.prox.com for Kansas D. Uses www.prox.com for all the offices

9. After the upgrade, you want to configure and analyze the security of the new network. What software interface can you use to do this? A. MMC B. SecureMan C. Admintools D. Netstat E. NBStat


10. After the upgrade, you want to configure and analyze the security of the new network. You also want to deploy security template to configure the settings for each system. What software can you use to do this? A. Security Configuration and Analysis snap in B. Security Configuration snap in C. Security Analysis snap in D. Security Template snap in E. None of the above

11. All the NT computers have been upgraded to W2K. You modified some of their local GPOs, and then found out that some of the modifications are not effective. What is the likely cause? A. Some local GPOs are affected by policies that are not local B. Some local GPOs are not compiled C. Some local GPOs are not saved with the new settings D. Some local GPOs are not associated with the systems properly

12. What tool can you use to modify group policy per the request of the CEO (Choose all that apply)? A. MMC B. Group Policy snap in C. Template snap in D. AD Computers and Services snap in E. AD Domain and Trust snap in


13. You want to be able to remotely access the ProX server so that traveling cost can be avoided. What components will you need to make this work (Choose all that apply)? A. Terminal Service running on a W2K Server B. Terminal Service and Terminal Service Client running on a W2K C. Server D. Terminal Service running on your computer E. Terminal Service Client running on your computer

14. In the new ProX network, you want to analyze packets that are destined for all the computers on the network segments. You do not want to involve a high cost in doing this. What tool can you use? A. Network Monitor that comes with W2K B. Packet Sniffer that comes with W2K C. Proxy Server 2.0 D. Full version of SMS

15. In the new ProX network, you want to analyze packets by putting your NICs into “promiscuous mode”. You do not want to involve a high cost in doing this. What tool can you use? A. Network Monitor that comes with W2K B. Packet Sniffer that comes with W2K C. Proxy Server 2.0 D. Full version of SMS

Notes:

Designing Service Locations 111

Chapter 4: Designing Service Locations The objective of this chapter is to provide the reader with an understanding of the following: •How to design the placement of the operations masters. •How to design the placement of the global catalog. •How to design the placement of domain controllers. •How to design the placement of the DNS server.

Getting Ready - Questions 1) What factors do you need to focus on to ensure successful single master replication? 2) What Active Directory server is required for login? 3) Is it possible to rename the administrator account for security? 4) Active Directory and Windows 2000 Security is based on the NTLM protocol. True or False? 5) How many operations master can you have in a forest?


Getting Ready - Answers 1) 2) 3) 4) 5)

I

Performance, Fault Tolerance, Functionality, Manageability. Global Catalog Server. Yes. False. It is based on Kerberos. 1.

Introduction

We are really talking here about server placement because the objective of this chapter, and what Microsoft is testing has to do with the location of the various servers (and their services) in an Active Directory implementation. You will need to understand what’s required with respect to network overhead, cost, access and so on. You will also need to consider issues such as fault tolerance, administration, performance and so on.


II

Design placement of operation masters

You should know the difference between a single-master and a multi-master environment but let’s refresh your memory. A single-master environment means that only one copy (the PDC on an NT network) can be updated. A multi-master (Active Directory installed on several peer domain controllers) directory lets you write to any DC database. The changes or additions are then replicated to the other domain controllers. However, there are certain operations in Active Directory in which only a single database can be updated in single-master style. A server that is the master for several operations usually performs this, and the services are known as the operations masters. These operations masters are responsible for propagating all changes to the other servers, similar to how the NT PDC updated its BDC databases through the synchronize process. The single-master tasks vary from forest-wide tasks to domain oriented tasks. They include the following operations: • • • • •

Schema Master (forest wide) Domain-naming master (forest wide) Primary Domain Controller Emulator (Domain) Relative Identifier Master (Domain) Infrastructure Master (Domain)

The domain-naming master server’s function is to add a new domain to the forest. When first installing AD this master is the first to be created in the environment. The domainnaming master is then used keep a watch on domain operations. For example, it checks to make sure additional domains of the same name are not added to the forest. The job is not critical and for most enterprises with only one domain this master performs very little day-to-day work. The primary domain controller (PDC) emulator replaces the Windows NT PDC to allow for the establishment of mixed Windows 2000 and Windows NT domains. There is only one PDC emulator in each mixed domain.


Depending on the environment if you have multiple Windows NT resources domains it might make more sense to develop a trust between the actual NT domains and then gradually move the resources over to the Windows 2000 domain. Then you switch the domain to native Windows 2000 mode and drop the NT Servers altogether, which obviates the need to have the emulator service. The Relative Identifier Master is placed to ensure that all relative IDs (RIDs) used in the allocation of security identifiers (SIDs) are unique. In stable environments that do not change much this role is not very important. Once the pools are assigned the service can be taken offline. In large networks that see a lot of changes, new objects created every day, such as new users, new files, and so on, you need to make sure this master can be contacted if the RID pool is exhausted. The infrastructure master is responsible for maintaining cross-references between domains. When an object in one domain is renamed this master ensures all other domains are updated with the changes. This is not a critical service and small network that only operate in one domain do not need this master. You’ll need to keep this server up, on a separate machine to the global catalog, only in environments that comprise many domains and a lot of network traffic and operations inside and between them. Microsoft provides a number of factors you need to focus on to ensure successful single master replication occurs. These recommendations are as follows: • • • •

Performance Fault Tolerance Functionality Manageability


There can only be one operations master in a forest, and usually only one per enterprise. This server is the first server AD is installed on when a new forest is created. Most operations that require AD can take place without the operations master, but a number of tasks, such as schema changes, require its presence. A good example is adding a new domain to a forest tree. The operations master needs to be contacted before this can be done. The operations master can also be transferred to other servers; but it should be kept close to the IT department, on a solid backbone, because it is likely that only the high-level IT people will have the ability to make changes to the AD infrastructure that will require the presence of the operations master. The placement of the masters should follow these guidelines: • • • • •

Schema Master: Not an issue because the overhead of its operations only maters during schema modifications. Domain-naming master: Not an issue because the overhead of its operations only maters during schema modifications. Primary Domain Controller Emulator: Related to the number of NT 4.0 Domain Controllers Supported. Relative Identifier Master: Not an issue. Infrastructure Master: Depends on the number and frequency of name changes.

Fault Tolerance • • •

• •

Schema Master: Not an issue. Domain-naming master: Not an issue. Primary Domain Controller Emulator: You should always have at least two DC computers per domain, specifically to ensure that intra-domain replication is not affected Relative Identifier Master: Not an issue. Infrastructure Master: Not an issue because on name changes are affected and recovery is prompt.


Functionality •

• •

• •

Schema Master: Not an issue, can be done after hours, so server can perform other roles but it is better to perform schema modifications during quite periods, in other words when there is little processing taking place on the server. Domain-naming master: Not an issue, can be done after hours, so server can perform other roles. Primary Domain Controller Emulator: Related to the number of NT 4.0 Domain Controllers Supported. Do not delegate this server to non-network task or mainstream server applications, like email and database access. NT Servers should always have ready access to this server. Relative Identifier Master: Not an issue, can be done after hours, so server can perform other roles. Infrastructure Master: Depends on the number and frequency of name changes, in general avoid giving a busy server this role. Keep this server close to the central infrastructure hub.

Manageability • • • • •

Schema Master: Place close to IT department because it is usually the IT people that perform schema updates Domain-naming master: Place close to IT department for the same reasons as schema updates Primary Domain Controller Emulator: More important to place server for functionality. Relative Identifier Master: More important to place server for functionality. Infrastructure Master: More important to place server for functionality.


Pop Quiz 4.1 (Questions) 1. What is a .SRV record? 2. WINS is being phased out by 2004. True or False? 3. What service controlled by group policy at the OU level can ensure that your clients data is always backed up on the server? 4. Who can logon to AD even if the Global Catalog Server is down? 5. What tool lets you move users from one Windows 2000 domain to another?



1. It is the record that allows us to resolve domain controllers. 2. False. WINS will always be required to provide NETBIOS name Resolution. 3. Folder redirection. It forces files saved at the users computer to be redirected to server shares. 4. Any member of the Domain Admins group. 5. MoveTree.

Notes:


III

Design the Placement of Global Catalog Servers

The trees within a forest share a common global catalog (GC). The server on which the first or root domain in a forest is created is usually the GC. The GC server is an AD DC that holds a partial replica of the entire forest. As such is critical for login authentication because every user’s object is contained in the GC. Frequently access information is stored in the GC, but information that does not change much, like printer settings need not be stored in the GC. The following placement issues need to be considered for the GC server. •

•

• •

Performance: Global catalog servers are required for login and authentication so they should have sufficient resources such as processor power and memory. The catalog server (often installed on the single DC) should provide the same performance bandwidth as specified for the domain controllers discussed in the next section. Fault Tolerance: Plan for more than one GC server in larger organizations with many employees, or enterprises that demonstrate a large number of AD searches. Having at least two GC servers eliminates the single point of failure or that logon and authentication traffic is kept local to the WAN segment. Functionality: It is always better to dedicate a server to the GC role. Manageability: The servers do not generate much management effort, so rather deploy for


IV

Design the placement of domain controllers

The primary consideration for the placement of domain controllers is performance. They should be placed in such a manner that users do not notice or suffer from latency, poor response, delayed policy updates, and so forth. A poorly placed DC can result in server crashes, corrupt data and network problems resulting. You can place the DCs in a centrally located arrangement, which would reduce replication traffic out on the WAN. The problem with this, however, is that you would be substituting replication traffic for authentication and logon traffic. Access, however, is an even bigger issue than traffic, because if a WAN link goes down users out on the network are essentially left in the cold until the link is restored. A better approach is to locate domain controllers as close to origination of authentication as possible, and on the local subnet on which user and server logon is required. Replication should then be managed in such a way that bottlenecks do not occur and bandwidth is adequate. The rule of thumb is to deploy for performance rather than network traffic, and thus physically disperse the DCs.


Microsoft provides a number of factors you need to focus on to ensure successful single master replication occurs. These recommendations are as follows: •

•

•

•

Performance: In mixed NT 4/2000 environments place the DC/PDC centrally or close to the NT 4 PDC because you need adequate bandwidth to ensure data is replicated. In homogenous environments place the DCs near users and ensure they have adequate resources to handle the logon traffic. Fault Tolerance: If the PDC emulator is linked to the PDC via a WAN link, ensure you have network fault-tolerance that would enable you to quickly reroute replication traffic. In homogenous environments place at least two DCs to avoid crossing WAN links for authentication should a DC fail. Functionality: In mixed environments deploy for network functionality, as opposed to providing services, such as print queues or file server functions. This holds true for homogenous networks, unless your network supports a small number of users on a single subnet. Manageability: The DCs require more consideration for bandwidth than manageability so they do not need to be close to administrators. The order is performance and fault tolerance than manageability.

Pop Quiz 4.2 (Questions) 1. What is a schema? 2. Who can modify the AD schema? 3. What is Native Mode? 4. When you plan to migrate to AD, which objects do you move first? 5. The PDC emulator is a forest wide role. True or False?


Pop Quiz 4.2 (Answers) 1. The definition of a database. 2. Any member of the Schema Admins Group. 3. The environment in which all servers have been upgraded to Windows 2000. 4. Users and Groups. 5. False the PDC emulator operates within the definition of a domain.

Notes:


V

Design the placement of DNS servers

DNS is the critical technology in Windows 2000 networks because; DNS is used by the Netlogon process to locate domain controllers. If DNS fails you lose the DCs as well for all intents and purposes. Microsoft heavily tests DNS. Placement of DNS should cater to availability and performance above all else. Microsoft provides a number of factors you need to focus on to ensure successful single master replication occurs. These recommendations are as follows: •

• • •

Performance: More consideration should be given to resources of DNS servers than network bandwidth because DNS traffic is not heavy, even in big organizations where even replication can be light. However, place DNS servers close to users so that resolution is not prevented by WAN link traffic problems or link failures. Fault Tolerance: Plan for a secondary DNS close to the user if possible. You may also place the DNS on a DC if you have adequate resources on the machine. Functionality: It is better to dedicate a server to the role of DNS, but it can be placed on an adequate DC in smaller enterprises. Manageability: Staffing is an important consideration here because DNS administrators are few and far between. Many outsourcing companies and service providers offer DNS servers for Internet resolution, however, Windows 2000 requires you to bring a DNS server in-house, no matter what the size of the enterprise is.

Plan For Interoperability With The Existing DNS If you already have DNS services in-house, which is usually the case in larger enterprises resolving legacy systems, UNIX services and so on, interoperability is a critical consideration. You can continue to use existing UNIX or standard Windows server based DNS.


However, using Microsoft’s DNS Server service offers a number of important considerations as follows: •

•

• •

SRV Resource Records (.SRV): These records are defined in RFC 2052 and identify the location of a service rather than a device. On Windows 2000 network they are used to locate the logon service. Dynamic Update: Also known as DDNS for dynamic DNS, this feature lets hosts dynamically register their names with the zone. It thus helps reduce TCO by lessening the work of administrators. Secure DDNS is used to authenticate hosts that attempt to register with a zone, which is important for WAN setups and complex heterogeneous networks. Incremental Zone Transfer: The benefit of incremental zone transfer is reduced network traffic because only changed data is replicated. DHCP Server Interop: Microsoft’s DHCP service can use DDNS to dynamically register on behalf of clients.

As mentioned earlier you cannot deploy a Windows 2000 network without DNS, so if you plan to use existing non-Windows DNS servers make sure they support the service location records (.SRV) discussed in the above points. Support for the dynamic update protocol is also an important consideration. Whether you use Microsoft DNS or some other flavor you’ll need to upgrade to meet the above criteria. If you employ non-Microsoft DNS servers you will probably be risking death by horrid means if you suggest replacing them to the DNS admin. Microsoft’s suggestion is to deploy its DNS server as a secondary sever that is primarily serving the Windows 2000 network (but this is not a question you will likely be required to answer).


VI

Chapter 4: Summary

This chapter covered the placements of the various servers and the services and roles they play. The common consideration is to ensure that users can quickly logon and gain access to their services. If the enterpriser is complex, widely distributed and has a substantial network in place that is hard to change deploy catalog servers and domain controllers as close to the users as possible. Avoid forcing clients to resolve logon services or authenticate across WAN links.


VII

Chapter 4: Post Assessment Case 15: MyTeapots

You are a Network Consultant with specialized skills in designing Win2000 directory services. You are recently requested by MyTeapots to design the Active Directory for the entire company.

Background Since 1970 MyTeapots has been offering products of slate, natural rock, and exquisite crystal water fountains. As a mail order house located in Texas, MyTeapots has its warehouse located in San Jose to serve the customers in the Bay Area. Another office will be opened in New York shortly. Products The major product lines available: • • • • •

Yixing Teapots Chinese Jade Teapots Taiwanese Teapots Japanese Tetsubin Tea Accessories

In addition, MyTeapots offers fresh handpicked, full leaf teas. The line of unblended and blended full-leaf varieties include: • • • • • • • •

China Green Teas Japan Green Teas Indian Green Teas Vietnamese Green Teas White Teas Jasmine Teas Oolong Teas Black Teas


Departmental Structure There are 5 departments in the company. The TEA department handles the sales of Tealeaf. The TEAPOT department handles the sales of teapots. The ACCESSORIES department handles the sales of Tea accessories. The WAREHOUSE department handles the inventory. The ADMIN department handles the in house administration. The management of the company has decided to upgrade to W2K and deploys a single domain model for the AD. There will be 2 sites in the AD, one in Texas and the other one in San Jose. The 2 sites will be connected with a 64KBPS links.


Case 15 Questions 1. You need to configure the RUN command settings for all users in MyTeapots’s network. What do you use for this type of configuration? A. Deploy Computer Configuration settings B. Deploy Network Configuration settings C. Deploy Group Configuration settings D. Modify the logon script

2. You need to configure the Start menu and taskbar settings for all users in MyTeapots’s network. What do you use for this type of configuration? A. Deploy Administrative template B. Deploy Network Configuration settings C. Deploy Metadata template D. Modify the logon script

3. You need to configure an application for all users in MyTeapots’s network so that the application will be available next time the users log on. What do you use for this type of configuration? A. Assign the application B. Publish the application C. Pinpoint the application D. Modify the logon script


4. What problem will you foresee in MyTeapots’s site design? A. Connection between the sites may be too slow B. Connection between the sites may be too fast C. Connection between the sites is ok D. The link is too expensive

5. The president of MyTeapots has a new desktop computer in his office. He wants to associate his computer with multiple sites. Is this possible? A. Yes B. Yes, if he has multiple NICs C. No D.

6. You have configured couple site links for MyTeapots’s head office in Texas. One link has a cost of 50, while another one has a cost of 100. Which link will be preferred for making connections? A. The link with a cost of 50 B. The link with a cost of 100 C. Either one D. Decided randomly E. Deployed on a round robin fashion


7. What protocol will you deploy for replication across site links in MyTeapots’s AD, given the fact that the WAN connection is not too reliable? A. IP B. SMTP C. SNMP D. Both IP and SMTP E. Both IP and SNMP

8. You need to install an application into MyTeapots’s AD. This application will need to add object classes and attributes into the directory schema. What role do you need to have in order to carry out the installation? A. You must be a member of the Schema Admin group B. You must be a member of the Object Admin group C. You must be a member of the Schema Manager group D. You must be a member of the Schema Creator group

9. You want to modify MyTeapot’s AD schema programmatically. What do you need for this purpose? A. ADSI B. ADSL C. ADO D. XDO


10 You will be running only W2K servers on MyTeapots’s AD. Which of the following is recommended regarding the implementation of the AD? A. You should have W2K running in Active mode B. You should have W2K running in Native mode C. You should have W2K running in Mixed mode D. You should have W2K running in Combined mode

Notes:

Appendix A 133

Appendix A: Chapter 1: Post Assessment Answers Case Study1: Rocky Mountain School of Music You are a Network Consultant with specialized skills in designing Win2000 directory services. You are recently requested by the Rocky Mountain School of Music to design the Active Directory for the entire school.

School Mission The mission of the Rocky Mountain School of Music is to advance the art of music and its related disciplines. It seeks to educate students in the various fields of the profession and to promote an understanding of music. The School endeavors to preserve diverse repertories and cultural traditions while also creating opportunities for artistic, intellectual, and scholarly innovation in the realm of music. The School is dedicated to excellence in research, performance, composition, and teacher education, undertaken in a spirit of collaboration among its own constituents.

School Background The Rocky Mountain School of Music is consistently ranked among the strongest professional music schools in Canada. It attracts outstanding students and faculty in composition-theory, music education, musicology, and performance. The school is large enough to provide a wide variety of experience for students seeking degrees in music. At the same time, the atmosphere of a smaller school prevails with emphasis on individualized instruction in performance, comparatively small classes, and a faculty and staff that cares about its students. As a significant cultural resource, the School of Music serves the musical needs of the community, the region, the state, and the nation, and its influence is felt on an international level as well.

134 Appendix A: 70-219 Certification

One measure of a university's quality is the success of its graduates. Among the more than 10,000 alumni of the School of Music are 5 Pulitzer Prize winners in composition; members of major symphony orchestras, opera companies, jazz ensembles, and professional choral groups; and faculty members at many of the nation's most prestigious colleges and universities. Music education graduates direct some of the finest elementary and secondary music programs throughout Canada as well as in foreign countries. The school is proud of its record in assisting qualified graduates to assume leadership roles in the music profession through career counseling and professional advising.

Programs Offered The Rocky Mountain School of Music has 2 degree programs available:

Bachelor of Music Specializations available in: • • • •

Applied Music Composition-Theory Music History Open Studies

Bachelor of Music Education Specializations available in: • • •

Choral Music General Music Instrumental Music

Appendix A 135

Divisions The school currently has the following divisions:

• • • • • • • • • • • • •

Brass Composition-Theory Music Education Musicology String Woodwind Accompanying Jazz Organ Percussion Piano Piano Pedagogy Voice Divisions

Faculties The strength of the school lies in its distinguished and internationally known faculty, who are committed to teaching and at the same time maintain active performance schedules, contribute substantially to research in all areas of music. The school is justifiably proud of the excellent facilities, nationally recognized degree programs, and enjoyable campus life, but these are secondary considerations when compared to the quality education provided by the faculty for the students. The professional relationship between students and faculty is based upon mutual respect and a common interest in the quest for musical knowledge and artistry. There are nearly 100 full-time faculty members in music, which provides a student to faculty ratio of approximately 20 to 1. The wealth of experience the faculties bring to the classroom, studio, concert hall, or research facility, is supported by their continuous commitment to excellence.


Buildings and Facilities • • • • • • • • •

Currently the school has the following buildings: Rocky Band Building Computer-Assisted Music Lab Music Project Lab Experimental Music Lab Performing Arts Lab Music Library Building School of Piano Building Jeff Memorial Hall

IT Infrastructure There are currently 2 IT staffs in the school. The existing network is purely DOS-based with Netware 3.1 as the network OS. No special feature has been implemented. The registration office currently runs a 386PC with dBase3+ as the school registration system. The staffs generally use the old Geoworks software for designing flyers and other publications. Due to the availability of funding last year, the school managed to install a 100BaseFX network across the campus. In terms of bandwidth, the school has more than enough bandwidth for use.

Levels of Skills in IT According to the IT Supervisor of the school, their students are very positive towards the use of IT in their learning process. Some students already uses computer to do the music composition. Others have uses notebooks to take notes during lectures.

Appendix A 137

Admin Structure The school has a Board of Directors for supervising the overall operations. The school president reports directly to the board. There are 2 vice presidents sharing the workload of administering the divisions of the school, as demonstrated in Figure 1-6.

Figure 1-6 Organizational chart of the school and its Board of Directors.


Risk Management In the past the school was once in difficulties due to a problem in funding. There had been a situation where the salaries of the teachers were not distributed on time, leading to a strike and a delay in the class progresses. Although this situation is not likely to happen again, the management insists on carry out a risk management process. It has been suggested that Microsoft’s Risk Management process is the ideal methodology to use.

Future Vision The school plans to open a branch in Austin, Texas. The management is willing to pay for a high speed 128K dedicated connections between the main campus and the new location. This new location will mainly be used to teach Music History and Music Appreciation.

The school will also open up a branch in London. This new location will use dial up modem to connect to the main office. This new location will mainly be a marketing office to promote the school’s “Student Exchange” program.

Appendix A 139

Case 1: Questions: 1. What type of business model does the school have? A. Hierarchical B. MFlat C. MTree D. No model Ans: A Explanation: This is a pyramidal command structure cascading from the top down to the base.

