
Chapter Summary

KEY TERMS

  • attribute

  • authentication scope

  • class

  • crossforest trust

  • external trust

  • Inter-Site Topology Generator

  • Knowledge Consistency Checker

  • name suffix

  • object identifier (OID)

  • one-way trust

  • Remote Procedure Call (RPC)

  • replication

  • Schema Admins group

  • shortcut trust

  • Simple Mail Transfer Protocol (SMTP)

  • site

  • site link

  • site link bridge

  • site link cost

  • SMTP

  • subnet

  • transitive trust

  • trust relationship

  • two-way trust

  • update sequence number (USN)

  • UPN suffix

Apply Your Knowledge

Exercises

To perform these exercises, you should have at least three computers, on two of which you have installed the root domain of an Active Directory forest named domain1.com, and a third domain controller on which you have installed the root domain of a second forest named domain2.com.

If you have only two computers available, you can complete exercises 3.1–3.2 and 3.4–3.8 first and then demote the domain2.com domain controller and re-install Active Directory on this computer as a second domain controller in the domain1.com domain. Then create a second site and place this domain controller in this site, according to the exercises in Chapter 2. You can then complete exercise 3.3.

3.1 Registering and Installing the Schema Snap-In

The first two exercises involve modifying the Active Directory Schema. This exercise shows you how to register and install the Active Directory Schema snap-in. You can do this from either forest root domain controller. By default, these computers hold the role of schema master for their respective forests.

Estimated Time: 5 minutes

  1. Click Start, Command Prompt.

  2. Type regsvr32 schmmgmt.dll and press Enter.

  3. You should receive a message informing you that the registration succeeded. Click OK and close the command prompt window.

  4. Click Start, Run, type mmc, and then click OK.

  5. Click File, Add/Remove Snap-In.

  6. In the Add/Remove Snap-In dialog box, click Add.

  7. In the Add Standalone Snap-In dialog box, select Active Directory Schema and then click Add.

  8. Click Close to return to the Add/Remove Snap-In dialog box.

  9. Click OK to add the Active Directory Schema snap-in to the blank MMC.

  10. Click File, Save, and on the Save As dialog box, type Schema.msc. Click Save to save the Active Directory Schema MMC in the Administrative Tools folder.

3.2 Creating Classes and Attributes

In this exercise, you create a new attribute named Salary Level. Then you create a new class named Human Resources and add the Salary Level attribute to the Human Resources class.

Estimated Time: 10 minutes

  1. The Active Directory Schema snap-in should still be open from Exercise 3.1. If not, click Start, Administrative Tools, Schema.msc.

  2. In the console tree, expand Active Directory Schema to reveal the Classes and Attributes folders.

  3. Right-click Attributes and select Create Attribute.

  4. The Schema Object Creation dialog box warns you that creating schema objects is a permanent operation. Click Continue to create the attribute.

  5. In the Create New Attribute dialog box, type the information in the following table:

     In This Field               Type the Following
     Common Name                 SalaryLevel
     LDAP Display Name           SalaryLevel
     Unique X.500 Object ID      1.2.840.113556.1.4.7000.141
     Description                 Salary Level
     Syntax                      (select Integer)
     Minimum and Maximum         (leave blank)

  6. Click OK.

  7. Right-click Classes and select Create Class.

  8. The Schema Object Creation dialog box warns you that creating schema objects is a permanent operation. Click Continue to create the class.

  9. In the Create New Schema Class dialog box, type the information in the following table:

     In This Field               Type the Following
     Common Name                 HumanResources
     LDAP Display Name           HumanResources
     Unique X.500 Object ID      1.2.840.113556.1.4.7000.17
     Description                 Human Resources
     Parent Class                (leave blank)
     Class Type                  (select Auxiliary)

  10. Click Next.

  11. In the next page of the Create New Schema Class dialog box, click Add under Optional.

  12. In the Select Schema Object dialog box, scroll down to the SalaryLevel attribute you just created and then click OK.

  13. This attribute is displayed in the Optional field of the Create New Schema Object dialog box. Click Finish.

  14. To verify creation of this class and attribute, expand Classes in the details pane of the Active Directory Schema console and scroll down to locate the HumanResources class. The SalaryLevel attribute should be displayed at the top of the details pane, along with several other attributes that were automatically assigned to this class when it was created.

  15. Close the Active Directory Schema console.
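The last step verifies the new class by scrolling through the snap-in. The script below, an added example that is not part of the book, does the same verification from a PowerShell prompt: it reads the schema naming context, checks that the SalaryLevel attribute carries the OID and Integer syntax typed in the attribute table and that the HumanResources auxiliary class lists it as optional, and then reports who is still a member of Schema Admins. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later, not with the Windows Server 2003 tools the exercise uses) and a forest root domain controller in domain1.com; the function names are invented for this example, and the syntax OID 2.5.5.9 with oMSyntax 2 is the schema's definition of Integer.

```powershell
# Added example, not from the book: verify the schema objects created in
# Exercise 3.2 and check Schema Admins membership afterwards.
# Assumes the ActiveDirectory module and a domain1.com forest root DC.
Import-Module ActiveDirectory

# attributeSyntax 2.5.5.9 together with oMSyntax 2 is the schema definition of Integer.
$IntegerSyntaxOid = '2.5.5.9'
$IntegerOmSyntax  = 2

function Get-SchemaObject {
    # Look up one attributeSchema or classSchema object by its LDAP display name.
    param([string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
        -Properties attributeID, attributeSyntax, oMSyntax, governsID, objectClassCategory, mayContain
}

function Test-ExerciseSchema {
    # Default values are the ones typed into the two tables of Exercise 3.2.
    param(
        [string]$AttributeName = 'SalaryLevel',
        [string]$AttributeOid  = '1.2.840.113556.1.4.7000.141',
        [string]$ClassName     = 'HumanResources',
        [string]$ClassOid      = '1.2.840.113556.1.4.7000.17'
    )
    $attr = Get-SchemaObject -LdapDisplayName $AttributeName
    $cls  = Get-SchemaObject -LdapDisplayName $ClassName
    [pscustomobject]@{
        AttributeExists     = [bool]$attr
        AttributeOidMatches = ($attr.attributeID -eq $AttributeOid)
        AttributeIsInteger  = ($attr.attributeSyntax -eq $IntegerSyntaxOid -and $attr.oMSyntax -eq $IntegerOmSyntax)
        ClassExists         = [bool]$cls
        ClassOidMatches     = ($cls.governsID -eq $ClassOid)
        ClassIsAuxiliary    = ($cls.objectClassCategory -eq 3)   # 1 = structural, 2 = abstract, 3 = auxiliary
        ClassMayContainAttr = ($cls.mayContain -contains $AttributeName)
    }
}

function Get-SchemaAdminsMembers {
    # Schema Admins exists only in the forest root domain; run this on domain1.com.
    Get-ADGroupMember -Identity 'Schema Admins' | Select-Object -ExpandProperty SamAccountName
}

Test-ExerciseSchema | Format-List

$members = @(Get-SchemaAdminsMembers)
if ($members.Count -gt 0) {
    Write-Warning "Schema Admins still has members: $($members -join ', ')"
} else {
    Write-Output 'Schema Admins is empty.'
}
```

The membership report is the security check: because schema changes are permanent and forest-wide, an account needs to sit in Schema Admins only while a change is actually being made, and the group can be emptied again as soon as the class and attribute show up correctly.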

3.3 Creating a Forest Trust

This exercise demonstrates how to create a two-way forest trust between the two domains. It assumes both forests are operating at the Windows Server 2003 forest functional level. You should perform this exercise from the domain1.com root domain controller.

Estimated Time: 10 minutes

  1. Click Start, Administrative Tools, Active Directory Domains and Trusts.

  2. In the console tree of Active Directory Domains and Trusts, right-click domain1.com and choose Properties.

  3. Select the Trusts tab of the Domain1.com Properties dialog box and then click New Trust to start the New Trust Wizard.

  4. On the Welcome to the New Trust Wizard page, click Next.

  5. On the Trust Name page, type domain2.com and then click Next.

  6. On the Trust Type page, select Forest Trust and then click Next.

  7. On the Direction of Trust page, select Two-Way and then click Next.

  8. On the Sides of Trust page, select Both This Domain and the Specified Domain and then click Next.

  9. On the User Name and Password page, type the name and password of an account that is a member of the Domain Admins group in the domain2.com forest. Unless you have changed it, this is the original administrator account created when installing Active Directory.

  10. On the Outgoing Trust Authentication Level—Local Domain page, choose Selective Authentication and then click Next.

  11. On the Outgoing Trust Authentication Level—Specified Domain page, choose Selective Authentication and then click Next.

  12. On the Trust Selections Complete page, review the choices you have made to make sure they are correct. If necessary, click Back and make any needed corrections. When the choices are correct, click Next to create the trust.

  13. On the Trust Creation Complete Page, click Next.

  14. On the Confirm Outgoing Trust page, click Yes, Confirm the Outgoing Trust and then click Next.

  15. On the Confirm Incoming Trust page, click Yes, Confirm the Incoming Trust and then click Next.

  16. When the Completing the New Trust Wizard page appears, click Finish to return to the Trusts tab of the domain1.com domain's Properties dialog box. The trust with the domain2.com domain should appear as both outgoing and incoming, with a trust type of External and a transitivity of No.

3.4 Validating a Forest Trust

In this exercise, you validate the trust you just completed in Exercise 3.3. You should perform this exercise from the domain2.com root domain controller.

Estimated Time: 5 minutes

  1. Click Start, Administrative Tools, Active Directory Domains and Trusts.

  2. In the console tree, right-click domain2.com and choose Properties.

  3. Select the Trusts tab of the Domain2.com Properties dialog box. domain1.com should appear in the two fields of this dialog box.

  4. Under Domains Trusted By This Domain (Outgoing Trusts), select domain1.com and click Properties.

  5. On the Domain1.com Properties dialog box, click Validate.

  6. You are asked whether you want to validate the incoming direction of trust. Click Yes, Validate the Incoming Trust, type the username and password of an account that is a member of the Domain Admins group for domain1.com, and then click OK.

  7. You should receive a confirmation message. Click OK.

  8. Click OK to close the Domain1.com Properties dialog box.

  9. Back in the Domain2.com Properties dialog box, select domain1.com under Domains That Trust This Domain (Incoming Trusts).

  10. Repeat steps 5–8 to validate the incoming trust.

3.5 Testing a Forest Trust

In this exercise, you attempt to access the domain2.com forest from the domain1.com forest. You should perform this exercise from the domain1.com root domain controller.

Estimated Time: 5 minutes

  1. Click Start, Run, type \\server (where server is the name of the domain2.com domain controller), and press Enter.

  2. Were you able to reach the other server? Why or why not?

     ___________________________________

     ___________________________________

     ___________________________________

  3. Click OK to close the message box.

3.6 Changing the Authentication Scope

In this exercise, you change the authentication scope of the trust relationship you just created. You can perform this exercise from either domain controller.

Estimated Time: 5 minutes

  1. If the Properties dialog box for your domain is not visible, right-click the domain name in the console tree of Active Directory Domains and Trusts and choose Properties.

  2. In the Domains Trusted by This Domain (Outgoing Trusts) field, select the name of the other domain and click Properties.

  3. Select the Authentication tab of the Properties dialog box.

  4. Select Domain-Wide Authentication and then click OK.

  5. Repeat steps 2 and 3 for the Domains That Trust This Domain (Incoming Trusts) field. Note that the authentication level has already changed to domainwide.

  6. Click OK to close the domain's Properties dialog box.

3.7 Testing a Forest Trust

In this exercise, you repeat Exercise 3.5 to attempt access to the other forest, now that the authentication scope has been changed in Exercise 3.6. You should perform this exercise from the domain1.com root domain controller.

Estimated Time: 5 minutes

  1. Click Start, Run, type \\server (where server is the name of the domain2.com domain controller), and press Enter.

  2. Were you able to reach the other server? Why or why not?

     ___________________________________

     ___________________________________

     ___________________________________

  3. Click OK to close the message box.
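Exercises 3.3 through 3.7 set and then change the properties of one trust through the Trusts tab. The script below, an added example that is not part of the book, reads the same information back for every trust of the current domain: it decodes the trustAttributes bit field so that direction, transitivity, authentication scope (selective versus domain-wide) and SID-filtering quarantine can be reviewed in one table. It assumes the ActiveDirectory PowerShell module and can be run on either forest root domain controller; the flag values are the ones documented for trustAttributes in MS-ADTS, and the function and column names are invented for this example.

```powershell
# Added example, not from the book: decode the trustAttributes value of
# every trust in the current domain so the direction, transitivity and
# authentication scope configured in Exercises 3.3 and 3.6 can be read
# from a prompt. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Bit flags of the trustAttributes attribute (MS-ADTS, trustAttributes).
$TrustFlags = [ordered]@{
    NonTransitive     = 0x01
    UplevelOnly       = 0x02
    QuarantinedDomain = 0x04   # SID filtering ("quarantine") on an external trust
    ForestTransitive  = 0x08   # the trust is a forest trust
    CrossOrganization = 0x10   # selective authentication
    WithinForest      = 0x20
    TreatAsExternal   = 0x40
    UsesRC4Encryption = 0x80
}

function ConvertFrom-TrustAttributes {
    # Return the names of all flags set in an integer trustAttributes value.
    param([int]$Value)
    @($TrustFlags.Keys | Where-Object { ($Value -band $TrustFlags[$_]) -ne 0 })
}

function Get-TrustKind {
    param([string[]]$Flags)
    if ($Flags -contains 'ForestTransitive') { return 'Forest' }
    if ($Flags -contains 'WithinForest')     { return 'Intra-forest' }
    return 'External'
}

function Get-TrustAudit {
    Get-ADTrust -Filter * -Properties trustAttributes | ForEach-Object {
        $flags = ConvertFrom-TrustAttributes -Value $_.trustAttributes
        [pscustomobject]@{
            Target       = $_.Target
            Direction    = $_.Direction   # Inbound, Outbound or BiDirectional
            Kind         = Get-TrustKind -Flags $flags
            Transitive   = ($flags -notcontains 'NonTransitive')
            AuthScope    = $(if ($flags -contains 'CrossOrganization') { 'Selective' } else { 'Domain-wide' })
            SidFiltering = ($flags -contains 'QuarantinedDomain')
            Flags        = ($flags -join ',')
        }
    }
}

Get-TrustAudit | Format-Table -AutoSize
```

After Exercise 3.3 the domain2.com row should show AuthScope as Selective, and after Exercise 3.6 as Domain-wide, which is exactly the difference behind the two different results in Exercises 3.5 and 3.7. Reviewing this table periodically is a cheap way to notice a trust whose scope was widened and never narrowed again.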

3.8 Creating and Configuring Sites

In this exercise, you rename the default site and create two additional sites. You then create a site link, move a domain controller to one of the new sites, assign subnets to the sites, and configure a site link bridge and preferred bridgehead servers.

Estimated Time: 15 minutes

  1. Log on as an administrator.

  2. Click Start, Administrative Tools, Active Directory Sites and Services.

  3. In the console tree, expand the Sites folder.

  4. Right-click Default-First-Site-Name and click Rename.

  5. Type Head Office as the name of this site.

  6. Right-click Sites and choose New Site.

  7. Type Factory as the name of this site, select the default site link, and then click OK.

  8. Repeat steps 6 and 7, specifying Branch Office as the name of this site.

  9. Expand the Inter-Site Transports folder, right-click IP, and choose New Site Link.

  10. Type Remote as the name of this site link, add Head Office and Branch Office to this link, and then click OK.

  11. Expand the Head Office site and then expand the Servers folder.

  12. Right-click the Server2 server and choose Move.

  13. In the Move Server dialog box, select the Branch Office site and then click OK.

  14. Right-click the Subnets folder and choose New Subnet.

  15. In the New Object—Subnet dialog box, type 192.168.1.0 in the Address box and 255.255.255.0 in the Mask box. Select Head Office as the site object for the subnet and then click OK.

  16. Repeat step 15, specifying an address and subnet mask of 192.168.2.0 and 255.255.255.0 for the Factory site.

  17. Repeat step 15 again, this time specifying an address and mask of 192.168.3.0 and 255.255.255.0 for the Branch Office site.

  18. In the Inter-Site Transports folder, right-click IP and choose Properties.

  19. In the IP Properties dialog box, clear the Bridge All Site Links check box and then click OK.

  20. Back in the Inter-Site Transports folder, right-click IP and choose New Site Link Bridge.

  21. In the New Site Link Bridge dialog box, type Branch Office as the name of the site link bridge. Select the default link and the Remote link and then click OK.

  22. In the console tree, right-click Server1 and choose Properties.

  23. In the Server1 Properties dialog box, click IP, click Add, and then click OK. This makes Server1 a preferred bridgehead server for the IP transport protocol.

  24. Repeat steps 22 and 23 with the Server2 server.

  25. Close Active Directory Sites and Services.

3.9 Configuring Intersite Replication Properties

Because intersite replication can take up a large fraction of bandwidth on a slow link, you can modify certain properties of intersite replication. In this exercise, you configure a two-hour interval for IP intersite replication and then specify that intersite replication will not take place during daytime (8 a.m. to 6 p.m.) hours. You also set the site link cost to 25.

Estimated Time: 5 minutes

  1. Click Start, Administrative Tools, Active Directory Sites and Services.

  2. If necessary, expand the Sites folder in the console tree to locate the Inter-Site Transports folder.

  3. Expand this folder and click IP. The details pane displays a site link named DEFAULTIPSITELINK.

  4. Right-click this link and choose Properties.

  5. On the General tab of the site link's Properties dialog box, type 120 in the text box labeled Replicate Every and then click Apply.

  6. Click Change Schedule to display the Schedule for DEFAULTIPSITELINK dialog box.

  7. Select the time interval of Monday 8:00 a.m. to Friday 6:00 p.m., select Replication Not Available, and then click OK.

  8. Back on the General tab of the site link's Properties dialog box, type 25 in the Cost text box and then click OK.

  9. The cost and replication values you configured are displayed in the details pane of the Active Directory Sites and Services snap-in. Close this snap-in.
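Exercises 3.8 and 3.9 build the site topology by hand: sites, subnets, a site link with a cost and a replication interval. The script below, an added example that is not part of the book, checks the part of that configuration that most often goes wrong in practice (Review Question 11 and the Billings scenario in the exam questions): it verifies that every domain controller's IPv4 address falls inside a subnet assigned to the site the controller is in, and it lists each site link with its cost and replication interval. It goes beyond the exercise in that it checks all domain controllers rather than Server1 and Server2 only. It assumes the ActiveDirectory PowerShell module; the function names and the CIDR arithmetic are mine and not part of any Microsoft tool.

```powershell
# Added example, not from the book: confirm that each domain controller's
# address is covered by a subnet of its own site, then summarise site links.
# Assumes the ActiveDirectory module; site and subnet names come from Exercise 3.8.
Import-Module ActiveDirectory

function ConvertTo-UInt32 {
    # Dotted IPv4 string -> unsigned 32-bit integer.
    param([string]$Ipv4)
    $bytes = [System.Net.IPAddress]::Parse($Ipv4).GetAddressBytes()
    [Array]::Reverse($bytes)            # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InSubnet {
    # True when $Address lies inside $Cidr, e.g. '192.168.3.17' in '192.168.3.0/24'.
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    if (-not $prefix -or $network -notmatch '^\d+\.\d+\.\d+\.\d+$') { return $false }   # skip IPv6 / malformed
    $bits = [int]$prefix
    $mask = if ($bits -eq 0) { [uint32]0 } else { [uint32](([uint64]0xFFFFFFFF -shl (32 - $bits)) -band 0xFFFFFFFF) }
    ((ConvertTo-UInt32 $Address) -band $mask) -eq ((ConvertTo-UInt32 $network) -band $mask)
}

function Get-SiteSubnetMap {
    # Hashtable: site name -> array of CIDR subnets assigned to it.
    $map = @{}
    foreach ($s in Get-ADReplicationSubnet -Filter *) {
        if (-not $s.Site) { continue }                      # subnet not assigned to any site
        $site = ($s.Site -split ',')[0] -replace '^CN='     # site DN -> site name
        if (-not $map.ContainsKey($site)) { $map[$site] = @() }
        $map[$site] += $s.Name
    }
    $map
}

function Test-DomainControllerSites {
    $map = Get-SiteSubnetMap
    foreach ($dc in Get-ADDomainController -Filter *) {
        $subnets = if ($map.ContainsKey($dc.Site)) { $map[$dc.Site] } else { @() }
        $match = $subnets | Where-Object { Test-IPv4InSubnet -Address $dc.IPv4Address -Cidr $_ } | Select-Object -First 1
        [pscustomobject]@{
            Server         = $dc.HostName
            Site           = $dc.Site
            IPv4Address    = $dc.IPv4Address
            MatchingSubnet = $match
            Status         = $(if ($match) { 'OK' } else { 'NO SUBNET FOR THIS ADDRESS IN ITS SITE' })
        }
    }
}

function Get-SiteLinkSummary {
    # Name, cost and interval of each site link, with the sites it joins.
    Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
        Select-Object Name, Cost, ReplicationFrequencyInMinutes,
            @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
}

Test-DomainControllerSites | Format-Table -AutoSize
Get-SiteLinkSummary | Format-Table -AutoSize
```

After Exercise 3.9 the DEFAULTIPSITELINK row should show a cost of 25 and an interval of 120 minutes. A domain controller flagged as having no matching subnet is the configuration behind slow logons at a branch office: clients at that location are not associated with their site, so they are not steered to the local domain controller.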

Review Questions

  1. What kinds of trusts can you create between two different Active Directory forests, and how do they differ?

  2. What is the purpose of a shortcut trust?

  3. What is the difference between a one-way incoming trust and a one-way outgoing trust?

  4. What is the purpose of name suffix routing?

  5. To add a new object and its attributes to the schema, what do you need to do first?

  6. What are explicit UPNs and UPN suffixes, and why would you want to use them?

  7. You are creating site link bridges manually and want to ensure the KCC uses your site link bridges. What should you do?

  8. What is the difference between the Inter-Site Topology Generator (ISTG) and the Knowledge Consistency Checker (KCC)?

  9. What are some differences between intersite and intrasite Active Directory replication? What is the major reason for these differences?

  10. How do you configure Active Directory to optimize the choice of multiple links between two sites, such as T1 and dial-up?

  11. Why do you need to specify IP subnets when configuring sites?

Exam Questions

  1. Evan has upgraded his company's Windows NT 4.0 domains to Windows Server 2003 and has consolidated two previous domains into a single domain that contains all 900 users and their computers. The previous domains represented two offices that have an ISDN link between them.

     Evan sets up two sites, one for each office, and configures a site link to use SMTP for replicating between the offices. However, the domain controllers in the two offices are unable to replicate with each other. What does Evan need to do?

    1. Install Internet Information Services (IIS) on a domain controller at each site, and configure IIS as an SMTP server.

    2. Install an enterprise certification authority (CA).

    3. Install a faster link such as a T1.

    4. Use IP replication rather than SMTP replication.

  2. Dorothy is a domain administrator for a large engineering company that operates a Windows Server 2003 forest with three domains. Her company has just acquired a Canadian subsidiary, which operates a single domain Windows 2000 forest. The two companies will be working together on future projects involving continent-wide locations, so she recommended to management that a forest trust be created between the companies' forests. Working from a domain controller in her company, Dorothy accesses the New Trust Wizard and enters the name of the Canadian company's domain. She discovers that the option to create a forest trust is unavailable. What needs to be done so that she can create a forest trust?

    1. Ask an administrator of the Canadian company to provide her with a user account in that company's domain.

    2. Ask an administrator of the Canadian company to add her domain user account to that company's Enterprise Admins group.

    3. Ask an administrator of the Canadian company to upgrade its domain to the Windows Server 2003 functional level.

    4. Dorothy should create a shortcut trust instead.

  3. John is creating a new site in his company's network; this site represents a branch office that the company is setting up. He opens the Active Directory Sites and Services console and accesses the New Object—Site dialog box. What additional piece of information does he need to specify?

    1. He needs to specify one or more subnets in the site.

    2. He needs to specify the name of a domain controller to be placed in the site.

    3. He needs to specify the licensing computer for the site.

    4. He needs to specify the site link to which the site will belong.

  4. Peter is configuring replication for his company, which operates two offices, one in Dallas and the other in Atlanta. The company has a 1.5Mbps T1 link, a 128Kbps ISDN link, and a 56Kbps dial-up link between the two sites. Which of the following site link cost values should he configure for the three links?

    1. 50 for the T1 link, 100 for the ISDN link, and 200 for the dial-up link.

    2. 50 for the T1 link, 100 for the dial-up link, and 200 for the ISDN link.

    3. 50 for the dial-up link, 100 for the ISDN link, and 200 for the T1 link.

    4. 50 for the ISDN link, 100 for the dial-up link, and 200 for the T1 link.

  5. Paul works for a state department of transportation that has just awarded a contract to a construction company to build a new highway linking the two largest cities in the state. The state government operates an Active Directory forest, within which the department of transportation operates a single child domain. The construction company operates a single domain Windows 2000 network. To build the highway, engineers at the construction company need access to resources at the department of transportation. What should Paul do to grant this access?

    1. Create a one-way external trust in which the department of transportation domain trusts the construction company domain.

    2. Create a one-way external trust in which the construction company domain trusts the department of transportation domain.

    3. Create a two-way external trust in which the two domains involved trust each other.

    4. Create a forest trust in which the construction company domain trusts the department of transportation domain.

  6. Kristin is a domain administrator for a company that has a Manhattan head office and two upstate remote offices. Users in the remote offices are complaining that the links are slow, so she checks the utilization of the links and discovers that they are running at 100% capacity. Checking further, Kristin discovers that nearly all the traffic on the links is Active Directory replication.

     On checking the replication schedule, Kristin discovers that replication should be taking place only once every six hours. What else should she be checking?

    1. The Ignore Schedule option.

    2. The Replication Not Available option.

    3. The Force Replication option.

    4. How many new users have been added at the various sites in the past few days.

  7. Mark is the senior network administrator of a high-tech company whose head office is in Boston. The company also operates branch offices in Dallas, Rio de Janeiro, Paris, and Winnipeg. Previously, the company operated five separate domains, one for each city in which it has an office. When Mark upgraded the network to Windows Server 2003, he consolidated the entire network into a single domain and created sites for each city. Each office has its own domain controllers and separate subnet configurations. After receiving several complaints about slow data transfer rates, Mark realized there was an extreme amount of replication traffic, so he checked Active Directory Sites and Services. Which of the following is the most likely reason for this amount of replication traffic?

    1. The branch office sites are missing bridgehead servers.

    2. All domain controllers are located in the Default-First-Site-Name site. Mark needs to move them to their respective sites.

    3. The site links are using RPC over IP for replication. Mark needs to reconfigure them to use SMTP.

    4. The replication topology is improperly configured. Mark needs to run the Knowledge Consistency Checker to alleviate this problem.

  8. Fred is a network administrator for a large company that has just acquired a smaller company. Both companies have operated their own Active Directory domains. Senior management has decided that they want to combine the two domains into a single domain with a series of OUs and several sites. The Active Directory schema in the smaller company contains several definitions that are not present in the schema of the large company, and Fred needs to extend the schema to include attributes taken from the old schema.

     Which of the following correctly describes what Fred must define for attributes being added to the schema?

    1. He can add new attributes only at installation time. An attribute definition includes a name, a unique object identifier (OID), a unique security ID (SID), a syntax that defines the type of data the attribute can hold, and optional range limits.

    2. He can add new attributes only during replication. An attribute definition includes a name, a unique OID, a syntax that defines the type of data the attribute can hold, and optional range limits.

    3. He can add new attributes at any time. An attribute definition includes a name, a unique OID, a syntax that defines the type of data the attribute can hold, and optional range limits.

    4. He can add new attributes at any time. An attribute definition includes a name, a nonunique OID, a unique SID, a syntax that defines the type of data the attribute can hold, and optional range limits.

  9. Maria is an enterprise administrator for an East Coast manufacturing company that has just merged with a similar company operating on the West Coast. She has configured external trusts between several domains in each forest, for which employees need access. These trusts all used domainwide authentication. Because management in her company wanted to keep the domain structure confidential, she had configured a UPN suffix of corp and configured all user accounts to use this suffix. An administrator in the other forest also configured a UPN suffix of corp for users in that forest.

     However, users were unable to access resources in the other forest, although they could access other domains in their own forest. Which two of the following would enable users to access resources in both forests?

    1. Maria needs to re-create the trust relationship as a forest trust.

    2. Maria needs to change the domainwide authentication scope to selective authentication.

    3. Users need to specify the domain in the other forest to which they want to log on.

    4. Maria should change the UPN suffix in use in her forest.

  10. Gwen's company has just merged operations with a former competitor. Both companies operate Windows Server 2003 Active Directory forests, each of which has three domains in a single tree. Managers at the second company would like to keep their operations as separate as possible; however, employees whose user accounts are in various domains of both forests need access to resources in all domains. What should Gwen do to enable access to the other forest with the least amount of effort?

    1. She should create a shortcut trust between child domains of the two forests.

    2. She should create a forest trust between the two forests.

    3. She should create an external trust between child domains of the two forests.

    4. She should inform her manager that the other company's forest should be reconfigured as a second tree in her company's forest.

  11. Roberta works for a company that has just opened a branch office in a neighboring city that is connected with a 128Kbps ISDN link. Her manager has requested that replication take place at least once a day during the daytime. However, the line is expected to be close to 90% utilized during the day, but only about 40% utilized during night hours.

     She needs to ensure that replication does not use too much bandwidth during the day, but that at night it will provide sufficient bandwidth to complete any synchronization. Which of the following should Roberta do to complete this request with the least amount of effort?

    1. Create two site links: one available only at night with the default replication interval and the other available only during the day with a replication interval of 6 hours.

    2. Create two site links: one available only at night with the default replication interval and the other available only from noon to 1 p.m. also with the default replication interval.

    3. Create two site links: one available only at night with the default cost and replication interval and one available only during the day with a site link cost of 500.

    4. Create one site link, available only at night with the default cost and replication interval. Once a day, force replication manually.

    5. Create one site link with the default cost and replication interval. Configure this link to be available from noon to 1 p.m. and also during the nighttime hours.

  12. Nancy is the network administrator for a company that operates a single domain Active Directory network encompassing three sites located in Cleveland, Nashville, and Columbus. The Cleveland and Nashville sites have three domain controllers, and Columbus has one domain controller. If the domain controller at Columbus were to fail, Nancy would like Active Directory traffic