2. As part of your initial work of analyzing the business model, you are looking at how many servers are in the sites of the school as well as what OS and applications are running. What kind of structure are you trying to analyze? A. Organizational B. MDemographical C. MGeographical D. IT Ans: D Explanation: You are inspecting the IT infrastructure of the school.


3. The staffs in the school frequently have to rotate their duties and work in different divisions. You need to build the AD structure so that the directory can reflect the organization structure of the school and at the same time making administration as easy as possible. Which of the following will you prefer? A. Deploy OUs for the different divisions B. MDeploy multi domains for the different divisions C. MDeploy Win2K for the different divisions D. Deploy Multiple Master domain for the different divisions Ans: A Explanation: It is much easier for you to move user objects between OUs then to move user objects between domains. In this case OU is the ideal structure.

4. Which of the following activities are parts of the risk management process’s risk identification phrase (Choose all that apply)? A. Identifying the source of risk B. MDetermining the risk condition C. MIdentifying the possible consequence D. Analyzing risk impact Ans: A B C Explanation: Analyzing risk impact is part of the Risk Analysis phrase.

Appendix A 141

5. Which of the following activities are parts of the risk management process’s risk analysis phrase (Choose all that apply)? A. Identifying the source of risk B. MDetermining the risk condition C. MAnalyzing risk exposure D. Analyzing risk probability E. Analyzing risk impact Ans: C D E Explanation: Choice A B and C are parts of the Risk Identification phrase.

6. You are studying the previous case of the school regarding the incident that the teachers went on strike. You tried to learn from the case to determine that, if, the same thing happen again, what the impact will be towards your project schedule. What type of analysis is this? A. Risk Probability B. MRisk Impact C. MRisk Exposure D. Risk Projection E. Risk Management Ans: B Explanation: This is an evaluation of a consequence should it become real.


7. You are evaluating the risks involved in upgrading the school network to Win2K. You come up with a risk probability of 0%. What dos this mean? A. There is no risk at all B. MThere is a high risk C. MThere is already an actual problem D. Not enough information to determine the risk level Ans: A Explanation: When you have 100%, that means this is not even a risk. The problem is already here.

8. You are to carry out a Risk Action Planning for the school. What are valid key areas to address (Choose all that apply)? A. Research B. MAcceptance C. MManagement D. Avoidance Ans: A B C D Explanation: These are the 4 areas of Risk Action Planning that must be addressed according to MS.

Appendix A 143

9. You are to carry out a Risk Analysis for the school. How do you determine the school’s risk exposure? A. Risk probability X Risk impact B. MRisk probability X Risk ratio C. MRisk Ratio X Risk impact D. Risk Consequence X Risk impact Ans: A Explanation: Risk exposure basically factors risk impact and risk probability together. Map to the Objective Identifying Tolerance for Risk.

10. You need to determine the baseline of upgrading the school network. Which of the following are valid metrics to use? A. Comparison with other schools B. MUS Accounting standard on the assets cost C. MTrue cost of assets D. Industry appointed index E. Industry average Ans: E Explanation: The cost of the school’s assets should be compared to the industry average in order to compare the TCO figures. Map to the objective Identifying Cost of operations.


11. You need to determine the unbudgeted cost used for calculating the TCO. Which one is a valid unbudgeted cost? A. Hardware B. MSoftware C. MDowntime D. Training E. Management Ans: C Explanation: Downtime is an unbudgeted cost of lost productivity and lost revenue. Map to the objective Identifying Cost of operations.

12. You need to determine the budgeted cost used for calculating the TCO. What are the valid budgeted costs? A. Hardware B. MUser C. MDowntime D. Management Ans: A D Explanation: Management cost includes management compensation and salary. Map to the objective Identifying Cost of operations.

Appendix A 145

13. Regarding the school’s expansion plan into Texas, what additional element will you include in calculating the TCO related to the IT project of the school? A. Cost of dedicated line B. MCost of routers C. MCost of financing D. Additional cost of management time to supervise the new location Ans: A B Explanation: Choices “Cost of financing” and “Additional cost of management time to supervise the new location” have nothing to do with the IT project. They are more suitable to be associated with the overall operating cost of the school. Map to the objective Identifying Cost of operations.

14. You are worrying that the help desk support cost can be sky high once everyone in the school is equipped with the latest software and application. Which of the following can be used to reduce the support cost (Choose all that apply)? A. Use a single OS throughout the school B. MUse a single application throughout the school C. MRestrict users from changing their desktops D. Disallow resource sharing in the network Ans: A C Explanation: Choice B does not make sense, as it is not possible for the entire school to run only a single application. Choice D does not make sense as the primary function of a network is resource sharing. Map to the objective Identifying Cost of operations.


15. You need to plan for reducing the cost of software distribution in the school. At the same time you want to give the users flexibility to de-install some software. How should you do this? A. Push the applications B. MShare the applications C. MPublish the applications D. Mirror the applications Ans: C Explanation: A published application can be removed by using Control Panel -> Add/Remove Programs. Map to the objective Identifying Cost of operations.

16. The management of the school confirms that the London office will be operational in 3 months time. They will ship a fully configured W2K server to that location, since there will be no IT staff in there at all. What is the legal concern in this case? A. Sales tax B. MTransport tariff C. MEncryption D. CPU Speed Ans: C Explanation: 128 bit strong encryption can only be used in US and Canada. You must ensure that the W2K server being shipped is configured with the default standard encryption. Map to the objective Identifying Relevant Laws and Regulations.

Appendix A 147

17. According to your knowledge, which of the following encryption standards can be used in the London office (Choose all that apply)? A. MPPE Standard B. MMPPE Strong C. MIPSec Des D. IPSec 3Des Ans: A C Explanation: Both MPPE standard and IPSec Des 56bit can be exported. Map to the objective Identifying Relevant Laws and Regulations.

18. According to your knowledge, which of the following encryption standards can be used in the school’s US main campus (Choose all that apply)? A. MPPE Standard B. MMPPE Strong C. MIPSec Des D. IPSec 3Des Ans: A B C D Explanation: Both MPPE standard and IPSec Des 56bit can be exported. This does not mean that they cannot be used in the US. Map to the objective Identifying Relevant Laws and Regulations.


19. You are asked to give advice on which browser to use in the London office. The school’s web site will be redesigned to include new features like DHTML, Javascript and ASP. You want to give them maximum performance, and at the same time to be sure that the browser they use will not consume too much of the computer resources, as the London office will only use Celeron 600mhz PCs together with 128M RAM as clients. Which browser will you suggest? A. IE 2.01 B. MIE 3.0 C. MIE 5 128bit D. IE 5 Standard Ans: D Explanation: To take full advantage of the new web site you need IE 5. However, IE 5 128bit does not mean 128 bit performance… it means 128bit encryption, which should not be used outside of the US and Canada! Map to the objective Identifying Relevant Laws and Regulations.

Appendix A 149

20. According to your knowledge, which of the following encryption standards can be used for maximum protection on the connection between the school’s US main campus and it’s potential Texas location (Choose all that apply)? A. MPPE Standard B. MMPPE Strong C. MIPSec Des D. IPSec 3Des Ans: B D Explanation: MPPE Strong security uses 128 bit encryption. IPSec 3Des deploys 2 sets of 56 bit keys and is considered to be a very strong encryption standard as well.

Notes:


Chapter 2: Post Assessment Answers Case 4: Joe’s Canoe Company You are a Network Consultant with specialized skills in designing Win2000 directory services. You are recently requested by Joe’s Canoe Company to design the Active Directory for the entire company.

Background Joe’s Canoe Company is a company that produces canoes of different kinds. Most of its customers are in the Vancouver area. Since 1950 Joe has been designing and manufacturing Cedar Canvas Canoes. Through the years, as materials advanced, Joe began building Fiberglass, Kevlar and high tech Carbon Fiber Canoes. Joe's Master builders have 5 decades of canoe design and building experience, in all types, from the classic Cedar strip to the family cottage canoe & the most advanced Carbon Fiber high performance canoes. According to the CEO, staffs in the company are on average at the age of 50 and above. Somehow they are a bit resistant to new technologies. Currently they are running on a Win NT network. Per your interview with the marketing manager, there is an increase in the demand for canoes in California. A local canoe manufacturer has approached the company from San Jose about a possible merger between the two companies. Your understanding on this is that, in the next one or two years, these two companies will still market their canoes separately under different brand names. However, the management will definitely want to see some sort of synergy in between. Last month a new representative office was opened in Kansas City, as the company can receive tax deduction from the city government.

Appendix A 151

Structure So far there is only one office location for Joe’s Canoe. There are 3 different departments: Marketing, Accounting, and Production. Each department has its own management team. The team leaders need to report to the CEO directly. Currently there are about 500 staffs. Of this amount, 60% of them will need to use computers in their daily operations.

Dealer Locations The CEO’s successor, James, has its roots as an IT consultant. He knows the importance of IT deployment. He likes to have all its dealers placing orders online to save processing costs. He recently built a VPN among the company and all its dealers. As of today, there are 6 dealers selling canoes for the company:

• • • • • •

Algonquin Bound - Madawaska Frontenac Outfitters - Sydenham Gordon Bay Marine - Mactier Muskoka Store - Gravenhurst Adventure Guide - Kitchener-Waterloo Boundary Bay Watersports - Whiterock, BC

James is a MCP on NT 4.0. He likes to use Microsoft products. He wants you to implement a network design using Win2000 and active directory. There was a NT4 network implemented for the company. It consists of two domains containing accounts and resources. In addition, there are some other resource only domains that trust these two domains. James is not happy with the fact that trust relationships are so complicated to setup. He also dislikes the fact that scalability is limited with SAM.


Case 4: Questions 1. What domain model does the current NT4 network use? A. Single B. Single Master C. Multi master D. Complete Trust Ans: C Explanation: In a multi-master model, the account domains have to trust each other. In addition, the resource domains have one way trust on the account domains. Map to the objective Analyzing Existing Windows NT Environment.

2. What service does NT4 deploy for communicating on a TCP/IP network using NETBIOS names? A. DNS B. DHCP C. MRAS D. WINS Ans: D Explanation: With WINS Netbios names are mapped to IP addresses. Without WINS you will need to use broadcast for Netbios communication. Map to the objective Analyzing Existing Windows NT Environment.

Appendix A 153

3. What does NT4 deploy for communicating on a TCP/IP network using NETBIOS names when WINS is down? A. DNS B. DHCP C. MHOSTS file D. LMHOSTS file Ans: D Explanation: With WINS Netbios names are mapped to IP addresses. Without WINS you can use a simple test file called LMHOSTS and enter all the entries manually into the file. This file needs to be placed on every client’s PC. Map to the objective Analyzing Existing Windows NT Environment.

4. What is the tool used to configure the password policy across the NT4 domains? A. User Manager B. User Manager for domains C. MServer Manager D. Trust Manager Ans: B Explanation: On the NT4 domain controllers you configure the password policy via User Manager for Domains. Map to the objective Analyzing Existing Windows NT Environment.


5. In the NT 4 network couple special applications have been installed on the servers that require registry modifications. When you perform the upgrade what should you first need to consider? A. Remove those applications B. Manually modify the registry C. MIncrease the memory D. Upgrade the CPU Ans: A Explanation: Applications that work for NT4 may not work for W2K. For safety reason you may want to remove the applications and check to see if they have updated versions for W2K. Map to the objective Analyzing Existing Windows NT Environment.

6. Before you upgrade the servers to W2K, what action will you need to take to guarantee a smooth upgrade process? A. Check the HCL B. Inspect the power supply C. MDefrag the hard drive D. Format the hard drive Ans: A Explanation: You want to check the Hardware Compatibility List to make sure that the hardware is supported in W2K. Or you may want to obtain all the necessary drivers from the vendors. Map to the objective Analyzing Existing Windows NT Environment.

Appendix A 155

7. What tool can you use to check and find out if the old applications can be run in W2K? A. User Manger for Domain B. W2K HCL Checker C. MW2K KCC D. W2K Readiness Analyzer Ans: D Explanation: You may start this application by using the winnt32.exe together with the appropriate option. Map to the objective Analyzing existing applications.

8. You plan to use the Windows2000 Readiness Analyzer to check for application compatibility problems. How do you start this utility? A. Use the W2K resource kit B. Run Winnt.exe with /Check C. MRun Winnt32.exe with /checkup D. Run winnt32.exe with /checkupgradeonly Ans: D Explanation: You use this utility to check and find out if the old applications can be run in W2K. Map to the objective Analyzing existing applications.


9. You found that there is a very important server side application that handles Joe’s Canoe CRM functions. This application does not run in W2K. In fact, the vendor was out of business. What can you do (Choose all that apply)? A. Look for a new application B. Keep a NT4 server to run this application C. MTransfer the data to the new application D. Apply service packs to the application Ans: A C Explanation: Since this software will not have any support any longer, you better off replace this with something new. Map to the objective Analyzing existing applications.

10. You found some old NT3.50 server in Joe’s Canoe ‘s headquarter. These servers have 266mhz processors and plenty of RAM. You want to upgrade them to W2K. What steps are needed for a smooth upgrade (Choose all that apply)? A. Upgrade them to NT 3.51 or 4.0 first B. Check the HCL C. MRun memory parity checks D. Scan the hard disk for bad sectors Ans: A B Explanation: Only NT3.51 or 4.0 can be upgraded to W2K directly. Map to the objective Analyzing Existing and Planned Upgrades and Rollouts.

Appendix A 157

11. You found an important application that needs to be upgraded. According to the documentation the same upgrade is compatible with NT4 and W2K. When should you upgrade this application? A. Before upgrading the server to W2K B. After upgrading the server to W2K C. MNo need to upgrade at all D. During the server upgrade Ans: A Explanation: Since the same upgrade can work for NT4 and W2K, of course you should upgrade the application first before upgrading the OS. This could prevent some miscellaneous upgrade problems caused by software incompatibility. Map to the objective Analyzing Existing and Planned Upgrades and Rollouts.

12. You want to have a fallback plan in case the upgrade fails. Which step will you take as part of your fallback plan? A. Take a BDC offline B. Run scandisk before the upgrade C. MCheck HCL before upgrade D. Check all the network cables E. Run Winnt32 with /checkupgradeonly Ans: A Explanation: You should force a replication across all the NT4 domain controllers, and then take the BDC offline. In case the PDC fails the upgrade you can promote this BDC to a PDC and restore the NT4 network. Map to the objective Analyzing Existing and Planned Upgrades and Rollouts.


13. You want to find out the capacity of the WAN links between the company and the new location in Kansas City. What is the measure you need to find out? A. Bandwidth B. Speed C. MRate D. Throughput Ans: D Explanation: Throughput = network capacity – overhead. Map to the objective Assessing Available Connectivity.

14. What tool can you deploy to find out the latency between the head office and the new location in Kansas City? A. Ping B. NetDiag C. MNetStat D. Tracert Ans: A Explanation: Latency = how long it takes for a packet to travel from one point to another. Map to the objective Assessing Available Connectivity.

Appendix A 159

15. What tool in W2K combines the functionality of Ping and Tracert? A. Pingrt B. Routeping C. MNBTStat D. Netstat E. Pingpath Ans: E Explanation: With Pingpath you can check latency as well as route path information. Map to the objective Assessing Available Connectivity.

Notes:


Chapter 3: Post Assessment Answers Case 8: ProX Auditing Group You are a Network Consultant with specialized skills in designing Win2000 directory services. You are recently requested by ProX Auditing Group to design the Active Directory for the entire company.

Background ProX Auditing Group (Figure 3-3) uses a logical sequence of steps to perform audits in the most efficient, effective, and timely manner possible. Its audits comply with the highest professional standards and lend credibility to client company's financial statements. Its experts can assist the clients in improving internal controls and operating efficiency, as well as recommend enhancements to make Client Company more profitable.

ProX offers the following audit services: ProX Austin

• • • •

General financial audits Review of agreed-upon procedures Analysis of internal and operating controls Review of computer systems for proper operation and control procedures

ProX Kansas

• • • • •

Due diligence audits for mergers and acquisitions Federal single audit compliance Compliance with GAO "Yellow Book" requirements Compliance with grant requirements Compliance with loan covenants/regulatory requirements

Appendix A 161

Client Sectors: 1. Agriculture 2. Auto Dealers and Auto Repair 3. Beverages 4. Construction and Logging 5. Financial Institutions and Trusts 6. Governmental 7. Health Care Professionals 8. Lodging and Food Service 9. Insurance Services 10. Manufacturing 11. Non-Profit Organizations 12. Professional Service Firms 13. Real Estate 14. Retail and Wholesale Businesses 15. Timber 16. Trucks and Transportation


Organization Structure

Figure 3.3 Organizational of ProX Auditing Group

The SF office is the head office. All the offices share the same set of rules and standards. The three ProX offices are interconnected with high speed T1 lines. Currently they are running on Netware 4.X. However, for file sharing, some NT servers are deployed as well. These NT servers are working together with the Netware 4.X servers on the same network. Clients are mainly Win98 based.

Appendix A 163

Case 8: Questions 1. The CEO is very nervous about the upgrade. He wants to be sure that the upgrade will be conducted smoothly. He also wants you to determine if there is any problem with the upgrade. What will you do to address this issue? A. Run a test lab network B. Run simulation software C. Check the HCL D. Run Winnt32 with /checkupgradeonly Ans: A Explanation: This test lab network should closely resemble the real network. Map to the objective to the objective Analyzing the Impact on the Existing Technical Environment.

2. How many forests will you deploy for ProX? A. 1 B. 2 C. 3 D. 4 Ans: A Explanation: Single domain is always recommended, especially when there is no need for different domain wide policy. Single domain -> single tree -> single forest. Map to the objective Understanding Active Directory Architecture.


3. How many trees will you deploy for ProX? A. 1 B. 2 C. 3 D. 4 Ans: A Explanation: Single domain is always recommended, especially when there is no need for different domain wide policy. Single domain -> single tree -> single forest. Map to the objective Understanding Active Directory Architecture.

4. How many schema masters will you deploy for ProX? A. 1 B. 2 C. 3 D. 4 Ans: A Explanation: We can only have one schema master per forest. Map to the objective Understanding Active Directory Architecture.

Appendix A 165

5. How many infrastructure masters will you deploy for ProX? A. 1 B. 2 C. 3 D. 4 Ans: A Explanation: We can only have one infrastructure master per domain. Map to the objective Understanding Active Directory Architecture.

6. What option do you have when creating sites for ProX? A. You can have multi – domains for the same sites B. You can have multidomains for multi – sites C. You can have one domain spread over multi - sites D. You can have one domain for each site in each office Ans: C Explanation: Since we will only use one domain for ProX, this will be the only valid option. All are choices are technically possible if multidomains can be deployed. Map to the objective Understanding Active Directory Architecture.


7. What protocol does the servers of ProX’s current network use? A. NWLink B. TCP/IP C. NetBEUI D. Appletalk Ans: A Explanation: It has to be NWLink because this is the only protocol that allows NT4 to talk to the Netware servers. Map to the objective Analyzing Existing Windows NT Environment.

8. What will be the valid design decisions regarding the AD name space for ProX, if the 3 offices will be of totally different domains (Choose all that apply)? A. Uses Sanfrancisco.prox.com for the head office B. Uses Austin.prox.com for Austin C. Uses Kansas.prox.com for Kansas D. Uses www.prox.com for all the offices Ans: A B C Explanation: This is only recommended when multi-domain model is to be used. Map to the objective Understanding Naming Conventions.

Appendix A 167

9. After the upgrade, you want to configure and analyze the security of the new network. What software interface can you use to do this? A. MMC B. SecureMan C. Admintools D. Netstat E. NBStat Ans: A Explanation: The corresponding snap-in must be used together with MMC to perform particular functions. Map to the objective to the objective Analyzing the Impact on the Existing Technical Environment.

10. After the upgrade, you want to configure and analyze the security of the new network. You also want to deploy security template to configure the settings for each system. What software can you use to do this? A. Security Configuration and Analysis snap in B. Security Configuration snap in C. Security Analysis snap in D. Security Template snap in E. None of the above Ans: A Explanation: You have to use this snap-in together with MMC. Map to the objective to the objective Analyzing the Impact on the Existing Technical Environment.


11. All the NT computers have been upgraded to W2K. You modified some of their local GPOs, and then found out that some of the modifications are not effective. What is the likely cause? A. Some local GPOs are affected by policies that are not local B. Some local GPOs are not compiled C. Some local GPOs are not saved with the new settings D. Some local GPOs are not associated with the systems properly Ans: A Explanation: Non-local policies may come from nonlocal GPOs in AD. These include linked computers, sites, domains and OUs. Map to the objective to the objective Analyzing the Impact on the Planned Technical Environment.

12. What tool can you use to modify group policy per the request of the CEO (Choose all that apply)? A. MMC B. Group Policy snap in C. Template snap in D. AD Computers and Services snap in E. AD Domain and Trust snap in Ans: A B Explanation: To configure group policy, you need to load the Group Policy snap in from within MMC. Map to the objective to the objective Analyzing the Technical Support Structure.

Appendix A 169

13. You want to be able to remotely access the ProX server so that traveling cost can be avoided. What components will you need to make this work (Choose all that apply)? A. Terminal Service running on a W2K Server B. Terminal Service and Terminal Service Client running on a W2K C. Server D. Terminal Service running on your computer E. Terminal Service Client running on your computer Ans: A D Explanation: This combination allows for terminal emulation in W2K. Both the server and the client must be configured properly for this to work. Map to the objective to the objective Analyzing the Technical Support Structure.

14. In the new ProX network, you want to analyze packets that are destined for all the computers on the network segments. You do not want to involve a high cost in doing this. What tool can you use? A. Network Monitor that comes with W2K B. Packet Sniffer that comes with W2K C. Proxy Server 2.0 D. Full version of SMS Ans: D Explanation: To be able to conduct network analysis from one computer, you must use the full version of System Management Server. The Network Monitor that comes with W2K is a very limited version. Map to the objective Analyzing Existing Network and System Management.


15. In the new ProX network, you want to analyze packets by putting your NICs into “promiscuous mode”. You do not want to involve a high cost in doing this. What tool can you use? A. Network Monitor that comes with W2K B. Packet Sniffer that comes with W2K C. Proxy Server 2.0 D. Full version of SMS Ans: D Explanation: To be able to conduct network analysis from one computer, you must use the full version of System Management Server. The Network Monitor that comes with W2K is a very limited version. Map to the objective Analyzing Existing Network and System Management.

Appendix A 171

Notes:


Chapter 4: Post Assessment Answers Case 15: MyTeapots You are a Network Consultant with specialized skills in designing Win2000 directory services. You are recently requested by MyTeapots to design the Active Directory for the entire company.

Background Since 1970 MyTeapots has been offering products of slate, natural rock, and exquisite crystal water fountains. As a mail order house located in Texas, MyTeapots has its warehouse located in San Jose to serve the customers in the Bay Area. Another office will be opened in New York shortly. Products The major product lines available: • • • • •

Yixing Teapots Chinese Jade Teapots Taiwanese Teapots Japanese Tetsubin Tea Accessories

In addition, MyTeapots offers fresh handpicked, full leaf teas. The line of unblended and blended full-leaf varieties include: • • • • • • • •

China Green Teas Japan Green Teas Indian Green Teas Vietnamese Green Teas White Teas Jasmine Teas Oolong Teas Black Teas

Appendix A 173

Departmental Structure There are 5 departments in the company. The TEA department handles the sales of Tealeaf. The TEAPOT department handles the sales of teapots. The ACCESSORIES department handles the sales of Tea accessories. The WAREHOUSE department handles the inventory. The ADMIN department handles the in house administration. The management of the company has decided to upgrade to W2K and deploys a single domain model for the AD. There will be 2 sites in the AD, one in Texas and the other one in San Jose. The 2 sites will be connected with a 64KBPS links.


Case 15: Questions 1. You need to configure the RUN command settings for all users in MyTeapots’s network. What do you use for this type of configuration? A. Deploy Computer Configuration settings B. Deploy Network Configuration settings C. Deploy Group Configuration settings D. Modify the logon script Ans: A Explanation: Computer Configuration settings are applied when the OS starts. You can also use it to activate the specific Kerberos policy. Map to the objective Understanding Computer Policies.

2. You need to configure the Start menu and taskbar settings for all users in MyTeapots’s network. What do you use for this type of configuration? A. Deploy Administrative template B. Deploy Network Configuration settings C. Deploy Metadata template D. Modify the logon script Ans: A Explanation: Administrative template can be used to configure registry based settings. Map to the objective Planning Policy Management for Users.

Appendix A 175

3. You need to configure an application for all users in MyTeapots’s network so that the application will be available next time the users log on. What do you use for this type of configuration? A. Assign the application B. Publish the application C. Pinpoint the application D. Modify the logon script Ans: A Explanation: This will make the applications readily available for the users. Map to the objective Planning Policy Management for Users.

4. What problem will you foresee in MyTeapots’s site design? A. Connection between the sites may be too slow B. Connection between the sites may be too fast C. Connection between the sites is ok D. The link is too expensive Ans: A Explanation: 128KBPS of available bandwidth commended by MS. Map to the objective Defining Site Boundaries.


5. The president of MyTeapots has a new desktop computer in his office. He wants to associate his computer with multiple sites. Is this possible? A. Yes B. Yes, if he has multiple NICs C. No D. Ans: C Explanation: A computer can belong to one site only. However, the multiple NICs can interact with multiple sites. Map to the objective Defining Site Boundaries.

6. You have configured couple site links for MyTeapots’s head office in Texas. One link has a cost of 50, while another one has a cost of 100. Which link will be preferred for making connections? A. The link with a cost of 50 B. The link with a cost of 100 C. Either one D. Decided randomly E. Deployed on a round robin fashion Ans: A Explanation: The one with the lowest cost always takes precedence. Map to the objective Designing a Replication Strategy.

Appendix A 177

7. What protocol will you deploy for replication across site links in MyTeapots’s AD, given the fact that the WAN connection is not too reliable? A. IP B. SMTP C. SNMP D. Both IP and SMTP E. Both IP and SNMP Ans: B Explanation: IP is recommended only if the WAN link is reliable. Otherwise, use SMTP. Map to the objective Designing a Replication Strategy.

8. You need to install an application into MyTeapots’s AD. This application will need to add object classes and attributes into the directory schema. What role do you need to have in order to carry out the installation? A. You must be a member of the Schema Admin group B. You must be a member of the Object Admin group C. You must be a member of the Schema Manager group D. You must be a member of the Schema Creator group Ans: A Explanation: Also, the application must be AD aware. Map to the objective Defining a Schema Modification Policy.


9. You want to modify MyTeapot’s AD schema programmatically. What do you need for this purpose? A. ADSI B. ADSL C. ADO D. XDO Ans: A Explanation: ADSI stands for Active Directory Services Interface. Map to the objective Defining a Schema Modification Policy.

10 You will be running only W2K servers on MyTeapots’s AD. Which of the following is recommended regarding the implementation of the AD? A. You should have W2K running in Active mode B. You should have W2K running in Native mode C. You should have W2K running in Mixed mode D. You should have W2K running in Combined mode Ans: B Explanation: If you do not have any NT4 servers in the network, by all means switch to native mode to maximize the benefits that can be produced by AD. Map to the objective Designing an Active Directory Implementation Plan.

Notes:

Glossary 181

Glossary A AC-3 The coding system used by Dolby Digital is a standard for high quality digital audio that is used for the sound portion of video stored in digital format. Accelerated Graphics Port (AGP) A type of expansion slot that is used solely for video cards. Designed by Intel and supported by Windows 2000, AGP is a dedicated bus that provides fast, high-quality video and graphics performance. Access control entry (ACE) An entry in an access control list (ACL) containing the security ID (SID) for a user or group and an access mask that specifies which operations by the user or group are allowed, denied, or audited. Access control list (ACL) ACL is a list of security protections that apply to an entire object, a set of the object’s properties, or an individual property of an object. There are two types of access control lists: discretionary and system. Access mask A 32-bit value that specifies the rights that are allowed or denied in an access control entry (ACE) of an access control list (ACL). An access mask is also used to request access rights when an object is opened. Access token A data structure containing security information that identifies a user to the security subsystem on a computer running Windows 2000 or Windows NT. An access token contains a user’s security ID, the security IDs for groups that the user belongs to, and a list of the user’s privileges on the local computer.

182 Glossary: 70-219 Certification

Accessibility The quality of a system incorporating hardware or software to engage a flexible, customizable user interface, alternative input and output methods, and greater exposure of screen elements to make the computer usable by people with cognitive, hearing, physical, or visual disabilities. Accessibility status indicators Icons on the system status area of the taskbar of the Windows desktop that let the user know which accessibility features are activated. Accessibility Wizard An interactive tool that makes it easier to set up commonly used accessibility features by specifying options by type of disability, rather than by numeric value changes. Active Accessibility A core component in the Windows operating system that is built on COM and defines how applications can exchange information about user interface elements. Active Directory The directory service included with Windows 2000 Server. It stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive hierarchical view of the network and a single point of administration for all network objects. ActiveX A set of technologies that enable software components to interact with one another in a networked environment, regardless of the language in which the components were created. Administrator Most often used for term System Administrator.

Glossary 183

Advanced Configuration and Power Interface (ACPI) An open industry specification that defines power management on a wide range of mobile, desktop, servers and peripherals. ACPI is the foundation for the OnNow industry initiative that allows system manufacturers to deliver PCs that will start at the touch of a keyboard. The ACPI design is essential to take full advantage of power management and Plug and Play in Windows 2000. Check the manufacturer’s documentation to verify that your computer is ACPI-compliant. Advanced Power Management (APM) A software interface (designed by Microsoft and Intel) between hardwarespecific power management software (such as that located in a system BIOS) and an operating system power management driver. Advertisement In Windows 2000, the Software Installation snap-in generates an application advertisement script and stores this script in the appropriate locations in Active Directory and the Group Policy object. Allocation unit In file systems an allocation unit is the smallest amount of disk space that can be allocated to hold a file. All file systems used by Windows 2000 organize hard disks based on allocation units. The smaller the allocation unit size, the more efficiently a disk stores information. If no allocation unit size is specified during formatting, Windows 2000 chooses default sizes based on the size of the volume and the file system used. These defaults are selected to reduce the amount of space lost and the amount of fragmentation on the volume. Also called cluster. American Standard Code for Information Interchange (ASCII) A standard single byte character-encoding scheme used for text-based data. ASCII uses designated 7-bit or 8-bit number combinations to represent either 128 or 256 possible characters. Standard ASCII uses 7 bits to represent all uppercase and lowercase letters, the numbers 0 through 9, punctuation marks, and special control characters used in U.S. English. Most current x86 systems support the use of extended (or “high”) ASCII. Extended ASCII allows the eighth bit of each character to identify an additional 128 special symbol characters, foreign-language letters, and graphic symbols.


Answer file A text file that you can use to provide automated input for unattended installation of Windows 2000. This input includes parameters to answer the questions required by Setup for specific installations. In some cases, you can use this text file to provide input to wizards, such as the Active Directory Installation wizard, which is used to add Active Directory to Windows 2000 Server through Setup. The default answer file for Setup is known as Unattend.txt. Application media pool A data repository that determines which media can be accessed by which applications and that sets the policies for that media. There can be any number of application media pools in a Removable Storage system. Applications create application media pools. Application programming interface (API) A set of routines that an application uses to request and carry out lower-level services performed by a computer’s operating system. These routines usually carry out maintenance tasks such as managing files and displaying information. Assistive technology System extensions, programs, devices, and utilities added to a computer to make it more accessible to users with disabilities. Asynchronous communication A form of data transmission in which information is sent and received at irregular intervals, one character at a time. Because data is received at irregular intervals, the receiving modem must be signaled to inform it when the data bits of a character begin and end. This is done by means of start and stop bits. Asynchronous Transfer Mode (ATM) A high-speed connection-oriented protocol used to transport many different types of network traffic.

Glossary 185

Attribute (object) In Active Directory, an attribute describes characteristics of an object and the type of information an object can hold. For each object class, the schema defines what attributes an instance of the class must have and what additional attributes it might have. Auditing To track the activities of users by recording selected types of events in the security log of a server or a workstation. Authentication A basic security function of cryptography. Authentication verifies the identity of the entities that communicate over the network. For example, the process that verifies the identity of a user who logs on to a computer either locally, at a computer’s keyboard, or remotely, through a network connection. Authentication Header (AH) A header that provides integrity, authentication, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet). Authoritative In the Domain Name System (DNS), the use of zones by DNS servers to register and resolve a DNS domain name. When a DNS server is configured to host a zone, it is authoritative for names within that zone. DNS servers are granted authority based on information stored in the zone. Automated installation An unattended setup using one or more of several methods such as Remote Installation Services, bootable CD, and Sysprep. Automatic caching A method of automatically storing network files on a user’s hard disk drive whenever a file is open so the files can be accessed when the user is not connected to the network.


Automatic Private IP Addressing (APIPA) A feature of Windows 2000 TCP/IP that automatically configures a unique IP address from the range 169.254.0.1 to 169.254.255.254 and a subnet mask of 255.255.0.0 when the TCP/IP protocol is configured for dynamic addressing and a Dynamic Host Configuration Protocol (DHCP) Server is not available. Available state A state in which media can be allocated for use by applications. Averaging counter A type of counter that measures a value over time and displays the average of the last two measurements over some other factor (for example, PhysicalDisk\Avg. Disk Bytes/Transfer).

Glossary 187

B Backup A duplicate copy of a program, a disk, or data, made either for archiving purposes or for safeguarding valuable files from loss should the active copy be damaged or destroyed. Some application programs automatically make backup copies of data files, maintaining both the current version and the preceding version. Backup operator A type of local or global group that contains the user rights needed to back up and restore files and folders. Members of the Backup Operators group can back up and restore files and folders regardless of ownership, access permissions, encryption, or auditing settings. Backup types A type that determines which data is backed up and how it is backed up. There are five backup types: copy, daily, differential, incremental, and normal. Bad block A disk sector that can no longer be used for data storage, usually due to media damage or imperfections. Bandwidth In analog communications, the difference between the highest and lowest frequencies in a given range. For example, a telephone line accommodates a bandwidth of 3,000 Hz, the difference between the lowest (300 Hz) and highest (3,300 Hz) frequencies it can carry. In digital communications, the rate at which information is sent expressed in bits per second (bps). Barcode A machine-readable label that identifies an object, such as physical media. Base file record The first file record in the master file table (MFT) for a file that has multiple file records. The base file record is the record to which the file’s file reference corresponds.


Baseline A range of measurements derived from performance monitoring that represents acceptable performance under typical operating conditions. Basic disk A physical disk that contains primary partitions or extended partitions with logical drives used by Windows 2000 and all versions of Windows NT. Basic disks can also contain volume, striped, mirror, or RAID-5 sets that were created using Windows NT 4.0 or earlier. As long as a compatible file format is used, MS-DOS, Windows 95, Windows 98, and all versions of Windows NT can access basic disks. Basic input/output system (BIOS) The set of essential software routines that tests hardware at startup, assists with starting the operating system, and supports the transfer of data among hardware devices. The BIOS is stored in read-only memory (ROM) so that it can be executed when the computer is turned on. Although critical to performance, the BIOS is usually invisible to computer users. Basic volume A volume on a basic disk. Basic volumes include primary partitions, logical drives within extended partitions, as well as volume, striped, mirror, or RAID-5 sets that were created using Windows NT 4.0 or earlier. Only basic disks can contain basic volumes. Basic and dynamic volumes cannot exist on the same disk. Batch program An ASCII (unformatted text) file containing one or more Windows NT or Windows 2000 commands. A batch program’s filename has a .BAT extension. When you type the filename at the command prompt, the commands are processed sequentially. “Script” is often used interchangeably with “batch program” in the Windows NT and Windows 2000 environment. Bidirectional communication Communication that occurs in two directions simultaneously. Bidirectional communication is useful in printing where jobs can be sent and printer status can be returned at the same time.

Glossary 189

Binding A process by which software components and layers are linked together. When a network component is installed, the binding relationships and dependencies for the components are established. Binding allows components to communicate with each other. Binding order The sequence in which software components, network protocols and network adapters are linked together. When a network component is installed, the binding relationships and dependencies for the components are established. BIOS parameter block (BPB) A series of fields containing data on disk size, geometry variables, and the physical parameters of the volume. The BPB is located within the boot sector. Boot sector A critical disk structure for starting your computer, located at sector 1 of each volume or floppy disk. It contains executable code and data that is required by the code, including information used by the file system to access the volume. The boot sector is created when you format the volume. Bootable CD An automated installation method that runs Setup from a CD-ROM. This method is useful for computers at remote sites with slow links and no local IT department. Bottleneck A condition, usually involving a hardware resource, which causes the entire system to perform poorly. BounceKeys A keyboard filter that assists users whose fingers bounce on the keys when pressing or releasing them. Bound trap In programming, a problem in which a set of conditions exceeds a permitted range of values that causes the microprocessor to stop what it is doing and handle the situation in a separate routine.


Browsing The process of creating and maintaining an up-to-date list of computers and resources on a network or part of a network by one or more designated computers running the Computer Browser service. Bulk encryption A process in which large amounts of data, such as files, e-mail messages, or online communications sessions, are encrypted for confidentiality. It is usually done with a symmetric key algorithm.

Glossary 191

C Cable modem A modem that provides broadband Internet access in the range of 10 to 30 Mbps. Cache For DNS and WINS, a local information store of resource records for recently resolved names of remote hosts. Typically, the cache is built dynamically as the computer queries and resolves names; it helps optimize the time required to resolve queried names. Cache file A file used by the Domain Name System (DNS) server to preload its names cache when service is started. Also known as the “root hints” file because resource records stored in this file are used by the DNS service to help locate root servers that provide referral to authoritative servers for remote names. For Windows DNS servers, the cache file is named Cache.dns and is located in the %SystemRoot%\System32\Dns folder. Caching The process of storing recently-used data values in a special pool in memory where they are temporarily held for quicker subsequent accesses. For DNS, the ability of DNS servers to store information about the domain namespace learned during the processing and resolution of name queries. In Windows 2000, caching is also available through the DNS client service (resolver) as a way for DNS clients to keep a cache of name information learned during recent queries. Callback number The number that a RAS server uses to call back a user. This number can be preset by the administrator or specified by the user at the time of each call, depending on how the administrator configures the user’s callback status. The callback number should be the number of the phone line to which the user’s modem is connected.


Caching resolver For Windows 2000, a client-side Domain Name System (DNS) name resolution service that performs caching of recently learned DNS domain name information. The caching resolver service provides system-wide access to DNS-aware programs for resource records obtained from DNS servers during the processing of name queries. Data placed in the cache is used for a limited period of time and aged according to the active Time To Live (TTL) value. You can set the TTL either individually for each resource record (RR) or default to the minimum TTL set in the start of authority RR for the zone. CardBus A 32-bit PC Card. Cartridge A unit of media of a certain type, such as 8mm tape, magnetic disk, optical disk, or CD-ROM, used by Removable Storage. Central Processing Unit (CPU) The part of a computer that has the ability to retrieve, interpret, and execute instructions and to transfer information to and from other resources over the computer’s main data-transfer path, the bus. By definition, the CPU is the chip that functions as the “brain” of a computer. Certificate A digital document that is commonly used for authentication and secure exchange of information on open networks, such as the Internet, extranets, and intranets. A certificate securely binds a public key to the entity that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority and can be issued for a user, a computer, or a service. The most widely accepted format for certificates is defined by the ITU-T X.509 version 3 international standard. Certificate Services The Windows 2000 service that issues certificates for a particular CA. It provides customizable services for issuing and managing certificates for the enterprise.

Glossary 193

Certification authority (CA) An entity responsible for establishing and vouching for the authenticity of public keys belonging to users (end entities) or other certification authorities. Activities of a certification authority can include binding public keys to distinguished names through signed certificates, managing certificate serial numbers, and certificate revocation. Certified-for-Windows Logo A specification that addresses the requirements of computer users with disabilities to ensure quality and consistency in assistive devices. Challenge Handshake Authentication Protocol (CHAP) A challenge-response authentication protocol for PPP connections documented in RFC 1994 that uses the industry-standard Message Digest 5 (MD5) one-way encryption scheme to hash the response to a challenge issued by the remote access server. Change journal A feature new to Windows 2000 that tracks changes to NTFS volumes, including additions, deletions, and modifications. The change journal exists on the volume as a sparse file. Changer The robotic element of an online library unit. Child object An object that is the immediate subordinate of another object in a hierarchy. A child object can have only one immediate superior, or parent, object. In Active Directory, the schema determines what classes of objects can be child objects of what other classes of objects. Depending on its class, a child object can also be the parent of other objects. CIM (COM Information Model) Object Manager (CIMOM) A system service that handles interaction between network management applications and providers of local or remote data or system events. Ciphertext Text that has been encrypted using an encryption key. Ciphertext is meaningless to anyone who does not have the decryption key.


Client Any computer or program connecting to, or requesting services of, another computer or program. Cluster A group of independent computer systems known as nodes or hosts, that work together as a single system to ensure that mission-critical applications and resources remain available to clients. A server cluster is the type of cluster that the Cluster service implements. Network Load Balancing provides a software solution for clustering multiple computers running Windows 2000 Server that provides networked services over the Internet and private intranets. In file systems a cluster is the smallest amount of disk space that can be allocated to hold a file. All file systems used by Windows 2000 organize hard disks based on clusters. The smaller the cluster size, the more efficiently a disk stores information. If no cluster size is specified during formatting, Windows 2000 chooses default sizes based on the size of the volume and the file system used. These defaults are selected to reduce the amount of space lost and the amount of fragmentation on the volume. Also called allocation units. Cluster remapping A recovery technique used when Windows 2000 returns a bad sector error to NTFS. NTFS dynamically replaces the cluster containing the bad sector and allocates a new cluster for the data. If the error occurs during a read, NTFS returns a read error to the calling program, and the data is lost. If the error occurs during a write, NTFS writes the data to the new cluster, and no data is lost. Code page A page that maps character codes to individual characters. Different code pages include different special characters, typically customized for a language or a group of languages. The system uses code pages to translate keyboard input into character values for non-Unicode based applications, and to translate character values into characters for non-Unicode based output displays.

Glossary 195

COM port Short for communications port, the logical address assigned by MS-DOS (versions 3.3 and higher) and Microsoft Windows (including Windows 95, Windows 98, Windows NT and Windows 2000) to each of the four serial ports on an IBM Personal Computer or a PC compatible. COM ports are also known as the actual serial ports on a PC where peripherals, such as printers, scanners, and external modems, are plugged in. Commit a transaction To record in the log file the fact that a transaction is complete and has been recorded in the cache. Common Internet File System (CIFS) A protocol and a corresponding API used by application programs to request higher level application services. CIFS was formerly known as SMB (Server Message Block). Compact Disc File System (CDFS) A 32-bit protected-mode file system that controls access to the contents of CD-ROM drives in Windows 2000. Compact disc-recordable (CD-R) A type of CD-ROM that can be written once on a CD recorder and read on a CD-ROM drive. Compact disc-rewritable (CD-RW) A type of CD-ROM that can be written many times on a CD recorder and read on a CD-ROM drive. Complementary metal-oxide semiconductor (CMOS) The battery-packed memory that stores information, such as disk types and amount of memory, used to start the computer. Computer Browser service A service that maintains an up-to-date list of computers and provides the list to applications when requested. The Computer Browser service provides the computer lists displayed in the My Network Places, Select Computer, and Select Domain dialog boxes and (for Windows 2000 Server only) in the Server Manager window.


Component Object Model (COM) An object-based programming model designed to promote software interoperability; it allows two or more applications or components to easily cooperate with one another, even if they were written by different vendors, at different times, in different programming languages, or if they are running on different computers running different operating systems. COM is the foundation technology upon which broader technologies can be built. Object linking and embedding (OLE) technology and ActiveX are both built on top of COM. Confidentiality A basic security function of cryptography. Confidentiality provides assurance that only authorized users can read or use confidential or secret information. Without confidentiality, anyone with network access can use readily available tools to eavesdrop on network traffic and intercept valuable proprietary information. For example, an Internet Protocol security service that ensures a message is disclosed only to intended recipients by encrypting the data. Console tree The tree view pane in a Microsoft Management Console (MMC) that displays the hierarchical namespace. By default it is the left pane of the console window, but it can be hidden. The items in the console tree (for example, Web pages, folders, and controls) and their hierarchical organization determine the management capabilities of a console. Container object An object that can logically contain other objects. For example, a folder is a container object. Copy backup A backup that copies all selected files but does not mark each file as having been backed up (that is, the archive bit is not set). A copy backup is useful between normal and incremental backups because copying does not affect these other backup operations.

Glossary 197

D Daily backup A backup that copies all selected files that have been modified the day the daily backup is performed. The backed-up files are not marked as having been backed up (that is, the archive bit is not set). Data confidentiality A service provided by cryptographic technology to assure that data can be read only by authorized users or programs. In a network, data confidentiality ensures that intruders cannot read data. Windows 2000 uses access control mechanisms and encryption, such as DES, 3DES and RSA encryption algorithms, to ensure data confidentiality. Data Encryption Standard (DES) An encryption algorithm that uses a 56-bit key, and maps a 64-bit input block to a 64-bit output block. The key appears to be a 64-bit key, but one bit in each of the 8 bytes is used for odd parity, resulting in 56 bits of usable key. Data integrity A service provided by cryptographic technology that ensures data has not been modified. In a network environment, data integrity allows the receiver of a message to verify that data has not been modified in transit. Windows 2000 uses access control mechanisms and cryptography, such as RSA publickey signing and shared symmetric key one way hash algorithms, to ensure data integrity. Data Link Control (DLC) A protocol used primarily for IBM mainframe computers and printer connectivity. Data packet A unit of information transmitted as a whole from one device to another on a network. Deallocate To return media to the available state after they have been used by an application. Decommissioned state A state that indicates that media have reached their allocation maximum.


Decryption The process of making encrypted data readable again by converting ciphertext to plaintext. Default gateway A configuration item for the TCP/IP protocol that is the IP address of a directly reachable IP router. Configuring a default gateway creates a default route in the IP routing table. Defragmentation The process of rewriting parts of a file to contiguous sectors on a hard disk to increase the speed of access and retrieval. When files are updated, the computer tends to save these updates on the largest continuous space on the hard disk, which is often on a different sector than the other parts of the file. When files are thus fragmented, the computer must search the hard disk each time the file is opened to find all of the parts of the file, which slows down response time. In Active Directory, defragmentation rearranges how the data is written in the directory database file to compact it. Desktop The on-screen work area in which windows, icons, menus, and dialog boxes appear. Destination directory The directory (or folder) to which files are copied or moved. Device driver A program that allows a specific device, such as a modem, network adapter, or printer, to communicate with Windows 2000. Although a device can be installed on a system, Windows 2000 cannot use the device until the appropriate driver has been installed and configured. If a device is listed in the Hardware Compatibility List (HCL), a driver is usually included with Windows 2000. Device drivers load (for all enabled devices) when a computer is started, and thereafter run invisibly. Device Manager An administrative tool that can be used to manage the devices on your computer. Use Device Manager to view and change device properties, update device drivers, configure device settings, and remove devices. Device Tree A hierarchical tree that contains the devices configured on the computer.

Glossary 199

Differential backup A backup that copies files created or changed since the last normal or incremental backup. It does not mark files as having been backed up (that is, the archive bit is not set). If you are performing a combination of normal and differential backups, restoring files and folders requires that you have the last normal as well as the last differential backup. Digital audio tape (DAT) A magnetic medium for recording and storing digital audio data. Digital linear tape (DLT) A magnetic medium for backing up data. DLT can transfer data faster than many other types of tape media. Digital signature A means for originators of a message, file, or other digitally encoded information to bind their identity to the information. The process of digitally signing information entails transforming the information, as well as some secret information held by the sender, into a tag called a signature. Digital signatures are used in public key environments and they provide nonrepudiation and integrity services. Digital subscriber line (DSL) A special communication line that uses modulation technology to maximize the amount of data that can be sent over copper wires. DSL is used for connections from telephone switching stations to a subscriber rather than between switching stations. Direct hosting A feature that allows Windows 2000 computers using Microsoft file and print sharing to communicate over a communications protocol, such as TCP or IPX, bypassing the NetBIOS layer. Direct memory access (DMA) Memory access that does not involve the microprocessor. DMA is frequently used for data transfer directly between memory and a peripheral device, such as a disk drive.


Directory An information source that contains information about computer files or other objects. In a file system, a directory stores information about files. In a distributed computing environment (such as a Windows 2000 domain), the directory stores information about objects such as printers, applications, databases, and users. Directory service Both the directory information source and the service that make the information available and usable. A directory service enables the user to find an object given any one of its attributes. Disable To make a device nonfunctional. For example, if a device in a hardware profile is disabled, the device cannot be used while using that hardware profile. Disabling a device frees the resources that were allocated to the device. Discretionary access control list (DACL) The part of an object’s security descriptor that grants or denies specific users and groups permission to access the object. Only the owner of an object can change permissions granted or denied in a DACL; thus access to the object is at the owner’s discretion. Disk bottleneck A condition that occurs when disk performance is reduced to the extent that overall system performance is affected. Disk quota The maximum amount of disk space available to a user. Dismount To remove a removable tape or disc from a drive. Distinguished name A name that uniquely identifies an object by using the relative distinguished name for the object, plus the names of container objects and domains that contain the object. The distinguished name identifies the object as well as its location in a tree. Every object in Active Directory has a distinguished name. An example of a distinguished name is CN=MyName,CN=Users,DC=Reskit,DC=Com. This distinguished name identifies the “MyName” user object in the reskit.com domain.

Glossary 201

Distributed file system (Dfs) A Windows 2000 service consisting of software residing on network servers and clients that transparently links shared folders located on different file servers into a single namespace for improved load sharing and data availability. Distribution folder The folder created on the Windows 2000 distribution server to contain the Setup files. DNS server A computer that runs DNS server programs containing name-to-IP address mappings, IP address-to-name mappings, information about the domain tree structure, and other information. DNS servers also attempt to resolve client queries. DNS zone In a DNS database, a zone is a contiguous portion of the DNS tree that is administered as a single separate entity, by a DNS server. The zone contains resource records for all the names within the zone. Domain In Windows 2000 and Active Directory, a collection of computers defined by the administrator of a Windows 2000 Server network that share a common directory database. A domain has a unique name and provides access to the centralized user and group accounts. Each domain has its own security policies and security relationships with other domains which represents a single security boundary of a Windows 2000 computer network. An Active Directory is made up of one or more domains, each of which can span more than one physical location. For DNS, a domain is any tree or subtree within the DNS namespace. Although the names for DNS domains often correspond to Active Directory domains, DNS domains should not be confused with Windows 2000 and Active Directory networking domain. Domain controller For a Windows NT or Windows 2000 Server Domain controllers manage user access to a network, which includes logging on, authentication, and access to the directory and shared resources.


Domain local group A Windows 2000 group only available in native mode domains that can contain members from anywhere in the forest, in trusted forests, or in a trusted pre-Windows 2000 domain. Domain local groups can only grant permissions to resources within the domain in which they exist. Typically, domain local groups are used to gather security principals from across the forest to control access to resources within the domain. Domain name In Windows 2000 and Active Directory, the name given by an administrator to a collection of networked computers that share a common directory. For DNS, domain names are specific node names in the DNS namespace tree. DNS domain names use singular node names, known as “labels,” joined together by periods (.) that indicate each node level in the namespace. Domain Name System (DNS) A hierarchical naming system used for locating domain names on the Internet and on private TCP/IP networks. DNS provides a service for mapping DNS domain names to IP addresses, and vice versa. This allows users, computers, and applications to query the DNS to specify remote systems by fully qualified domain names rather than by IP addresses. Domain tree In DNS, the inverted hierarchical tree structure that is used to index domain names. Domain trees are similar in purpose and concept to the directory trees used by computer filing systems for disk storage. Dual boot A computer configuration that can start two different operating systems. DVD decoder A hardware or software component that allows a digital video disc (DVD) drive to display movies on your computer screen.

Glossary 203

DVD disc A type of optical disc storage technology. A digital video disc (DVD) looks like a CD-ROM disc, but it can store greater amounts of data. DVD discs are often used to store full-length movies. DVD drive A DVD drive reads both CD-ROM and DVD discs; however, a DVD decoder is necessary to display DVD movies on your computer screen. Dvorak keyboard An alternative keyboard with a layout that makes the most frequently typed characters more accessible to people who have difficulty typing on the standard QWERTY layout. Dynamic disk A physical disk that is managed by Disk Management. Dynamic disks can contain only dynamic volumes (that is, volumes created by using Disk Management). Dynamic disks cannot contain partitions or logical drives, nor can MS-DOS access them. Dynamic Host Configuration Protocol (DHCP) A networking protocol that provides safe, reliable, and simple TCP/IP network configuration and offers dynamic configuration of Internet Protocol (IP) addresses for computers. DHCP ensures that address conflicts do not occur and helps conserve the use of IP addresses through centralized management of address allocation. Dynamic priority The priority value to which a thread’s base priority is adjusted to optimize scheduling. Dynamic volume A logical volume that is created using Disk Management. Dynamic volumes include simple, spanned, striped, mirrored, and RAID-5 volumes. Dynamic volumes must be created on dynamic disks. Dynamic-link library (DLL) A feature of the Microsoft Windows family of operating systems and the OS/2 operating system. DLLs allow executable routines, generally serving a specific function or set of functions, to be stored separately as files with .dll extensions, and to be loaded only when needed by the program that calls them.


E Embedded object Information created in another application that has been pasted inside a document. When information is embedded, you can edit it in the new document by using toolbars and menus from the original program. When you double-click the embedded icon, the toolbars and menus from the program used to create the information appear. Embedded information is not linked to the original file. If you change information in one place, it is not updated in the other. Emergency repair disk (ERD) A disk, created by the Backup utility, that contains copies of three of the files stored in the %SystemRoot%/Repair folder, including Setup.log that contains a list of system files installed on the computer. This disk can be used during the Emergency Repair Process to repair your computer if it will not start or if your system files are damaged or erased. Encapsulating security payload (ESP) An IPSec protocol that provides confidentiality, in addition to authentication, integrity, and anti-replay. ESP can be used alone, in combination with AH, or nested with the Layer Two Tunneling Protocol (L2TP). ESP does not normally sign the entire packet unless it is being tunneled. Ordinarily, just the data payload is protected, not the IP header. Encrypting File System (EFS) A new feature in Windows 2000 that protects sensitive data in files that is stored on disk using the NTFS file system. It uses symmetric key encryption in conjunction with public key technology to provide confidentiality for files. It runs as an integrated system service, which makes EFS easy to manage, difficult to attack, and transparent to the file owner and to applications. Encryption The process of disguising a message or data in such a way as to hide its substance.

Glossary 205

Encryption key A bit string that is used in conjunction with an encryption algorithm to encrypt and decrypt data. Enhanced Integrated Drive Electronics (EIDE) An extension of the IDE standard, EIDE is a hardware interface standard for disk drive designs that houses control circuits in the drives themselves. It allows for standardized interfaces to the system bus, while providing for advanced features, such as burst data transfers and direct data access. Enterprise Resource Planning (ERP) A software system designed to support and automate the processes of an organization, including manufacturing and distribution, accounting, project management and personnel functions. Environment variable A string consisting of environment information, such as a drive, path, or filename, associated with a symbolic name that can be used by Windows NT and Windows 2000. Use the System option in Control Panel or the set command from the command prompt to define environment variables. Ethernet An IEEE 802.3 standard for contention networks. Ethernet uses a bus or star topology and relies on the form of access known as Carrier Sense Multiple Access with Collision Detection (CSMA/DC) to regulate communication line traffic. Network nodes are linked by coaxial cable, fiberoptic cable, or by twisted-pair wiring. Data is transmitted in variable-length frames containing delivery and control information and up to 1,500 bytes of data. The Ethernet standard provides for baseband transmission at 10 megabits (10 million bits) per second. Exabyte Approximately one quintillion bytes, or one billion billion bytes. Expire interval For DNS, the number of seconds that DNS servers operating as secondary masters for a zone use to determine if zone data should be expired when the zone is not refreshed and renewed.


Explicit trust relationship A trust relationship from Windows NT in which an explicit link is made in one direction only. Explicit trusts can also exist between Windows NT domains and Windows 2000 domains, and between forests. Export In NFS, to make a file system available by a server to a client for mounting. Extended Industry Standard Architecture (EISA) A 32-bit bus standard introduced in 1988 by a consortium of nine computerindustry companies. EISA maintains compatibility with the earlier Industry Standard Architecture (ISA) but provides for additional features. Extended partition A portion of a basic disk that can contain logical drives. To have more than four volumes on your basic disk, you need to use an extended partition. Only one of the four partitions allowed per physical disk can be an extended partition, and no primary partition needs to be present to create an extended partition. You can create extended partitions only on basic disks. Extensible Authentication Protocol (EAP) An extension to PPP that allows for arbitrary authentication mechanisms to be employed for the validation of a PPP connection. Extensible Markup Language (XML) A meta-markup language that provides a format for describing structured data. This facilitates more precise declarations of content and more meaningful search results across multiple platforms. In addition, XML will enable a new generation of Web-based data viewing and manipulation applications.

Glossary 207

F FAT32 A derivative of the file allocation table file system. FAT32 supports smaller cluster sizes than FAT in the same given disk space, which results in more efficient space allocation on FAT32 drives. Fault tolerance The assurance of data integrity when hardware failures occur. On the Windows NT and Windows 2000 platforms, fault tolerance is provided by the Ftdisk.sys driver. Fiber Distributed Data Interface (FDDI) A type of network media designed to be used with fiber-optic cabling. File allocation table (FAT) A file system based on a file allocation table (FAT) maintained by some operating systems, including Windows NT and Windows 2000, to keep track of the status of various segments of disk space used for file storage. File record The row in the master file table (MFT) that corresponds to a particular disk file. The file record is identified by its file reference. File system In an operating system, the overall structure in which files are named, stored, and organized. NTFS, FAT, and FAT32 are types of file systems. File system cache An area of physical memory that holds frequently used pages. It allows applications and services to locate pages rapidly and reduces disk activity. File Transfer Protocol (FTP) A protocol that defines how to transfer files from one computer to another over the Internet. FTP is also a client/server application that moves files using this protocol.


Filter In IPSec, a rule that provides the ability to trigger security negotiations for a communication based on the source, destination, and type of IP traffic. FilterKeys A Windows 2000 accessibility feature that allows people with physical disabilities to adjust keyboard response time. Firewall A combination of hardware and software that provides a security system, usually to prevent unauthorized access from outside to an internal network or intranet. A firewall prevents direct communication between network and external computers by routing communication through a proxy server outside of the network. The proxy server determines whether it is safe to let a file pass through to the network. A firewall is also called a security-edge gateway. Folder redirection A Group Policy option that allows you to redirect designated folders to the network. Forest A collection of one or more Windows 2000 Active Directory trees, organized as peers and connected by two-way transitive trust relationships between the root domains of each tree. All trees in a forest share a common schema, configuration, and Global Catalog. When a forest contains multiple trees, the trees do not form a contiguous namespace. Fragmentation The scattering of parts of the same disk file over different areas of the disk. Fragmentation occurs as files on a disk are deleted and new files are added. It slows disk access and degrades the overall performance of disk operations, although usually not severely. Free media pool A logical collection of unused data-storage media that can be used by applications or other media pools. When media are no longer needed by an application, they are returned to a free media pool so that they can be used again.

Glossary 209

G Gatekeeper A server that uses a directory to perform name-to-IP address translation, admission control and call management services in H.323 conferencing. Gateway A device connected to multiple physical TCP/IP networks, capable of routing or delivering IP packets between them. A gateway translates between different transport protocols or data formats (for example, IPX and IP) and is generally added to a network primarily for its translation ability. Global Catalog A domain controller that contains a partial replica of every domain directory partition in the forest as well as a full replica of its own domain directory partition and the schema and configuration directory partitions. The Global Catalog holds a replica of every object in Active Directory, but each object includes a limited number of its attributes. The attributes in the Global Catalog are those most frequently used in search operations (such as a user’s first and last names) and those attributes that are required to locate a full replica of the object. The Global Catalog enables users and applications to find objects in Active Directory given one or more attributes of the target object, without knowing what domain holds the object. The Active Directory replication system builds the Global Catalog automatically. The attributes replicated into the Global Catalog include a base set defined by Microsoft. Administrators can specify additional properties to meet the needs of their installation. Global group For Windows 2000 Server, a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those places a global group can be granted rights and permissions and can become a member of local groups. However, a global group can contain user accounts only from its own domain.


Globally unique identifier (GUID) A 16-byte value generated from the unique identifier on a device, the current date and time, and a sequence number. A GUID is used to identify a particular device or component. Graphical Identification and Authentication (GINA) A DLL loaded during the Windows 2000 Winlogon process, which displays the standard logon dialog box, collects, and processes user logon data for verification. Graphical user interface (GUI) A display format, like that of Windows, which represents a program’s functions with graphic images such as buttons and icons. GUIs allow a user to perform operations and make choices by pointing and clicking with a mouse. Group A collection of users, computers, contacts, and other groups. Groups can be used as security or as e-mail distribution collections. Distribution groups are used only for e-mail. Security groups are used both to grant access to resources and as e-mail distribution lists. In a server cluster, a group is a collection of resources, and the basic unit of failover. Group Identification (GID) A group identifier that uniquely identifies a group of users. UNIX uses the GID to identify the group ownership of a file, and to determine access permissions. Group memberships The groups to which a user account belongs. Permissions and rights granted to a group are also provided to its members. In most cases, the actions a user can perform in Windows 2000 are determined by the group memberships of the user account to which the user is logged on. Group Policy An administrator’s tool for defining and controlling how programs, network resources, and the operating system operate for users and computers in an organization. In an Active Directory environment, Group Policy is applied to users or computers on the basis of their membership in sites, domains, or organizational units.

Glossary 211

Group Policy object A collection of Group Policy settings. Group Policy objects are the documents created by the Group Policy snap-in. Group Policy objects are stored at the domain level, and they affect users and computers contained in sites, domains, and organizational units. Each Windows 2000-based computer has exactly one group of settings stored locally, called the local Group Policy object.


H H.323 The ITU-T standard for multimedia communications over networks that do not provide a guaranteed quality of service. This standard provides specifications for workstations, devices, and services to carry real-time video, audio, and data or any combination of these elements. Hardware abstraction layer (HAL) A thin layer of software provided by the hardware manufacturer that hides, or abstracts, hardware differences from higher layers of the operating system. Through the filter provided by the HAL, different types of hardware all look alike to the rest of the operating system. This allows Windows NT and Windows 2000 to be portable from one hardware platform to another. The HAL also provides routines that allow a single device driver to support the same device on all platforms. The HAL works closely with the kernel. Hardware Compatibility List (HCL) A list of the devices supported by Windows 2000, available from the Microsoft Web site. Hardware malfunction message A character-based, full-screen error message displayed on a blue background. It indicates the microprocessor detected a hardware error condition from which the system cannot recover. Hardware profile A set of changes to the standard configuration of devices and services (including drivers and Win32 services) loaded by Windows 2000 when the system starts. For example, a hardware profile can include an instruction to disable (that is, not load) a driver, or an instruction not to connect an undocked laptop computer to the network. Because of the instructions in this subkey, users can modify the service configuration for a particular use while preserving the standard configuration unchanged for more general uses.

Glossary 213

Hardware type A classification for similar devices. For example, Imaging Device is a hardware type for digital cameras and scanners. Heartbeat thread A thread initiated by the Windows NT Virtual DOS Machine (NTVDM) process that interrupts every 55 milliseconds to simulate a timer interrupt. Hop In data communications, one segment of the path between routers on a geographically dispersed network. A hop is comparable to one “leg” of a journey that includes intervening stops between the starting point and the destination. The distance between each of those stops (routers) is a communications hop. Hosts A local text file in the same format as the 4.3 Berkeley Software Distribution (BSD) UNIX/etc/hosts file. This file maps host names to IP addresses. In Windows 2000, this file is stored in the \%SystemRoot%\System32\Drivers\Etc folder. Hot keys A Windows feature that allows quick activation of specified accessibility features through a combination of keys pressed in unison. HTML+Time A new feature in Microsoft Internet Explorer 5 that adds timing and media synchronization support to HTML pages. Using a few Extensible Markup Language (XML)-based elements and attributes, you can add images, video, and sounds to an HTML page, and synchronize them with HTML text elements over a specified amount of time. In short, you can use HTML+TIME technology to quickly and easily create multimedia-rich, interactive presentations, with little or no scripting.


Human Interface Device (HID) A firmware specification that is a new standard for input and output devices such as drawing tablets, keyboards, USB speakers, and other specialized devices designed to improve accessibility. Hypertext Markup Language (HTML) A simple markup language used to create hypertext documents that are portable from one platform to another. HTML files are simple ASCII text files with embedded codes (indicated by markup tags) to indicate formatting and hypertext links. HTML is used for formatting documents on the World Wide Web. Hypertext Transfer Protocol (HTTP) The protocol used to transfer information on the World Wide Web. An HTTP address (one kind of Uniform Resource Locator [URL]) takes the form: http://www.microsoft.com.

Glossary 215

I I/O request packet (IRP) Data structures that drivers use to communicate with each other. IEEE 1284.4 An IEEE specification, also called DOT4, for supporting multi-function peripherals (MFPs). Windows 2000 has a driver called DOT4 that creates different port settings for each function of an MFP, enabling Windows 2000 print servers to simultaneously send data to multiple parts of an MFP. IEEE 1394 (Firewire) A standard for high-speed serial devices such as digital video and digital audio editing equipment. Image Color Management (ICM) The process of image output correction. ICM attempts to make the output more closely match the colors that are input or scanned. Impersonation A circumstance that occurs when Windows NT or Windows 2000 allows one process to take on the security attributes of another. Import media pool A repository where Removable Storage puts media when it recognizes the on-media identifier (OMID), but does not have the media cataloged in the current Removable Storage database. Incremental backup A backup that copies only those files created or changed since the last normal or incremental backup. It marks files as having been backed up (the archive bit is set). If a combination of normal and incremental backups is used to restore your data, you need to have the last normal backup and all subsequent incremental backup sets. Independent software vendors (ISVs) A third-party software developer; an individual or an organization that independently creates computer software. Infrared (IR) Light that is beyond red in the color spectrum. While the light is not visible to the human eye, infrared transmitters and receivers can send and receive infrared signals.


Industry Standard Architecture (ISA) A bus design specification that allows components to be added as cards plugged into standard expansion slots in IBM Personal Computers and IBM compatible computers. Originally introduced in the IBM PC/XT with an 8bit data path, ISA was expanded in 1984, when IBM introduced the PC/AT, to permit a 16-bit data path. A 16-bit ISA slot consists of two separate 8-bit slots mounted end-to-end so that a single 16-bit card plugs into both slots. An 8-bit expansion card can be inserted and used in a 16-bit slot (it occupies only one of the two slots), but a 16-bit expansion card cannot be used in an 8-bit slot. Infrared Data Association (IrDA) A networking protocol used to transmit data created by infrared devices. Infrared Data Association is also the name of the industry organization of computer, component, and telecommunications vendors who establish the standards for infrared communication between computers and peripheral devices, such as printers. Infrared port An optical port on a computer that enables communication with Infrared device such as other computers, peripherals or devices by using infrared light.. Infrared ports do not use cables and can be found on portable computers, printers, cameras, etc. Input/Output (I/O) port A channel through which data is transferred between a device and the microprocessor. The port appears to the microprocessor as one or more memory addresses that it can use to send or receive data. Insert/Eject (IE) port IE ports, also called “mailslots,” offer limited access to the cartridges in a library managed by Removable Storage. When an administrator adds cartridges to a library through an IE port, the cartridges are placed in the IE port and then the library uses the transport to move the cartridges from the IE port to a slot. Some libraries have no IE ports; others have several. Some IE ports handle only one cartridge at a time; others can handle several at one time.

Glossary 217

Instantaneous counter A type of counter that displays the most recent measurement taken by the Performance console. Institute of Electrical and Electronics Engineers (IEEE) An organization of engineering and electronics professionals that are notable for developing standards for hardware and software. Integrated device electronics (IDE) A type of disk-drive interface in which the controller electronics reside on the drive itself, eliminating the need for a separate adapter card. IDE offers advantages such as look-ahead caching to increase overall performance. Integrated Services Digital Network (ISDN) A type of phone line used to enhance WAN speeds. ISDN lines can transmit at speeds of 64 or 128 kilobits per second, as opposed to standard phone lines, which typically transmit at 28.8 kilobits per second. The phone company must install an ISDN line at both the server site and the remote site. Integrity A basic security function of cryptography. Integrity provides verification that the original contents of information have not been altered or corrupted. Without integrity, someone might alter information or the information might become corrupted, but the alteration can go undetected. For example, an Internet Protocol security property that protects data from unauthorized modification in transit, ensuring that the data received is exactly the same as the data sent. Hash functions sign each packet with a cryptographic checksum, which the receiving computer checks before opening the packet. If the packet-and therefore signature-has changed, the packet is discarded. IntelliMirror A set of Windows 2000 features used for desktop change and configuration management. When IntelliMirror is used in both the server and client, the users’ data, applications, and settings follow them when they move to another computer.


Interactive logon A network logon from a computer keyboard, when the user types information in the Logon Information dialog box displayed by the computer’s operating system. Internet A worldwide public TCP/IP internetwork consisting of thousands of individual networks that connects research facilities, universities, libraries, private companies and Individuals. Internet Control Message Protocol (ICMP) A required maintenance protocol in the TCP/IP suite that reports errors and allows simple connectivity. The Ping tool uses ICMP to perform TCP/IP troubleshooting. Internet Information Services (IIS) Software services that support Web site creation, configuration, and management, along with other Internet functions. Internet Information Services include Network News Transfer Protocol (NNTP), File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP). Internet Key Exchange (IKE) A protocol that establishes the security association and shared keys necessary for two parties to communicate with Internet Protocol security. Internet locator service (ILS) An optional component of Microsoft Site Server that creates a dynamic directory of videoconferencing users. Internet Printing Protocol (IPP) The protocol that uses the Hypertext Transfer Protocol (HTTP) to send print jobs to printers throughout the world. Windows 2000 supports Internet Printing Protocol (IPP) version 1.0. Internet Protocol (IP) A routable protocol in the TCP/IP protocol suite that is responsible for IP addressing, routing, and the fragmentation and reassembly of IP packets.

Glossary 219

Internet Protocol security (IPSec) A set of industry-standard, cryptography-based protection services and protocols. IPSec protects all protocols in the TCP/IP protocol suite and Internet communications using L2TP. Internet service provider (ISP) A company that provides individuals or companies access to the Internet and the World Wide Web. An ISP provides a telephone number, a user name, a password, and other connection information so users can connect their computers to the ISP’s computers. An ISP typically charges a monthly and/or hourly connection fee. Internetwork Packet Exchange / Sequenced Packet Exchange (IPX/SPX) A network protocol suite native to NetWare that controls addressing and routing of packets within and between LANs. Interrupt A request for attention from the processor. When the processor receives an interrupt, it suspends its current operations, saves the status of its work, and transfers control to a special routine known as an interrupt handler, which contains the instructions for dealing with the particular situation that caused the interrupt. Interrupt request (IRQ) A signal sent by a device to get the attention of the processor when the device is ready to accept or send information. Each device sends its interrupt requests over a specific hardware line, numbered from 0 to 15. Each device must be assigned a unique IRQ number. Intranet A network within an organization that uses Internet technologies and protocols but is available only to certain people, such as employees of a company. An intranet is also called a private network. IP address A 32-bit address used to identify a node on an IP internetwork. Each node on the IP internetwork must be assigned a unique IP address, which is made up of the network ID, plus a unique host ID. This address is typically represented with the decimal value of each octet separated by a period (for example, 192.168.7.27).


IP router A system connected to multiple physical TCP/IP networks that can route or deliver IP packets between the networks. IPSec driver A driver that uses the IP Filter List from the active IPSec policy to watch for outbound IP packets that must be secured and inbound IP packets that need to be verified and decrypted. IPSec filter A part of IPSec security rules that make up an IPSec security policy. IPSec filters determine whether a data packet needs an IPSec action and what the IPSec action is, such as permit, block, or secure. Filters can classify traffic by criteria including source IP address, source subnet mask, destination IP address, IP protocol type, source port, and destination port. Filters are not specific to a network interface. IPSec security rules Rules contained in the IPSec policy that govern how and when an IPSec is invoked. A rule triggers and controls secure communication when a particular source, destination, or traffic type is found. Each IPSec policy may contain one or many rules; any of which may apply to a particular packet. Default rules are provided which encompass a variety of clients and serverbased communications or rules can be modified to meet custom requirements. IrTran-p A protocol that transfers images from cameras to Windows 2000 computers using infrared transmissions, making a physical cable connection unnecessary. Isochronous Time dependent. Refers to processes where data must be delivered within certain time constraints. Multimedia streams require an isochronous transport mechanism to ensure that data is delivered as fast as it is displayed, and to ensure that the audio is synchronized with the video.

Glossary 221

J Job object A feature in the Win32 API set that makes it possible for groups of processes to be managed with respect to their processor usage and other factors.


K Kerberos authentication protocol An authentication mechanism used to verify user or host identity. The Kerberos v5 authentication protocol is the default authentication service for Windows 2000. Internet Protocol security and the QoS Admission Control Service use the Kerberos protocol for authentication. Kernel The core of layered architecture that manages the most basic operations of the operating system and the computer’s processor for Windows NT and Windows 2000. The kernel schedules different blocks of executing code, called threads, for the processor to keep it as busy as possible and coordinates multiple processors to optimize performance. The kernel also synchronizes activities among Executive-level subcomponents, such as I/O Manager and Process Manager, and handles hardware exceptions and other hardware-dependent functions. The kernel works closely with the hardware abstraction layer. Key A secret code or number required to read, modify, or verify secured data. Keys are used in conjunction with algorithms to secure data. Windows 2000 automatically handles key generation. For the registry, a key is an entry in the registry that can contain both subkeys and entries. In the registry structure, keys are analogous to folders, and entries are analogous to files. In the Registry Editor window, a key appears as a file folder in the left pane. In an answer file, keys are character strings that specify parameters from which Setup obtains the needed data for unattended installation of the operating system. Keyboard filters Special timing and other devices that compensate for erratic motion tremors, slow response time, and other mobility impairments.

Glossary 223

L Last Known Good Configuration A hardware configuration available by pressing F8 during startup. If the current hardware settings prevent the computer from starting, the Last Known Good Configuration can allow the computer to be started and the configuration to be examined. When the Last Known Good Configuration is used, later configuration changes are lost. Layer 2 forwarding (L2F) Permits the tunneling of the link layer of higher-level protocols. Using these tunnels, it is possible to separate the location of the initial dial-up server from the physical location at which the dial-up protocol connection is terminated and access to the network is provided. Layer two Tunneling Protocol (L2TP) A tunneling protocol that encapsulates PPP frames to be sent over IP, X.25, Frame Relay, or ATM networks. L2TP is a combination of the Point-toPoint Tunneling Protocol (PPTP) and Layer 2 Forwarding (L2F), a technology proposed by Cisco Systems, Inc. Legend The area of the System Monitor graph or histogram display that shows computer name, object name, counter name, instances, and other information as a reference to the lines in the graph or the bars in the histogram. Library A data-storage system, usually managed by Removable Storage. A library consists of removable media (such as tapes or discs) and a hardware device that can read from or write to the media. There are two major types of libraries: robotic libraries (automated multiple-media, multidrive devices) and stand-alone drive libraries (manually operated, single-drive devices). A robotic library is also called a jukebox or changer. Library request A request for an online library or stand-alone drive to perform a task. This request can be issued by an application or by Removable Storage.


Lightweight Directory Access Protocol (LDAP) A directory service protocol that runs directly over TCP/IP and the primary access protocol for Active Directory. LDAP version 3 is defined by a set of Proposed Standard documents in Internet Engineering Task Force (IETF) RFC 2251. Lightweight Directory Access Protocol application programming interface (LDAP API) An API for experienced programmers who want to enable new or existing applications to connect to, search, and update LDAP servers. You can use the LDAP API to write directory-enabled applications that allow LDAP client applications to search for and retrieve information from an LDAP server. LDAP API enables the modification of directory objects, where such modifications are permitted. There are also functions that provide access control for servers, by allowing clients to authenticate themselves. Line Printer Remote (LPR) A connectivity tool that runs on client systems and is used to print files to a computer running an LPD server. Also called Line Printer. Line Printer Daemon (LPD) A service on the print server that receives documents (print jobs) from line printer remote (LPR) tools running on client systems. Line Printer Port Monitor A port monitor that is used to send jobs over TCP/IP from the client running Lprmon.dll to a print server running an LPD (Line Printer Daemon) service. Line Printer Port Monitor can be used to enable Internet printing, UNIX print servers, or Windows 2000 print servers over a TCP/IP network. Linked object An object that is inserted into a document but still exists in the source file. When information is linked, the new document is updated automatically if the information in the original document changes.

Glossary 225

Local area network (LAN) A communications network connecting a group of computers, printers, and other devices located within a relatively limited area (for example, a building). A LAN allows any connected device to interact with any other on the network. Local computer A computer that can be accessed directly without using a communications line or a communications device, such as a network adapter or a modem. Similarly, running a local program means running the program on your computer, as opposed to running it from a server. Local group For computers running Windows 2000 Professional and member servers, a group that is granted permissions and rights from its own computer to only those resources on its own computer on which the group resides. Local Security Authority (LSA) A protected subsystem that authenticates and logs users onto the local system. In addition, the LSA maintains information about all aspects of local security on a system (collectively known as the local security policy), and provides various services for translation between names and identifiers. Local user profile A computer-based record maintained about an authorized user that is created automatically on the computer the first time a user logs on to a computer running Windows 2000. Localmon.dll The standard print monitor for use with printers connected directly to your computer. If you add a printer to your computer using a serial or parallel port (such as COM1 or LPT1), this is the monitor that is used.


LocalTalk The Apple networking hardware built into every Macintosh computer. LocalTalk includes the cables and connector boxes to connect components and network devices that are part of the AppleTalk network system. LocalTalk was formerly known as the AppleTalk Personal Network. Locator service In a distributed system, a feature that allows a client to find a shared resource or server without providing an address or full name. Generally associated with Active Directory, which provides a locator service. Logical drive A volume created within an extended partition on a basic disk. You can format and assign a drive letter to a logical drive. Only basic disks can contain logical drives. A logical drive cannot span multiple disks. Logical volume A volume created within an extended partition on a basic disk. You can format and assign a drive letter to a logical drive. Only basic disks can contain logical drives. A logical drive cannot span multiple disks. Logon script Files that can be assigned to user accounts. Typically a batch file, a logon script runs automatically every time the user logs on. It can be used to configure a user’s working environment at every logon, and it allows an administrator to influence a user’s environment without managing all aspects of it. A logon script can be assigned to one or more user accounts.

Glossary 227

Long file name (LFN) A folder name or file name on the FAT file system that is longer than the 8.3 file name standard (up to eight characters followed by a period and an extension of up to three characters). Windows 2000 supports long file names up to the file-name limit of 255 characters. Macintosh users can assign long names to files and folders on the server and, using Services for Macintosh, long names to Macintosh-accessible volumes can be assigned when created. Windows 2000 automatically translates long names of files and folders to 8.3 names for MS-DOS and Windows 3.x users. Loopback address The address of the local computer used for routing outgoing packets back to the source computer. This address is used primarily for testing.


M MAC See media access control. Magazine A collection of storage locations, also called “slots,” for cartridges in a library managed by Removable Storage. Magazines are usually removable. Magneto-optic (MO) disk A high-capacity, erasable storage medium which uses laser beams to heat the disk and magnetically arrange the data. Magnifier A screen enlarger that magnifies a portion of the screen in a separate window for users with low vision and for those who require occasional screen magnification for such tasks as editing art. Manual caching A method of manually designating network files and folders so they are stored on a user’s hard disk and accessible when the user is not connected to the network. Master Boot Record (MBR) The first sector on a hard disk, this data structure starts the process of booting the computer. It is the most important area on a hard disk. The MBR contains the partition table for the disk and a small amount of executable code called the master boot code. Master file table (MFT) The database that tracks the contents of an NTFS volume. The MFT is a table whose rows correspond to files on the volume and whose columns correspond to the attributes of each file. Maximum password age The period of time a password can be used before the system requires the user to change it. Media The physical material on which information is recorded and stored. Media access control A sublayer of the IEEE 802 specifications that defines network access methods and framing. Media label library

Glossary 229

A dynamic-link library (DLL) that can interpret the format of a media label written by a Removable Storage application. Media pool Logical collections of removable media that have the same management policies. Media pools are used by applications to control access to specific tapes or discs within libraries managed by Removable Storage. There are four media pools: Unrecognized, Import, Free, and application-specific. Each media pool can only hold either media or other media pools. Media states Descriptions of conditions in which Removable Storage has placed a cartridge that it is managing. The states include Idle, In Use, Mounted, Loaded, and Unloaded. Memory leak A condition that occurs when applications allocate memory for use but do not free allocated memory when finished. Metric A number used to indicate the cost of a route in the IP routing table to enable the selection of the best route among possible multiple routes to the same destination. Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1) An encrypted authentication mechanism for PPP connections similar to CHAP. The remote access server sends a challenge to the remote access client that consists of a session ID and an arbitrary challenge string. The remote access client must return the user name and a Message Digest 4 (MD4) hash of the challenge string, the session ID, and the MD4-hashed password. Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) An encrypted authentication mechanism for PPP connections that provides stronger security than CHAP and MS-CHAP v1. MS-CHAP v2 provides mutual authentication and asymmetric encryption keys.


Microsoft Indexing Service Software that provides search functions for documents stored on disk, allowing users to search for specific document text or properties. Microsoft Internet Directory A Web site provided and maintained by Microsoft used by applications such as NetMeeting to locate people to call on the Internet. The Microsoft Internet Directory is operated through an ILS server. Microsoft Management Console (MMC) A framework for hosting administrative consoles. A console is defined by the items on its console tree, which might include folders or other containers, World Wide Web pages, and other administrative items. A console has one or more windows that can provide views of the console tree and the administrative properties, services, and events that are acted on by the items in the console tree. The main MMC window provides commands and tools for authoring consoles. The authoring features of MMC and the console tree might be hidden when a console is in User Mode. Microsoft Point-to-Point Encryption (MPPE) A 128/40-bit encryption algorithm using RSA RC4. MPPE provides for packet security between the client and the tunnel server and is useful where IPSec is not available. The 40-bit version addresses localization issues based on current export restrictions. MPPE is compatible with Network Address Translation. Microsoft Tape Format (MTF) The data format used for tapes supported by the Backup application in Windows 2000. There are three major components to MTF: a Tape Data Block (Tape DBLK), otherwise known as the tape header; one or more Data Sets; and On Tape Catalog Information (On Tape Catalog Inf). Minidrivers Relatively small, simple drivers or files that contain additional instructions needed by a specific hardware device, to interface with the universal driver for a class of devices.

Glossary 231

Minimum TTL A default Time To Live (TTL) value set in seconds for use with all resource records in a zone. This value is set in the start of authority (SOA) resource record for each zone. By default, the DNS server includes this value in query answers to inform recipients how long it can store and use resource records provided in the query answer before they must expire the stored records data. When TTL values are set for individual resource records, those values will override the minimum TTL. Mirrored volume A fault-tolerant volume that duplicates data on two physical disks. The mirror is always located on a different disk. If one of the physical disks fails, the data on the failed disk becomes unavailable, but the system continues to operate by using the unaffected disk. A mirrored volume is slower than a RAID-5 volume in read operations but faster in write operations. Mirrored volumes can only be created on dynamic disks. In Windows NT 4.0, a mirrored volume was known as a mirror set. Mixed mode The default mode setting for domains on Windows 2000 domain controllers. Mixed mode allows Windows 2000 domain controllers and Windows NT backup domain controllers to co-exist in a domain. Mixed mode does not support the universal and nested group enhancements of Windows 2000. You can change the domain mode setting to Windows 2000 native mode after all Windows NT domain controllers are either removed from the domain or upgraded to Windows 2000. Mode Pruning A Windows 2000 feature that can be used to remove display modes that the monitor cannot support. Mount To place a removable tape or disc into a drive. MouseKeys A feature in Microsoft Windows that allows use of the numeric keyboard to move the mouse pointer.


MP3 Audio compressed in the MPEG1 Layer 3 format MPEG-2 A standard of video compression and file format developed by the Moving Pictures Experts Group. MPEG-2 offers video resolutions of 720 x 480 and 128 x 720 at 60 frames per second, with full CD-quality audio. MS-CHAPv2 See Microsoft Challenge Handshake Authentication Protocol version 2. Multicast IP IP packets sent from a single destination IP address but received and processed by multiple IP hosts, regardless of their location on an IP internetwork. Multicasting The process of sending a message simultaneously to more than one destination on a network. Multihomed computer A computer that has multiple network adapters or that has been configured with multiple IP addresses for a single network adapter. Multiple boot A computer configuration that runs two or more operating systems. For example, Windows 98, MS-DOS, and Windows 2000 operating systems can be installed on the same computer. When the computer is started, any one of the operating systems can be selected.

Glossary 233

N Name devolution A process by which a DNS resolver appends one or more domain names to an unqualified domain name, making it a fully qualified domain name, and then submits the fully qualified domain name to a DNS server. Namespace A set of unique names for resources or items used in a shared computing environment. The names in a namespace can be resolved to the objects they represent. For Microsoft Management Console (MMC), the namespace is represented by the console tree, which displays all of the snap-ins and resources that are accessible to a console. For Domain Name System (DNS), namespace is the vertical or hierarchical structure of the domain name tree. For example, each domain label, such as “host1” or “example,” used in a fully qualified domain name, such as “host1.example.microsoft.com,” indicates a branch in the domain namespace tree. For Active Directory, namespace corresponds to the DNS namespace in structure, but resolves Active Directory object names. Naming service A service, such as that provided by WINS or DNS, that allows friendly names to be resolved to an address or other specially defined resource data that is used to locate network resources of various types and purposes. Narrator A synthesized text-to-speech utility for users who have low vision. Narrator reads aloud most of what the screen displays. Native mode The condition in which all domain controllers within a domain are Windows 2000 domain controllers and an administrator has enabled native mode operation (through Active Directory Users and Computers). NDIS miniport drivers A type of minidriver that interfaces network class devices to NDIS.


Nested groups A Windows 2000 capability available only in native mode that allows the creation of groups within groups. See also domain local group; forest; global group; trusted forest; universal group. NetBIOS Extended User Interface (NetBEUI) A network protocol native to Microsoft Networking that is usually used in local area networks of one to 200 clients. NetBEUI uses Token Ring source routing as its only method of routing. It is the Microsoft implementation of the NetBIOS standard. NetBIOS over TCP/IP (NetBT) A feature that provides the NetBIOS programming interface over the TCP/IP protocol. It is used for monitoring routed servers that use NetBIOS name resolution. NetWare Novell’s network operating system. Network adapter Software or a hardware plug-in board that connects a node or host to a local area network. Network basic input/output system (NetBIOS) An application programming interface (API) that can be used by applications on a local area network or computers running MS-DOS, OS/2, or some version of UNIX. NetBIOS provides a uniform set of commands for requesting lower level network services. Network Control Protocol (NCP) A protocol within the PPP protocol suite that negotiates the parameters of an individual LAN protocol such as TCP/IP or IPX. Network Driver Interface Specification (NDIS) A software component that provides Windows 2000 network protocols a common interface for communications with network adapters. NDIS allows more than one transport protocol to be bound and operate simultaneously over a single network adapter card. Network file system (NFS) A service for distributed computing systems that provides a distributed file system, eliminating the need for keeping multiple copies of files on separate computers.

Glossary 235

Network Information Service (NIS) Formerly known as Yellow Pages, NIS is a distributed database service that allows for a shared set of system configuration files on UNIX-based systems, including password, hosts, and group files. Network News Transfer Protocol (NNTP) A member of the TCP/IP suite of protocols, used to distribute network news messages to NNTP servers and clients, or newsreaders, on the Internet. NNTP is designed so that news articles are stored on a server in a central database, and the user selects specific items to read. Network security administrators Users who manage network and information security. Network security administrators should implement a security plan that addresses network security threats. Node In tree structures, a location on the tree that can have links to one or more items below it. In local area networks (LANs), a device that is connected to the network and is capable of communicating with other network devices. In a server cluster, a server that has Cluster service software installed and is a member of the cluster. Noncontainer object An object that cannot logically contain other objects. A file is a noncontainer object. Nonrepudiation A basic security function of cryptography. Nonrepudiation provides assurance that a party in a communication cannot falsely deny that a part of the communication occurred. Without nonrepudiation, someone can communicate and then later deny the communication or claim that the communication occurred at a different time. Nonresident attribute A file attribute whose value is contained in one or more runs, or extents, outside the master file table (MFT) record and separate from the MFT.


Nontransitive trust relationship A type of trust relationship that is bounded by the two domains in the relationship. For example, if domain A trusts domain B and domain B trusts domain C, there is no trust relationship between domain A and domain C. A nontransitive trust relationship can be a one-way or two-way relationship. It is the only type of trust relationship that can exist between a Windows 2000 domain and a Windows NT domain or between Windows 2000 domains in different forests. Normal backup A backup that copies all selected files and marks each file as backed up (that is, the archive bit is set). With normal backups, only the most recent copy of the backup file or tape is needed to restore all of the files. A normal backup is usually performed the first time a backup set is created. Novell Directory Services (NDS) On networks running Novell NetWare 4.x and NetWare 5.x, a distributed database that maintains information about every resource on the network and provides access to these resources. NT-1 (Network Terminator 1) A device that terminates an ISDN line at the connection location, commonly through a connection port. NTFS file system A recoverable file system designed for use specifically with Windows NT and Windows 2000. NTFS uses database, transaction-processing, and object paradigms to provide data security, file system reliability, and other advanced features. It supports file system recovery, large storage media, and various features for the POSIX subsystem. It also supports object-oriented applications by treating all files as objects with user-defined and systemdefined attributes. NTLM A security package that provides authentication between clients and servers.

Glossary 237

NTLM authentication protocol A challenge/response authentication protocol. The NTLM authentication protocol was the default for network authentication in Windows NT version 4.0 and earlier. The protocol continues to be supported in Windows 2000 but no longer is the default. NWLink An implementation of the Internetwork Packet Exchange (IPX), Sequenced Packet Exchange (SPX), and NetBIOS protocols used in Novell networks. NWLink is a standard network protocol that supports routing and can support NetWare client/server applications, where NetWare-aware Socketsbased applications communicate with IPX/SPX Sockets-based applications.


O Object An entity, such as a file, folder, shared folder, printer, or Active Directory object, described by a distinct, named set of attributes. For example, the attributes of a File object include its name, location, and size; the attributes of an Active Directory User object might include the user’s first name, last name, and e-mail address. For OLE and ActiveX objects, an object can also be any piece of information that can be linked to, or embedded into, another object. Object linking and embedding (OLE) A method for sharing information among applications. Linking an object, such as a graphic, from one document to another inserts a reference to the object into the second document. Any changes you make in the object in the first document will also be made in the second document. Embedding an object inserts a copy of an object from one document into another document. Changes you make in the object in the first document will not be updated in the second unless the embedded object is explicitly updated. Offline media Media that are not connected to the computer and require external assistance to be accessed. On-media identifier (OMID) A label that is electronically recorded on each medium in a Removable Storage system. Removable Storage uses on-media identifiers to track media in the Removable Storage database. An application on-media identifier is a subset of the media label. On-screen keyboard A utility that displays a virtual keyboard on a computer screen and allows users with mobility impairments to type using a pointing device or joystick. Open database connectivity (ODBC) An application programming interface (API) that enables database applications to access data from a variety of existing data sources.

Glossary 239

Open Host Controller Interface (OHCI) Part of the IEEE 1394 standard. In Windows 2000 Professional, only OHCI-compliant host adapters are supported. OpenType fonts Outline fonts that are rendered from line and curve commands, and can be scaled and rotated. OpenType fonts are clear and readable in all sizes and on all output devices supported by Windows 2000. OpenType is an extension of TrueType font technology. Operator request A request for the operator to perform a task. This request can be issued by an application or by Removable Storage. Original equipment manufacturer (OEM) The maker of a piece of equipment. In making computers and computerrelated equipment, manufacturers of original equipment typically purchase components from other manufacturers of original equipment and then integrate them into their own products. Overclocking Setting a microprocessor to run at speeds above the rated specification.


P Package An icon that represents embedded or linked information. That information can consist of a complete file, such as a Paint bitmap, or part of a file, such as a spreadsheet cell. When a package is chosen, the application used to create the object either plays the object (if it is a sound file, for example) or opens and displays the object. If the original information is changed, linked information is then updated. However, embedded information needs to be manually updated. In Systems Management Server, an object that contains the files and instructions for distributing software to a distribution point. Packet A transmission unit of fixed maximum size that consists of binary information. This information represents both data and a header containing an ID number, source and destination addresses, and error-control data. Packet assembler/disassembler (PAD) A connection used in X.25 networks. X.25 PAD boards can be used in place of modems when provided with a compatible COM driver. Page fault An error that occurs when the requested code or data cannot be located in the physical memory that is available to the requesting process. Page-description language (PDL) A computer language that describes the arrangement of text and graphics on a printed page. Paging The process of moving virtual memory back and forth between physical memory and the disk. Paging occurs when physical memory limitations are reached and only occurs for data that is not already “backed” by disk space. For example, file data is not paged out because it already has allocated disk space within a file system.

Glossary 241

Paging file A hidden file on the hard disk that Windows 2000 uses to hold parts of programs and data files that do not fit in memory. The paging file and physical memory, or RAM, comprise virtual memory. Windows 2000 moves data from the paging file to memory as needed and moves data from memory to the paging file to make room for new data. Also called a swap file. Parallel connection A connection that simultaneously transmits both data and control bits over wires connected in parallel. In general, a parallel connection can move data between devices faster than a serial connection. Parallel device A device that uses a parallel connection. Parallel ports The input/output connector for a parallel interface device. Printers are generally plugged into a parallel port. Parent object The object that is the immediate superior of another object in a hierarchy. A parent object can have multiple subordinate, or child, objects. In Active Directory, the schema determines what objects can be parent objects of what other objects. Depending on its class, a parent object can be the child of another object. Partition A logical division of a hard disk. Partitions make it easier to organize information. Each partition can be formatted for a different file system. A partition must be completely contained on one physical disk, and the partition table in the Master Boot Record for a physical disk can contain up to four entries for partitions. Password authentication protocol (PAP) A simple, plaintext authentication scheme for authenticating PPP connections. The user name and password are requested by the remote access server and returned by the remote access client in plaintext.


Path A sequence of directory (or folder) names that specifies the location of a directory, file, or folder within the Windows directory tree. Each directory name and file name within the path must be preceded by a backslash (\). For example, to specify the path of a file named Readme.doc located in the Windows directory on drive C, type C:\Windows\Readme.doc. PC Card A removable device, approximately the size of a credit card, that can be plugged into a PCMCIA (Personal Computer Memory Card International Association) slot in a portable computer. PCMCIA devices can include modems, network adapters, and hard disk drives. PCNFS Daemon (PCNFSD) A program that receives requests from PC-NFS clients for authentication on remote machines. Performance counter In System Monitor, a data item associated with a performance object. For each counter selected, System Monitor presents a value corresponding to a particular aspect of the performance that is defined for the performance object. Performance object In System Monitor, a logical collection of counters that is associated with a resource or service that can be monitored. See also performance counter. Peripheral A device, such as a disk drive, printer, modem, or joystick, that is connected to a computer and is controlled by the computer’s microprocessor. Peripheral component interconnect (PCI) A specification introduced by Intel Corporation that defines a local bus system that allows up to 10 PCI-compliant expansion cards to be installed in the computer. Permission A rule associated with an object to regulate which users can gain access to the object and in what manner. Permissions are granted or denied by the object’s owner.

Glossary 243

Physical location The location designation assigned to media managed by Removable Storage. The two classes of physical locations include libraries and offline media physical locations. The offline media physical location is where Removable Storage lists the cartridges that are not in a library. The physical location of cartridges in an online library is the library in which it resides. Physical media A storage object that data can be written to, such as a disk or magnetic tape. A physical medium is referenced by its physical media ID (PMID). Physical object An object, such as an ATM card or smart card used in conjunction with a piece of information, such as a PIN number, to authenticate users. In twofactor authentication, physical objects are used in conjunction with another secret piece of identification, such as a password, to authenticate users. In two-factor authentication, the physical object might be an ATM card that is used in combination with a PIN to authenticate the user. Ping A tool that verifies connections to one or more remote hosts. The ping command uses the ICMP Echo Request and Echo Reply packets to determine whether a particular IP system on a network is functional. Ping is useful for diagnosing IP network or router failures. Pinning To make a network file or folder available for offline use. Plaintext Data that is not encrypted. Sometimes also called clear text. Plug and Play A set of specifications developed by Intel that allows a computer to automatically detect and configure a device and install the appropriate device drivers.


Point and Print A way of installing network printers on a user’s local computer. Point and Print allows users to initiate a connection to a network printer and loads any required drivers onto the client’s computer. When users know which network printer they want to use, Point and Print greatly simplifies the installation process. Point of presence (POP) The local access point for a network provider. Each POP provides a telephone number that allows users to make a local call for access to online services. Point-to-Point Protocol (PPP) An industry standard suite of protocols for the use of point-to-point links to transport multiprotocol datagrams. PPP is documented in RFC 1661. Point-to-Point Tunneling Protocol (PPTP) A tunneling protocol that encapsulates Point-to-Point Protocol (PPP) frames into IP datagrams for transmission over an IP-based internetwork, such as the Internet or a private intranet. Portable Operating System Interface for UNIX (POSIX) An IEEE (Institute of Electrical and Electronics Engineers) standard that defines a set of operating-system services. Programs that adhere to the POSIX standard can be easily ported from one system to another. POSIX was based on UNIX system services, but it was created in a way that allows it to be implemented by other operating systems. PostScript A page-description language (PDL) developed by Adobe Systems for printing with laser printers. PostScript offers flexible font capability and high-quality graphics. It is the standard for desktop publishing because it is supported by imagesetters, the high-resolution printers used by printing services for commercial typesetting.

Glossary 245

Power-on self test (POST) A set of routines stored in read-only memory (ROM) that tests various system components such as RAM, the disk drives, and the keyboard, to see if they are properly connected and operating. If problems are found, these routines alert the user with a series of beeps or a message, often accompanied by a diagnostic numeric value. If the POST is successful, it passes control to the bootstrap loader. Primary partition A volume created using unallocated space on a basic disk. Windows 2000 and other operating systems can start from a primary partition. As many as four primary partitions can be created on a basic disk, or three primary partitions and an extended partition. Primary partitions can be created only on basic disks and cannot be subpartitioned. Printer control language (PCL) The page-description language (PDL) developed by Hewlett Packard for their laser and inkjet printers. Because of the widespread use of laser printers, this command language has become a standard in many printers. Priority A precedence ranking that determines the order in which the threads of a process are scheduled for the processor. Priority inversion The mechanism that allows low-priority threads to run and complete execution rather than being preempted and locking up a resource such as an I/O device. Private branch exchange (PBX) An automatic telephone switching system that enables users within an organization to place calls to each other without going through the public telephone network. Users can also place calls to outside numbers. Private key The secret half of a cryptographic key pair that is used with a public key algorithm. Private keys are typically used to digitally sign data and to decrypt data that has been encrypted with the corresponding public key.


Privilege A user’s right to perform a specific task, usually one that affects an entire computer system rather than a particular object. Administrators assign privileges to individual users or groups of users as part of the security settings for the computer. Privileged mode Also known as kernel mode, the processing mode that allows code to have direct access to all hardware and memory in the system. Process throttling A method of restricting the amount of processor time a process consumes, for example, using job object functions. Processor queue An instantaneous count of the threads that are ready to run on the system but are waiting because the processor is running other threads. Protocol A set of rules and conventions by which two computers pass messages across a network. Networking software usually implements multiple levels of protocols layered one on top of another. Windows NT and Windows 2000 include NetBEUI, TCP/IP, and IPX/SPX-compatible protocols. Proxy server A firewall component that manages Internet traffic to and from a local area network and can provide other features, such as document caching and access control. A proxy server can improve performance by supplying frequently requested data, such as a popular Web page, and can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files. Public key The non-secret half of a cryptographic key pair that is used with a public key algorithm. Public keys are typically used to verify digital signatures or decrypt data that has been encrypted with the corresponding private key.

Glossary 247

Public key cryptography A method of cryptography in which two different but complimentary keys are used: a public key and a private key for providing security functions. Public key cryptography is also called asymmetric key cryptography. Public switched telephone network (PSTN) Standard analog telephone lines, available worldwide.


Q QoS Admission Control Service A software service that controls bandwidth and network resources on the subnet to which it is assigned. Important applications can be given more bandwidth, less important applications less bandwidth. The QoS Admission Control Service can be installed on any network-enabled computer running Windows 2000. Quality of Service (QoS) A set of quality assurance standards and mechanisms for data transmission, implemented in Windows 2000. Quantum Also known as a time slice, the maximum amount of time a thread can run before the system checks for another ready thread of the same priority to run. Quarter-inch cartridge (QIC) An older storage technology used with tape backup drives and cartridges. A means of backing up data on computer systems, QIC represents a set of standards devised to enable tapes to be used with drives from different manufacturers. The QIC standards specify the length of tape, the number of recording tracks, and the magnetic strength of the tape coating, all of which determine the amount of information that can be written to the tape. Older QIC-80 drives can hold up to 340 MB of compressed data. Newer versions can hold more than 1 GB of information.

Glossary 249

R RAID-5 volume A fault-tolerant volume with data and parity striped intermittently across three or more physical disks. Parity is a calculated value that is used to reconstruct data after a failure. If a portion of a physical disk fails, you can recreate the data that was on the failed portion from the remaining data and parity. Also known as a striped volume with parity. Raster fonts Fonts that are stored as bitmaps; also called bit-mapped fonts. Raster fonts are designed with a specific size and resolution for a specific printer and cannot be scaled or rotated. If a printer does not support raster fonts, it will not print them. Rate counter Similar to an averaging counter, a counter type that samples an increasing count of events over time; the change in the count is divided by the change in time to display a rate of activity. Read-only memory (ROM) A semiconductor circuit that contains information that cannot be modified. Recoverable file system A file system that ensures that if a power outage or other catastrophic system failure occurs, the file system will not be corrupted and disk modifications will not be left incomplete. The structure of the disk volume is restored to a consistent state when the system restarts. Recovery Console A startable, text-mode command interpreter environment separate from the Windows 2000 command prompt that allows the system administrator access to the hard disk of a computer running Windows 2000, regardless of the file format used, for basic troubleshooting and system maintenance tasks.


Redundant array of independent disks (RAID) A method used to standardize and categorize fault-tolerant disk systems. Six levels gauge various mixes of performance, reliability, and cost. Windows 2000 provides three of the RAID levels: Level 0 (striping) which is not faulttolerant, Level 1 (mirroring), and Level 5 (striped volume with parity). Registry In Windows 2000, Windows NT, Windows 98, and Windows 95, a database of information about a computer’s configuration. The registry is organized in a hierarchical structure and consists of subtrees and their keys, hives, and entries. Relative ID (RID) The part of a security ID (SID) that uniquely identifies an account or group within a domain. Remote access server A Windows 2000 Server-based computer running the Routing and Remote Access service and configured to provide remote access. Remote procedure call (RPC) A message-passing facility that allows a distributed application to call services that are available on various computers in a network. Used during remote administration of computers. Removable Storage A service used for managing removable media (such as tapes and discs) and storage devices (libraries). Removable Storage allows applications to access and share the same media resources. Reparse points New NTFS file system objects that have a definable attribute containing user-controlled data and are used to extend functionality in the input/output (I/O) subsystem. RepeatKeys A feature that allows users with mobility impairments to adjust the repeat rate or to disable the key-repeat function on the keyboard. Request for Comments (RFC) A document that defines a standard. RFCs are published by the Internet Engineering Task Force (IETF) and other working groups.

Glossary 251

Resident attribute A file attribute whose value is wholly contained in the file’s file record in the master file table (MFT). Resolver DNS client programs used to look up DNS name information. Resolvers can be either a small “stub” (a limited set of programming routines that provide basic query functionality) or larger programs that provide additional lookup DNS client functions, such as caching. Resource publishing The process of making an object visible and accessible to users in a Windows 2000 domain. For example, a shared printer resource is published by creating a reference to the printer object in Active Directory. Resource record (RR) Information in the DNS database that can be used to process client queries. Each DNS server contains the resource records it needs to answer queries for the portion of the DNS namespace for which it is authoritative. Response time The amount of time required to do work from start to finish. In a client/server environment, this is typically measured on the client side. RGB The initials of red, green, blue. Used to describe a color monitor or color value. Roaming user profile A server-based user profile that is downloaded to the local computer when a user logs on and is updated both locally and on the server when the user logs off. A roaming user profile is available from the server when logging on to any computer that is running Windows 2000 Professional or Windows 2000 Server. Router A network device that helps LANs and WANs achieve interoperability and connectivity and that can link LANs that have different network topologies, such as Ethernet and Token Ring.


Routing The process of forwarding a packet through an internetwork from a source host to a destination host. Routing Information Protocol (RIP) An industry standard distance vector routing protocol used in small to medium sized IP and IPX internetworks. Routing table A database of routes containing information on network IDs, forwarding addresses, and metrics for reachable network segments on an internetwork. Rules An IPSec policy mechanism that governs how and when an IPSec policy protects communication. A rule provides the ability to trigger and control secure communication based on the source, destination, and type of IP traffic. Each rule contains a list of IP filters and a collection of security actions that take place upon a match with that filter list.

Glossary 253

S Safe Mode A method of starting Windows 2000 using basic files and drivers only, without networking. Safe Mode is available by pressing the F8 key when prompted during startup. This allows the computer to start when a problem prevents it from starting normally. Screen-enlargement utility A utility that allows the user to magnify a portion of the screen for greater visibility. (Also called a screen magnifier or large-print program.) Script A type of program consisting of a set of instructions to an application or utility program. A script usually expresses instructions by using the application’s or utility’s rules and syntax, combined with simple control structures such as loops and if/then expressions. “Batch program” is often used interchangeably with “script” in the Windows environment. SCSI connection A standard high-speed parallel interface defined by the X3T9.2 committee of the American National Standards Institute (ANSI). A SCSI interface is used to connect microcomputers to SCSI peripheral devices, such as many hard disks and printers, and to other computers and local area networks. Search filter An argument in an LDAP search that allows certain entries in the subtree and excludes others. Filters allow you to define search criteria and give you better control to achieve more effective and efficient searches. Secure Sockets Layer (SSL) A proposed open standard developed by Netscape Communications for establishing a secure communications channel to prevent the interception of critical information, such as credit card numbers. Primarily, it enables secure electronic financial transactions on the World Wide Web, although it is designed to work on other Internet services as well.


Security Accounts Manager (SAM) A protected subsystem that manages user and group account information. In Windows NT 4.0, both local and domain security principals are stored by SAM in the registry. In Windows 2000, workstation security accounts are stored by SAM in the local computer registry, and domain controller security accounts are stored in Active Directory. Security association (SA) A set of parameters that define the services and mechanisms necessary to protect Internet Protocol security communications. Security descriptor A data structure that contains security information associated with a protected object. Security descriptors include information about who owns the object, who may access it and in what way, and what types of access will be audited. Security event types Different categories of events about which Windows 2000 can create auditing events. Account logon or object access are examples of security event types. Security ID (SID) A data structure of variable length that uniquely identifies user, group, service, and computer accounts within an enterprise. Every account is issued a SID when the account is first created. Access control mechanisms in Windows 2000 identify security principals by SID rather than by name. Security method A process that determines the Internet Protocol security services, key settings, and algorithms that will be used to protect the data during the communication. Security Parameters Index (SPI) A unique, identifying value in the SA used to distinguish among multiple security associations existing at the receiving computer.

Glossary 255

Security principal An account-holder, such as a user, computer, or service. Each security principal within a Windows 2000 domain is identified by a unique security ID (SID). When a security principal logs on to a computer running Windows 2000, the Local Security Authority (LSA) authenticates the security principal’s account name and password. If the logon is successful, the system creates an access token. Every process executed on behalf of this security principal will have a copy of its access token. Security principal name A name that uniquely identifies a user, group, or computer within a single domain. This name is not guaranteed to be unique across domains. Seek time The amount of time required for a disk head to position itself at the right disk cylinder to access requested data. Serial Bus Protocol (SBP-2) A standard for storage devices, printers, and scanners that is a supplement to the IEEE 1394 specification. Serial connection A connection that exchanges information between computers or between computers and peripheral devices one bit at a time over a single channel. Serial communications can be synchronous or asynchronous. Both sender and receiver must use the same baud rate, parity, and control information. Serial device A device that uses a serial connection. SerialKeys A Windows feature that uses a communications aid interface device to allow keystrokes and mouse controls to be accepted through a computer’s serial port. Server A computer that provides shared resources to network users.


Server Message Block (SMB) A file-sharing protocol designed to allow networked computers to transparently access files that reside on remote systems over a variety of networks. The SMB protocol defines a series of commands that pass information between computers. SMB uses four message types: session control, file, printer, and message. Service access point A logical address that allows a system to route data between a remote device and the appropriate communications support. Service Pack A software upgrade to an existing software distribution that contains updated files consisting of patches and fixes. Service Profile Identifier (SPID) A 14-digit number that identifies a specific ISDN line. When establishing ISDN service, your telephone company assigns a SPID to your line. Service provider In TAPI, a dynamic link library (DLL) that provides an interface between an application requesting services and the controlling hardware device. TAPI supports two classes of service providers, media service providers and telephony service providers. Session key A key used primarily for encryption and decryption. Session keys are typically used with symmetric encryption algorithms where the same key is used for both encryption and decryption. For this reason, session and symmetric keys usually refer to the same type of key. Sfmmon A port monitor that is used to send jobs over the AppleTalk protocol to printers such as LaserWriters or those configured with AppleTalk or any AppleTalk spoolers. Shared folder permissions Permissions that restrict a shared resource’s availability over the network to certain users. Shiva Password Authentication Protocol (SPAP) A two-way, reversible encryption mechanism for authenticating PPP connections employed by Shiva remote access servers.

Glossary 257

Shortcut key navigation indicators Underlined letters on a menu or control. (Also called access keys or quickaccess letters.) ShowSounds A global flag that instructs programs to display captions for speech and system sounds to alert users with hearing impairments or people who work in a noisy location such as a factory floor. Simple Mail Transfer Protocol (SMTP) A protocol used on the Internet to transfer mail. SMTP is independent of the particular transmission subsystem and requires only a reliable, ordered, data stream channel. Simple Network Management Protocol (SNMP) A network management protocol installed with TCP/IP and widely used on TCP/IP and Internet Package Exchange (IPX) networks. SNMP transports management information and commands between a management program run by an administrator and the network management agent running on a host. The SNMP agent sends status information to one or more hosts when the host requests it or when a significant event occurs. Single-switch device An alternative input device, such as a voice activation program, that allows a user to scan or select using a single switch. Slot Storage locations for cartridges in a library managed by Removable Storage. SlowKeys A Windows feature that instructs the computer to disregard keystrokes that are not held down for a minimum period of time, which allows the user to brush against keys without any effect. Small Computer System Interface (SCSI) A standard high-speed parallel interface defined by the X3T9.2 committee of the American National Standards Institute (ANSI). A SCSI interface is used for connecting microcomputers to peripheral devices, such as hard disks and printers, and to other computers and local area networks.


Small Office/Home Office (SOHO) An office with a few computers that can be considered a small business or part of a larger network. Smart card A credit card-sized device that is used with a PIN number to enable certificate-based authentication and single sign-on to the enterprise. Smart cards securely store certificates, public and private keys, passwords, and other types of personal information. A smart card reader attached to the computer reads the smart card. Software trap In programming, an event that occurs when a microprocessor detects a problem with executing an instruction, which causes it to stop. SoundSentry A Windows feature that produces a visual cue, such as a screen flash or a blinking title bar instead of system sounds. Source directory The folder that contains the file or files to be copied or moved. Sparse file A file that is handled in a way that requires less disk space than would otherwise be needed by allocating only meaningful non-zero data. Sparse support allows an application to create very large files without committing disk space for every byte. Speech synthesizer An assistive device that produces spoken words, either by splicing together prerecorded words or by programming the computer to produce the sounds that make up spoken words. Stand-alone drive An online drive that is not part of a library unit. Removable Storage treats stand-alone drives as online libraries with one drive and a port.

Glossary 259

Status area The area on the taskbar to the right of the taskbar buttons. The status area displays the time and can also contain icons that provide quick access to programs, such as Volume Control and Power Options. Other icons can appear temporarily, providing information about the status of activities. For example, the printer icon appears after a document has been sent to the printer and disappears when printing is complete. StickyKeys An accessibility feature built into Windows that causes modifier keys such as SHIFT, CTRL, WINDOWS LOGO, or ALT to stay on after they are pressed, eliminating the need to press multiple keys simultaneously. This feature facilitates the use of modifier keys for users who are unable to hold down one key while pressing another. Stop error A serious error that affects the operating system and that could place data at risk. The operating system generates an obvious message, a screen with the Stop message, rather than continuing on, and possibly corrupting data. Also known as a fatal system error. Stop message A character-based, full-screen error message displayed on a blue background. A Stop message indicates that the Windows 2000 kernel detected a condition from which it cannot recover. Each message is uniquely identified by a Stop error code (a hexadecimal number) and a string indicating the error’s symbolic name. Stop messages are usually followed by up to four additional hexadecimal numbers, enclosed in parentheses, which identify developerdefined error parameters. A driver or device may be identified as the cause of the error. A series of troubleshooting tips are also displayed, along with an indication that, if the system was configured to do so, a memory dump file was saved for later use by a kernel debugger.


Streaming media servers Software (such as Microsoft Media Technologies) that provides multimedia support, allowing you to deliver content by using Advanced Streaming Format over an intranet or the Internet. Streams A sequence of bits, bytes, or other small structurally uniform units. Striped volume A volume that stores data in stripes on two or more physical disks. Data in a striped volume is allocated alternately and evenly (in stripes) to these disks. Striped volumes offer the best performance of all volumes available in Windows 2000, but they do not provide fault tolerance. If a disk in a striped volume fails, the data in the entire volume is lost. You can create striped volumes only on dynamic disks. Striped volumes cannot be mirrored or extended. In Windows NT 4.0, a striped volume was known as a stripe set. Subkey In the registry, a key within a key. Subkeys are analogous to subdirectories in the registry hierarchy. Keys and subkeys are similar to the section header in .ini files; however, subkeys can carry out functions. Subnet A subdivision of an IP network. Each subnet has its own unique subnetted network ID. Subnet mask A 32-bit value expressed as four decimal numbers from 0 to 255, separated by periods (for example, 255.255.0.0). This number allows TCP/IP to determine the network ID portion of an IP address. Subnet prioritization The ordering of multiple IP address mappings from a DNS server so that the resolver orders local resource records first. This reduces network traffic across subnets by forcing computers to connect to network resources that are closer to them.

Glossary 261

Subpicture A data stream contained within a DVD. The Subpicture stream delivers the subtitles and any other add-on data, such as system help or director’s comments, which can be displayed while playing multimedia. Symmetric key A single key that is used with symmetric encryption algorithms for both encryption and decryption. Symmetric key encryption An encryption algorithm that requires the same secret key to be used for both encryption and decryption. This is often called secret key encryption. Because of its speed, symmetric encryption is typically used rather than public key encryption when a message sender needs to encrypt large amounts of data. Synchronization Manager In Windows 2000, the tool used to ensure that a file or directory on a client computer contains the same data as a matching file or directory on a server. Syntax The order in which a command must be typed and the elements that follow the command. System access control list (SACL) The part of an object’s security descriptor that specifies which events are to be audited per user or group. Examples of auditing events are file access, logon attempts, and system shutdowns. System administrator A person that administers a computer system or network, including administering user accounts, security, storage space, and backing up data. System files Files that are used by Windows to load, configure, and run the operating system. Generally, system files must never be deleted or moved.


System media pool A pool used to hold cartridges that are not in use. The free pool holds unused cartridges that are available to applications, and the unrecognized and import pools are temporary holding places for cartridges that have been newly placed in a library. System policy In network administration, the part of Group Policy that is concerned with the current user and local computer settings in the registry. In Windows 2000, system policy is sometimes called software policy and is one of several services provided by Group Policy, a Microsoft Management Console (MMC) snap-in. The Windows NT 4.0 System Policy Editor, Poledit.exe, is included with Windows 2000 for backward compatibility. That is, administrators need it to set system policy on Windows NT 4.0 and Windows 95 computers. System Policy Editor The utility Poledit.exe, used by administrators to set system policy on Windows NT 4.0 and Windows 95 computers. System state data A collection of system-specific data that can be backed up and restored. For all Windows 2000 operating systems, the System State data includes the registry, the class registration database, and the system boot files. System volume The volume that contains the hardware-specific files needed to load Windows 2000. The system volume can be (but does not have to be) the same volume as the boot volume. Systemroot The path and folder name where the Windows 2000 system files are located. Typically, this is C:\Winnt, although a different drive or folder can be designated when Windows 2000 is installed. The value %systemroot% can be used to replace the actual location of the folder that contains the Windows 2000 system files. To identify your systemroot folder, click Start, click Run, and then type %systemroot%.

Glossary 263

T Taskbar The bar that contains the Start button and appears by default at the bottom of the desktop. You can use the taskbar buttons to switch between the programs you are running. The taskbar can be hidden, moved to the sides or top of the desktop, or customized in other ways. Taskbar button A button that appears on the taskbar when an application is running. Tcpmon.ini The file that specifies whether a device supports multiple ports. If the Tcpmon.ini file indicates that a device can support multiple ports, users a prompted to pick which port should be used during device installation. Telephony API (TAPI) An application programming interface (API) used by communications programs to communicate with telephony and network services. Terabyte Approximately one trillion bytes, or one million million bytes. Terminal Services Software services that allow client applications to be run on a server so that client computers can function as terminals rather than independent systems. The server provides a multisession environment and runs the Windowsbased programs being used on the clients. Thread A type of object within a process that runs program instructions. Using multiple threads allows concurrent operations within a process and enables one process to run different parts of its program on different processors simultaneously. A thread has its own set of registers, its own kernel stack, a thread environment block, and a user stack in the address space of its process.


Thread state A numeric value indicating the execution state of the thread. Numbered 0 through 5, the states seen most often are 1 for ready, 2 for running, and 5 for waiting. Throughput For disks, the transfer capacity of the disk system. Time To Live (TTL) A timer value included in packets sent over TCP/IP-based networks that tells the recipients how long to hold or use the packet or any of its included data before expiring and discarding the packet or data. For DNS, TTL values are used in resource records within a zone to determine how long requesting clients should cache and use this information when it appears in a query response answered by a DNS server for the zone. Timer bar The colored bar that moves across the screen according to the frequency of the data-collection update interval. ToggleKeys A Windows feature that beeps when one of the locking keys (CAPS LOCK, NUM LOCK, or SCROLL LOCK) is turned on or off. Token Ring A type of network media that connects clients in a closed ring and uses token passing to allow clients to use the network. Total instance A unique instance that contains the performance counters that represent the sum of all active instances of an object. Transitive trust relationship The trust relationship that inherently exists between Windows 2000 domains in a domain tree or forest, or between trees in a forest, or between forests. When a domain joins an existing forest or domain tree, a transitive trust is automatically established. In Windows 2000 transitive trusts are always twoway relationships.

Glossary 265

Transmission Control Protocol / Internet Protocol (TCP/IP) A set of software networking protocols widely used on the Internet that provide communications across interconnected networks of computers with diverse hardware architectures and operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic. Transmitting Station ID string (TSID) A string that specifies the Transmitter Subscriber ID sent by the fax machine when sending a fax to a receiving machine. This string is usually a combination of the fax or telephone number and the name of the business. It is often the same as the Called Subscriber ID. Transport Layer Security (TLS) A standard protocol that is used to provide secure Web communications on the Internet or intranets. It enables clients to authenticate servers or, optionally, servers to authenticate clients. It also provides a secure channel by encrypting communications. Transport protocol A protocol that defines how data should be presented to the next receiving layer in the Windows NT and Windows 2000 networking model and packages the data accordingly. The transport protocol passes data to the network adapter driver through the network driver interface specification (NDIS) interface and to the redirector through the Transport Driver Interface (TDI). TrueType fonts Fonts that are scalable and sometimes generated as bitmaps or soft fonts, depending on the capabilities of your printer. TrueType fonts are deviceindependent fonts that are stored as outlines. They can be sized to any height, and they can be printed exactly as they appear on the screen. Trusted forest A forest that is connected to another forest by explicit or transitive trust.


Trust relationship A logical relationship established between domains that allows pass-through authentication in which a trusting domain honors the logon authentications of a trusted domain. User accounts and global groups defined in a trusted domain can be granted rights and permissions in a trusting domain, even though the user accounts or groups do not exist in the trusting domain’s directory. Tunnel The logical path by which the encapsulated packets travel through the transit internetwork. TWAIN An acronym for Technology Without An Interesting Name. An industrystandard software protocol and API that provides easy integration of image data between input devices, such as scanners and still image digital cameras, and software applications. Two-way trust relationship A link between domains in which each domain trusts user accounts in the other domain to use its resources. Users can log on from computers in either domain to the domain that contains their account. Type 1 fonts Scalable fonts designed to work with PostScript devices.

Glossary 267

U Unallocated space Available disk space that is not allocated to any partition, logical drive, or volume. The type of object created on unallocated space depends on the disk type (basic or dynamic). For basic disks, unallocated space outside partitions can be used to create primary or extended partitions. Free space inside an extended partition can be used to create a logical drive. For dynamic disks, unallocated space can be used to create dynamic volumes. Unlike basic disks, the exact disk region used is not selected to create the volume. Unicode A fixed-width, 16-bit character-encoding standard capable of representing the letters and characters of the majority of the world’s languages. A consortium of U.S. computer companies developed Unicode. UniDriver The UniDriver (or Universal Print Driver) carries out requests (such as printing text, rendering bitmaps, or advancing a page) on most types of printers. The UniDriver accepts information from a printer specific minidriver and uses this information to complete tasks. Uniform Resource Locator (URL) An address that uniquely identifies a location on the Internet. A URL for a World Wide Web site is preceded with http://, as in the fictitious URL http://www.example.microsoft.com/. A URL can contain more detail, such as the name of a page of hypertext, usually identified by the file name extension .html or .htm. Universal Asynchronous Receiver/Transmitter (UART) An integrated circuit (silicon chip) that is commonly used in microcomputers to provide asynchronous communications. The UART does parallel-to-serial conversion of data to be transmitted and serial-to-parallel conversion of data received.


Universal Disk Format (UDF) A file system defined by the Optical Storage Technology Association (OSTA) that is the successor to the CD-ROM file system (CDFS). UDF is targeted for removable disk media like DVD, CD, and Magneto-Optical (MO) discs. Universal group A Windows 2000 group only available in native mode that is valid anywhere in the forest. A universal group appears in the Global Catalog but contains primarily global groups from domains in the forest. This is the simplest form of group and can contain other universal groups, global groups, and users from anywhere in the forest. Universal Naming Convention (UNC) A convention for naming files and other resources beginning with two backslashes (\), indicating that the resource exists on a network computer. UNC names conform to the \\SERVERNAME\SHARENAME syntax, where SERVERNAME is the server’s name and SHARENAME is the name of the shared resource. The UNC name of a directory or file can also include the directory path after the share name, with the following syntax: \\SERVERNAME\SHARENAME\DIRECTORY\FILENAME. Universal Serial Bus (USB) A serial bus with a bandwidth of 1.5 megabits per second (Mbps) for connecting peripherals to a microcomputer. USB can connect up to 127 peripherals, such as external CD-ROM drives, printers, modems, mice, and keyboards, to the system through a single, general-purpose port. This is accomplished by daisy chaining peripherals together. USB supports hot plugging and multiple data streams. UNIX A powerful, multi-user, multitasking operating system initially developed at AT&T Bell Laboratories in 1969 for use on minicomputers. UNIX is considered more portable—that is, less computer-specific—than other operating systems because it is written in C language. Newer versions of UNIX have been developed at the University of California at Berkeley and by AT&T.

Glossary 269

Unrecognized pool A repository for blank media and media that are not recognized by Removable Storage. Upgrade When referring to software, to update existing program files, folders, and registry entries to a more recent version. Upgrading, unlike performing a new installation, leaves existing settings and files in place. User account A record that consists of all the information that defines a user to Windows 2000. This includes the user name and password required for the user to log on, the groups in which the user account has membership, and the rights and permissions the user has for using the computer and network and accessing their resources. For Windows 2000 Professional and member servers, user accounts are managed by using Local Users and Groups. For Windows 2000 Server domain controllers, user accounts are managed by using Microsoft Active Directory Users and Computers. User Identification (UID) A user identifier that uniquely identifies a user. UNIX-bases systems use the UID to identify the owner of files and processes, and to determine access permissions. User mode The processing mode in which applications run. User name A unique name identifying a user account to Windows 2000. An account’s user name must be unique among the other group names and user names within its own domain or workgroup.


User principal name (UPN) A friendly name assigned to security principals (users and groups) that is shorter than the distinguished name and easier to remember. The default user principal name is composed of the security principal name for the user and the DNS name of the root domain where the user object resides. The user principal name is the preferred logon name for Windows 2000 users and is independent of the distinguished name, so a User object can be moved or renamed without affecting the user’s logon name. User profile A file that contains configuration information for a specific user, such as desktop settings, persistent network connections, and application settings. Each user’s preferences are saved to a user profile that Windows NT and Windows 2000 use to configure the desktop each time a user logs on. User rights Tasks a user is permitted to perform on a computer system or domain. There are two types of user rights: privileges and logon rights. An example of a privilege is the right to shut down the system. An example of a logon right is the right to log on to a computer locally (at the keyboard). Administrators assign both types to individual users or groups as part of the security settings for the computer. User rights policy Security settings that manage the assignment of rights to groups and user accounts. Utility Manager A function of Windows 2000 that allows administrators to review the status of applications and tools and to customize features and add tools more easily.

Glossary 271

V Value bar The area of the System Monitor graph or histogram display that shows last, average, minimum and maximum statistics for the selected counter. Vector fonts Fonts rendered from a mathematical model, in which each character is defined as a set of lines drawn between points. Vector fonts can be cleanly scaled to any size or aspect ratio. Video for Windows (VfW) A format developed by Microsoft for storing video and audio information. Files in this format have an .avi extension. AVI files are limited to 320 x 240 resolution at 30 frames per second, neither of which is adequate for fullscreen, full-motion video. Video Port Extensions (VPE) A DirectDraw extension to support direct hardware connections from a video decoder and autoflipping in the graphics frame buffer. VPE allows the client to negotiate the connection between the MPEG or NTSC decoder and the video port. VPE also allows the client to control effects in the video stream, such as cropping, scaling, and so on. Virtual Device Driver (VxD) Software for Windows that manages a hardware or software system resource. The middle letter in the abbreviation indicates the type of device; x is used where the type of device is not under discussion. Virtual memory The space on the hard disk that Windows 2000 uses as memory. Because of virtual memory, the amount of memory taken from the perspective of a process can be much greater than the actual physical memory in the computer. The operating system does this in a way that is transparent to the application, by paging data that does not fit in physical memory to and from the disk at any given instant.


Virtual private network (VPN) The extension of a private network that encompasses links across shared or public networks, such as the Internet. Virus scanner Software used to scan for and eradicate computer viruses, worms, and Trojan horses. Volume A portion of a physical disk that functions as though it were a physically separate disk. In My Computer and Windows Explorer, volumes appear as local disks, such as drive C or drive D. Volume mount points New system objects in the version of NTFS included with Windows 2000 that represent storage volumes in a persistent, robust manner. Volume mount points allow the operating system to graft the root of a volume onto a directory.

Glossary 273

W WDM Streaming class The means by which Windows 2000 Professional supports digital video and audio. Enables support for such components as DVD decoders, MPEG decoders, video decoders, tuners, and audio codecs. Wide area network (WAN) A communications network connecting geographically separated computers, printers, and other devices. A WAN allows any connected device to interact with any other on the network. Windows 2000 MultiLanguage Version A version of Windows 2000 that extends the native language support in Windows 2000 by allowing user interface languages to be changed on a per user basis. This version also minimizes the number of language versions you need to deploy across the network. Windows File Protection (WFP) A Windows 2000 feature that runs in the background and protects your system files from being overwritten. When a file in a protected folder is modified, WFP determines if the new file is the correct Microsoft version or if the file is digitally signed. If not, the modified file is replaced with a valid version. Windows Internet Name Service (WINS) A software service that dynamically maps IP addresses to computer names (NetBIOS names). This allows users to access resources by name instead of requiring them to use IP addresses that are difficult to recognize and remember. WINS servers support clients running Windows NT 4.0 and earlier versions of Windows operating systems. Windows Update A Microsoft-owned Web site from which Windows 98 and Windows 2000 users can install or update device drivers. By using an ActiveX control, Windows Update compares the available drivers with those on the user’s system and offers to install new or updated versions.


Winsock An application programming interface standard for software that provides TCP/IP interface under Windows. Short for Windows Sockets. Work queue item A job request of an existing library, made by an application that supports Removable Storage, which is placed in a queue and processed when the library resource becomes available. Workgroup A simple grouping of computers intended only to help users find such things as printers and shared folders within that group. Workgroups in Windows 2000 do not offer the centralized user accounts and authentication offered by domains. Working set For a process, the amount of physical memory assigned to a process by the operating system.

Glossary 275

X X.25 X.25 is a standard that defines the communications protocol for access to packet-switched networks. X.400 What is an ISO and ITU standard for addressing and transporting e-mail messages. It conforms to layer 7 of the OSI model and supports several types of transport mechanisms, including Ethernet, X.25, TCP/IP, and dialup lines. X.500 The X.500 is the standard for defining a distributed directory service standard and was developed by the International Standards Organization (ISO). This ISO and ITU standard defines how global directories should be structured. X.500 directories are hierarchical, which means that they have different levels for each category of information, such as country, state, and city. X.500 supports X.400 systems. X Window System X Windows is a standard set of display-handling routines developed at MIT for UNIX workstations. These routines are used to create hardwareindependent graphical user interfaces for UNIX systems.


Y Ymodem Ymodem is a variation of the Xmodem file transfer protocol that includes the following enhancements: 1. The ability to transfer information in 1-kilobyte (1,024-byte) blocks 2. The ability to send multiple files (batch file transmission) 3. Cyclical redundancy checking (CRC) 4. The ability to abort transfer by transmitting two CAN (cancel) characters in a row.

Glossary 277

Z ZIPI A MIDI-like serial data format for musical instruments. ZIPI provides a hierarchical method for addressing instruments and uses an extensible command set. Zero Wait State The condition of random access memory (RAM) that is fast enough to respond to the processor without requiring a wait states. Z axis (X axis) Used in defining specific graphical display locations. The optical axis that is perpendicular to X and Y axes.


Index 279

Index -AAC-3, 181 Accelerated Graphics Port (AGP), 181 Access Control Entry (ACE), 181 Access Control List (ACL), 181 Access Mask, 181 Access Token, 181 Accessibility, 182 Accessibility Status Indicators, 182 Accessibility Wizard, 182 Active Accessibility, 182 ActiveX, 182 Administrator, 182 Advanced Configuration and Power Interface (ACPI), 183 Advanced Power Management (APM), 183 Advertisement, 183 Allocation Unit, 183 American Standard Code For Information Interchange (ASCII), 183 Answer File, 184 Application Media Pool, 184 Application Programming Interface (API), 184 Architecture, 81, 101, 163, 164 Asymmetric Digital Subscriber Line (ADSL), 130, 178 Asynchronous Communication, 184 Asynchronous Transfer Mode (ATM), 4, 7, 58, 63, 184 Attribute (Object), 185 Auditing, 102, 104, 160, 162, 185 Authentication, 185

Authentication Header (AH), 185 Authoritative, 185 Automated Installation, 185 Automatic Caching, 185 Automatic Private IP Addressing (APIPA), 186 Available State, 186 Averaging Counter, 186 -BBackup Operator, 187 Backup Types, 187 Bad Block, 187 Bandwidth, 60, 79, 158, 187 Barcode, 187 Base File Record, 187 Baseline, 188 Basic Disk, 188 Basic Input/Output System (BIOS), 188 Basic Volume, 188 Batch Program, 188 Bidirectional Communication, 188 Binding, 189 Binding Order, 189 BIOS Parameter Block (BPB), 189 Boot Sector, 189 Bootable CD, 189 Bottleneck, 189 BounceKeys, 189 Bound Trap, 189 Browsing, 190 Bulk Encryption, 190 -CCable Modem, 191 Cache, 191

280 Index: 70-219 Certification

Cache File, 191 Caching, 191 Caching Resolver, 192 Callback Number, 191 CardBus, 192 Cartridge, 192 Central Processing Unit (CPU), 53, 76, 146, 154, 192 Certificate, 192 Certificate Services, 192 Certification Authority (CA), 193 Certified-for-Windows Logo, 193 Challenge Handshake Authentication Protocol (CHAP), 193 Change Journal, 193 Changer, 193 Child Object, 193 CIM (COM Information Model) Object Manager (CIMOM), 193 Ciphertext, 193 Client, 59, 69, 71, 103, 109, 161, 194 Cluster, 194 Cluster Remapping, 194 Code Page, 194 COM Port, 195 Commit a Transaction, 195 Common Internet File System (CIFS), 195 Compact Disc File System (CDFS), 195 Compact Disc Read-Only Memory (CD-ROM), 195 Compact Disc-Recordable (CD-R), 195 Compact Disc-Rewritable (CD-RW), 195

Complementary Metal-Oxide Semiconductor (CMOS), 195 Component Object Model (COM), 195 Computer Browser Service, 195 Confidentiality, 196 Connection, 129, 175 Console Tree, 196 Container Object, 196 Copy Backup, 196 -DDaily Backup, 197 Data Confidentiality, 197 Data Encryption Standard (Des), 197 Data Integrity, 197 Data Link Control (DLC), 197 Data Packet, 197 Deallocate, 197 Decommissioned State, 197 Decryption, 198 Default Gateway, 198 Defragmentation, 198 Desktop, 69, 198 Destination Directory, 198 Device, 198 Device Driver, 198 Device Manager, 198 Device Tree, 198 Differential Backup, 199 Digital, 199 Digital Audio Tape (DAT), 199 Digital Linear Tape (DLT), 199 Digital Signature, 199 Digital Subscriber Line (DSL), 16, 58, 199 Direct Hosting, 199 Direct Memory Access (DMA), 199

Index 281

Directory Service, 200 Disable, 200 Discretionary Access Control List (DACL), 200 Disk Bottleneck, 200 Disk Quota, 200 Dismount, 200 Distinguished Name, 200 Distributed File System (Dfs), 201 Distribution Folder, 201 DNS Server, 87, 111, 123, 201, 205 DNS Zone, 201 Domain Controller, 201 Domain Local Group, 202 Domain Name, 202 Domain Name System (DNS), 202 Domain Tree, 202 Dual Boot, 202 DVD, 202 DVD Decoder, 202 DVD Drive, 203 Dvorak Keyboard, 203 Dynamic Disk, 203 Dynamic Host Configuration Protocol (DHCP), 203 Dynamic Priority, 203 Dynamic Volume, 203 Dynamic-Link Library (DLL), 203 -EEmbedded Object, 204 Emergency Repair Disk (ERD), 204 Encapsulating Security Payload (ESP), 204 Encrypting File System (EFS), 204 Encryption, 204 Encryption Key, 205

Enhanced Integrated Drive Electronics (EIDE), 205 Enterprise Resource Planning (ERP), 205 Environment Variable, 205 Ethernet, 7, 61, 205 Exabyte, 205 Expire Interval, 205 Explicit Trust Relationship, 206 Export, 206 Extended Industry Standard Architecture (EISA), 206 Extended Partition, 206 Extensible Authentication Protocol (EAP), 206 Extensible Markup Language (XML), 13, 206 -FFAT32, 207 Fault Tolerance, 207 Fiber Distributed Data Interface (FDDI), 61, 207 File Allocation Table (FAT), 207 File Record, 207 File System, 207 File System Cache, 207 File Transfer Protocol (FTP), 207 Filter, 208 FilterKeys, 208 Firewall, 208 Folder Redirection, 118, 208 Forest, 37, 83, 208 Fragmentation, 208 Free Media Pool, 208 -GGatekeeper, 209


Gateway, 209 Global Catalog, 112, 117, 119, 208 Global Group, 209 Globally Unique Identifier (GUID), 210 Graphical Identification And Authentication (GINA), 210 Graphical User Interface (GUI), 210 Group, 69, 90, 96, 104, 122, 210 Group Identification (GID), 210 Group Memberships, 210 Group Policy, 90, 95, 108, 168, 183, 208, 210, 211, 262 Group Policy Object, 211 -HH.323, 212 Hardware Abstraction Layer (HAL), 212 Hardware Compatibility List (HCL), 77, 105, 157, 163, 212 Hardware Malfunction Message, 212 Hardware Profile, 212 Hardware Type, 213 Heartbeat Thread, 213 Hop, 213 Hosts, 213 Hot Keys, 213 Html+Time, 213 Human Interface Device (HID), 214 Hypertext Markup Language (HTML), 214 Hypertext Transfer Protocol (HTTP), 214 -II/O Request Packet (IRP), 215 IEEE 1284.4, 215 IEEE 1394 (Firewire), 215, 239, 255 Image Color Management (ICM), 215

Impersonation, 215 Import Media Pool, 215 Incremental Backup, 215 Independent Software Vendors (ISVs), 97, 215 Industry Standard Architecture (ISA), 216 Infrared (IR), 216 Infrared Data Association (IrDA), 216 Infrared Port, 216 Insert/Eject (IE) Port, 216 Instantaneous Counter, 217 Institute Of Electrical And Electronics Engineers (IEEE), 217 Integrated Device Electronics (IDE), 217 Integrated Services Digital Network (ISDN), 4, 16, 217 Integrity, 217 Intellimirror, 217 Interactive Logon, 218 Internet Control Message Protocol (ICMP), 218 Internet Information Services (IIS), 218 Internet Key Exchange (IKE), 218 Internet Locator Service (ILS), 218 Internet Printing Protocol (IPP), 218 Internet Protocol (IP), 218 Internet Protocol Security (IPSec), 218 Internet Service Provider (ISP), 29, 219 Internetwork Packet Exchange / Sequenced Packet Exchange (IPX/SPX), 219 Interrupt, 219 Interrupt Request (IRQ), 219 Intranet, 219 IP Address, 152, 153, 219

Index 283

IP Router, 198, 220 IPSec Driver, 220 IPSec Filter, 220 Ipsec Security Rules, 220 IrTran-p, 220 Isochronous, 220 -JJob Object, 221 -KKerberos Authentication Protocol, 222 Kernel, 222 Key, 222 Keyboard Filters, 222 -LLast Known Good Configuration, 223 Layer 2 Forwarding (L2F), 223 Layer Two Tunneling Protocol (L2TP), 223 Legend, 223 Library, 45, 136, 223 Library Request, 223 Lightweight Directory Access Protocol (LDAP), 93, 224 Lightweight Directory Access Protocol Application Programming Interface (LDAP API), 224 Line Printer Daemon (LPD), 224 Line Printer Port Monitor, 224 Line Printer Remote (LPR), 224 Linked Object, 224 Local Area Network (LAN), 4, 60, 225 Local Computer, 225 Local Group, 225 Local Security Authority (LSA), 225 Local User Profile, 225

Localmon.dll, 225 LocalTalk, 226 Locator Service, 226 Logical Drive, 226 Logical Volume, 226 Logon Script, 226 Long File Name (LFN), 227 Loopback Address, 227 -MMagazine, 228 Magneto-Optic (MO) Disk, 228 Magnifier, 228 Manual Caching, 228 Master Boot Record (MBR), 228 Master File Table (MFT), 228 Maximum Password Age, 228 Media, 228 Media Access Control (MAC), 228 Media Label Library, 228 Media Pool, 229 Media States, 229 Memory Leak, 229 Metric, 229 Microsoft Challenge Handshake Authentication Protocol Version 1 (MS-CHAP v1), 229 Microsoft Challenge Handshake Authentication Protocol Version 2 (MS-CHAP v2), 229 Microsoft Indexing Service, 230 Microsoft Internet Directory, 230 Microsoft Management Console (MMC), 230 Microsoft Point-to-Point Encryption (MPPE), 53, 149, 230 Microsoft Tape Format (MTF), 230


Minidrivers, 230 Minimum TTL, 231 Mirrored Volume, 231 Mixed Mode, 131, 178, 231 Mode Pruning, 231 Mount, 231 MouseKeys, 231 MP3, 232 MPEG-2, 232 MS-CHAPv2, 232 Multicast IP, 232 Multicasting, 232 Multihomed Computer, 232 Multiple Boot, 232 -NName Devolution, 233 Namespace, 233 Naming Service, 233 Narrator, 233 Native Mode, 131, 178, 233 NDIS Miniport Drivers, 233 Nested Groups, 234 NetBIOS Extended User Interface (NetBEUI), 107, 166, 234 NetBIOS over TCP/IP (NetBT), 234 NetWare, 10, 66, 86, 100, 234 Network Adapter, 234 Network Basic Input/Output System (NetBIOS), 234 Network Control Protocol (NCP), 234 Network Driver Interface Specification (NDIS), 234 Network File System (NFS), 234 Network Information Service (NIS), 235 Network News Transfer Protocol (NNTP), 235

Network Security Administrators, 235 Node, 235 Noncontainer Object, 235 Nonrepudiation, 235 Nonresident Attribute, 235 Nontransitive Trust Relationship, 236 Normal Backup, 236 Novell Directory Services (NDS), 93, 236 NT-1 (Network Terminator 1), 236 NTFS File System, 236 NTLM, 111, 236 NTLM Authentication Protocol, 237 NWLink, 107, 166, 237 -OObject, 90, 130, 177, 238 Object Linking and Embedding (OLE), 238 Offline Media, 238 On-Media Identifier (OMID), 238 On-Screen Keyboard, 238 Open Database Connectivity (ODBC), 238 Open Host Controller Interface (OHCI), 239 OpenType Fonts, 239 Operator Request, 239 Original Equipment Manufacturer (OEM), 239 Overclocking, 239 -PPackage, 240 Packet, 109, 169, 170, 240 Packet Assembler/Disassembler (PAD), 240 Page Fault, 240

Index 285

Page-Description Language (PDL), 240 Paging, 240 Paging File, 241 Parallel Connection, 241 Parallel Device, 241 Parallel Ports, 241 Parent Object, 241 Partition, 241 Password Authentication Protocol (PAP), 241 Path, 242 PC Card, 242 PCNFS Daemon (PCNFSD), 242 Performance Counter, 242 Performance Object, 242 Peripheral, 242 Peripheral Component Interconnect (PCI), 242 Permission, 242 Physical Location, 243 Physical Media, 243 Physical Object, 243 Ping, 79, 158, 159, 243 Pinning, 243 Plaintext, 243 Plug and Play, 243 Point and Print, 244 Point-to-Point Protocol (PPP), 244 Point-to-Point Tunneling Protocol (PPTP), 244 Portable Operating System Interface for UNIX (POSIX), 244 PostScript, 244 Power-On Self Test (POST), 245 Primary Partition, 245

Printer Control Language (PCL), 245 Priority, 245 Priority Inversion, 245 Private Branch Exchange (PBX), 245 Private Key, 245 Privilege, 246 Privileged Mode, 246 Process Throttling, 246 Processor Queue, 246 Protocol, 246 Protocol (PAP), 241 Proxy Server, 246 Public Key, 246 Public Key Cryptography, 247 Public Switched Telephone Network (PSTN), 247 -QQoS Admission Control Service, 248 Quality of Service (QoS), 248 Quantum, 248 Quarter-inch cartridge (QIC), 248 -RRAID-5 Volume, 249 Raster Fonts, 249 Rate Counter, 249 Read-Only Memory (ROM), 249 Recoverable File System, 249 Recovery Console, 249 Redundant Array of Independent Disks (RAID), 15, 249 Registry, 250 Relative ID (RID), 114, 250 Remote Access Server, 250 Remote Procedure Call (RPC), 250 Removable Storage, 250 Reparse Points, 250


RepeatKeys, 250 Request for Comments (RFC), 124, 250 Resident Attribute, 251 Resolver, 251 Resource Publishing, 251 Resource Record (RR), 251 Response Time, 251 RGB, 251 Roaming User Profile, 251 Router, 251 Routing Information Protocol (RIP), 252 Routing Table, 252 Rules, 252 -SSafe Mode, 253 Screen-Enlargement Utility, 253 Script, 253 Search Filter, 253 Secure Sockets Layer (SSL), 253 Security Accounts Manager (SAM), 74, 151, 254 Security Association (SA), 254 Security Descriptor, 254 Security Event Types, 254 Security ID (SID), 254 Security Method, 254 Security Parameters Index (SPI), 254 Security Principal, 255 Security Principal Name, 255 Seek Time, 255 Serial Bus Protocol (SBP-2), 255 Serial Connection, 255 Serial Device, 255 SerialKeys, 255

Server Message Block (SMB), 195, 256 Service Access Point, 256 Service Pack, 256 Service Profile Identifier (SPID), 256 Service Provider, 256 Session Key, 256 Sfmmon, 256 Shared Folder Permissions, 256 Shiva Password Authentication Protocol (SPAP), 256 Shortcut Key Navigation Indicators, 257 Simple Mail Transfer Protocol (SMTP), 130, 177, 257 Simple Network Management Protocol (SNMP), 257 Single-Switch Device, 257 Slot, 257 SlowKeys, 257 Small Computer System Interface (SCSI), 257 Small Office/Home Office (SOHO), 258 Smart Card, 258 Software Trap, 258 SoundSentry, 258 Source Directory, 258 Sparse File, 258 Speech Synthesizer, 258 Stand-Alone Drive, 258 Status Area, 259 StickyKeys, 259 Stop Error, 259 Stop Message, 259 Streaming Media Servers, 260 Streams, 260 Striped Volume, 260

Index 287

Subkey, 260 Subnet, 260 Subnet Mask, 260 Subnet Prioritization, 260 Subpicture, 261 Symmetric Key, 261 Symmetric Key Encryption, 261 Synchronization Manager, 261 Syntax, 261 System Access Control List (SACL), 261 System Administrator, 261 System Files, 261 System Media Pool, 262 System Policy, 262 System Policy Editor, 262 System State Data, 262 System Volume, 262 Systemroot, 262 -TTaskbar, 263 Tcpmon.ini, 263 Telephony API (TAPI), 263 Terabyte, 263 Terminal Services, 263 Thread, 264 Thread State, 264 Throughput, 79, 158, 264 Time To Live (TTL), 264 Timer Bar, 264 ToggleKeys, 264 Token Ring, 7, 61, 234, 251, 264 Total Instance, 264 Transitive Trust Relationship, 264 Transmission Control Protocol / Internet Protocol (TCP/IP), 66, 75, 107, 152, 166, 265

Transmitting Station ID String (TSID), 265 Transport Layer Security (TLS), 265 Transport Protocol, 265 TrueType Fonts, 265 Trust Relationship, 266 Trusted Forest, 265 Tunnel, 266 TWAIN, 266 Two-Way Trust Relationship, 266 Type 1 Fonts, 266 -UUnallocated Space, 267 Unicode, 267 UniDriver, 267 Uniform Resource Locator (URL), 267 Universal Asynchronous Receiver/Transmitter (UART), 267 Universal Disk Format (UDF), 268 Universal Group, 268 Universal Naming Convention (UNC), 268 Universal Serial Bus (USB), 268 UNIX, 10, 62, 86, 100, 123, 268 Unrecognized Pool, 269 Upgrade, 76, 78, 154, 156, 269 User Account, 269 User Identification (UID), 269 User Mode, 269 User Name, 269 User principal Name (UPN), 270 User Profile, 270 User Rights, 270 User Rights Policy, 270 Utility Manager, 270

288 Index: 70-219 Certification -VValue Bar, 271 Vector Fonts, 271 Video for Windows (VfW), 271 Video Port Extensions (VPE), 271 Virtual Device Driver (VxD), 271 Virtual Memory, 271 Virtual Private Network (VPN), 272 Virus Scanner, 272 Volume, 272 Volume Mount Points, 272 -WWDM Streaming Class, 273 Wide Area Network (WAN), 4, 67, 273 Windows 2000 MultiLanguage Version, 273 Windows File Protection (WFP), 273

Windows Internet Name Service (WINS), 91, 273 Windows Update, 273 Winsock, 274 Work Queue Item, 274 Workgroup, 274 Working Set, 274 -XX Window System, 275 X.25, 275 X.400, 275 X.500, 93, 275 -YYmodem, 276 -ZZ Axis (X Axis), 277 ZIPI, 277

292 Other Microsoft Books

Other Microsoft Certification books by TotalRecall Publications InsideScoop to MCP / MCSE Certification: Exam 70-219 Designing a Windows 2000 Directory Services Infrastructure ExamWise For MCP / MCSE Certification: Exam 70-219 Designing a Windows 2000 Directory Services Infrastructure ExamInsight For MCP / MCSE Certification: Exam 70-210 Managing Microsoft Windows 2000 Professional ExamInsight For MCP / MCSE Certification: Exam 70-216 Implementing and Administering a Microsoft Windows 2000 Network Infrastructure ExamInsight For MCP / MCSE Certification: Exam 70-217 Managing a Microsoft Directory Services Infrastructure ExamInsight For MCP / MCSE Certification: Exam 70-220 Designing Security for a Microsoft Windows 2000 Network ExamInsight For MCP / MCSE Certification: Exam 70-221 Designing a Microsoft Windows 2000 Network Infrastructure ExamInsight For MCP / MCSE Certification: Exam 70-227 Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition ExamInsight For MCP / MCSE Certification: Exam 70-270 Microsoft Windows XP Professional

Guarantee 293

Money Back Book Guarantee This guarantee applies only to books published by TotalRecall Press! We are so confident in our products, we are prepared to offer the following guarantee to YOU: If you do not pass the real Cisco CCNA 640-607 certification exam after two attempts, we will give money back! Visit www.TotalRecallPress.com Select “Money Back Book Guarantee” for details. Registered book purchasers will receive 1. Receive a 50% cash refund of purchase price OR 2. Receive a free TotalRecall Press book of equal value. To qualify for this TotalRecall Press Guarantee you must meet these requirements and perform the following tasks: 1. Register your purchase at the TotalRecall Press web site www.TotalRecallPress.com 2. Fail the corresponding exam twice ( No time Limit ) 3. Contact TotalRecall Press for the RMA # and to claim this guarantee Send email to [email protected] Subject must contain your Membership # or Registration # Ship the following, to the address listed below, to claim your refund. 1. RMA # from returned email 2. Documents of exam scores for both failed attempts 3. The 640-607 Book you have TotalRecall Press Attn: Corby Tate 1103 Middlecreek Friendswood, TX 77546 888-992-3131 [email protected] 281-992-3131 http://www.bfqlabs.com 281-482-5390 Fax http://www.bfq.com It's a Passing day here at the BeachFront. Thank you for using the TotalRecall Press Success Program.

Bruce Moran President

294 Practice Exam Offer

Microsoft 70-219 Practice Exam Offer BeachFrontQuizzer Inc. (BFQ) version 4.0 With the purchase of this book you qualify to purchase a Beachfront Quizzer, Inc. Practice exam at a $20 discount. Visit www.TotalRecallPress.com for details. Register your book purchase at www.TotalRecallPress.com Your Registration Code # = EI-02219-6000 System Requirements: Microsoft Windows OS Workstation Product line with a minimum of 6 MB hard disk space and 16 MB RAM

Call: 281-992-3131 Good Luck with your certification! Your Book Registration Number is EI-02219-6000 You cannot go wrong with this book because it is GUARANTEED: See details at www.TotalRecallPress.com

ExamInsight For MCP MCSE Certification: Microsoft Windows 2000 Directory Services Infrastructure Exam 70-219

ExamInsight For MCP MCSE Certification: Microsoft Windows 2000 Network Infrastructure Exam 70-221

ExamInsight For MCP MCSE Certification: Security for a Microsoft Windows 2000 Network Exam 70-220

MCSE Windows 2000 Active Directory Services Infrastructure Exam Cram 2 (Exam 70-217) (Exam Cram)

MCSE Training Kit Exam 70-219: Designing a Microsoft Windows 2000 Directory Services Infrastructure

MCSE Windows 2000 Active Directory Services Infrastructure Exam Cram 2 (Exam 70-217)(

MCSE Training Kit, Microsoft Windows 2000 Active Directory Services

MCSE: Windows 2000 Network Infrastructure Design Exam Notes

MCSE: Windows 2000 Network Infrastructure Design Exam Notes

MCSE Windows 2000 Network Infrastructure Exam Cram 2

MCSE : Windows 2000 Network Infrastructure Administration Exam Notes

MCSE Training Kit Microsoft Windows 2000: Network Infrastructure Administration

MCSE Windows 2000 Directory Services Design Exam Notes Exam 70-219

ExamInsight For CompTIA Security+ Certification Exam SY0-101 (ExamInsight)

MCSE: Windows 2000 Directory Services Design Study Guide, 2nd Edition

MCSE: Windows Directory Services Administration Study Guide

Microsoft Windows 2000 Core Requirements, Exam 70-216: Microsoft Windows 2000 Network Infrastructure Administration

MCSE: Windows 2000 Migration Exam Notes

Examwise for Designing a Microsoft Windows 2000 Directory Services Infrastructure Examination 70-219

MCSE Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure Exam Cram 2

MCSE Training Guide Windows 2000 Directory Services Infrastructure. Prüfung 70-217

MCSE Training Kit Upgrading to Microsoft Windows 2000: MCSE Training for Exam 70-222

MCSE Windows 2000 Server Exam Cram2 (Exam 70-215)

Microsoft® Windows® 2000 Active Directory™ Programming

Examinsight for Designing a Microsoft Windows 2000 Network Infrastructure Examination 70-221

MCSE Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam Cram 70-294)

MCSE Self-Paced Training Kit Exam 70-297): Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure: Exam 70-297); ... Active Directory and Network Infrastructure

MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)

MCSE Self-Paced Training Kit (Exam 70-297): Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure: (Exam 70-297); Designing ... Active Directory and Network Infrastructure

MCSE: Windows 2000 Network Infrastructure Design Study Guide

MCSE Training Guide Windows 2000 Network Infrastructure GERMAN

ExamInsight For MCP MCSE Certification: Microsoft Windows 2000 Directory Services Infrastructure Exam 70-219

ExamInsight For MCP MCSE Certification: Microsoft Windows 2000 Network Infrastructure Exam 70-221

ExamInsight For MCP MCSE Certification: Security for a Microsoft Windows 2000 Network Exam 70-220

MCSE Windows 2000 Active Directory Services Infrastructure Exam Cram 2 (Exam 70-217) (Exam Cram)

MCSE Training Kit Exam 70-219: Designing a Microsoft Windows 2000 Directory Services Infrastructure

MCSE Windows 2000 Active Directory Services Infrastructure Exam Cram 2 (Exam 70-217)(

MCSE Training Kit, Microsoft Windows 2000 Active Directory Services

MCSE: Windows 2000 Network Infrastructure Design Exam Notes

MCSE: Windows 2000 Network Infrastructure Design Exam Notes

MCSE Windows 2000 Network Infrastructure Exam Cram 2

MCSE : Windows 2000 Network Infrastructure Administration Exam Notes

MCSE Training Kit Microsoft Windows 2000: Network Infrastructure Administration

MCSE Windows 2000 Directory Services Design Exam Notes Exam 70-219

ExamInsight For CompTIA Security+ Certification Exam SY0-101 (ExamInsight)

MCSE: Windows 2000 Directory Services Design Study Guide, 2nd Edition

MCSE: Windows Directory Services Administration Study Guide

Microsoft Windows 2000 Core Requirements, Exam 70-216: Microsoft Windows 2000 Network Infrastructure Administration

MCSE: Windows 2000 Migration Exam Notes

Examwise for Designing a Microsoft Windows 2000 Directory Services Infrastructure Examination 70-219

MCSE Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure Exam Cram 2

MCSE Training Guide Windows 2000 Directory Services Infrastructure. Prüfung 70-217

MCSE Training Kit Upgrading to Microsoft Windows 2000: MCSE Training for Exam 70-222

MCSE Windows 2000 Server Exam Cram2 (Exam 70-215)

Microsoft® Windows® 2000 Active Directory™ Programming

Examinsight for Designing a Microsoft Windows 2000 Network Infrastructure Examination 70-221

MCSE Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure Exam Cram 2 (Exam Cram 70-294)

MCSE Self-Paced Training Kit Exam 70-297): Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure: Exam 70-297); ... Active Directory and Network Infrastructure

MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)

MCSE Self-Paced Training Kit (Exam 70-297): Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure: (Exam 70-297); Designing ... Active Directory and Network Infrastructure

MCSE: Windows 2000 Network Infrastructure Design Study Guide

MCSE Training Guide Windows 2000 Network Infrastructure GERMAN

Recommend Documents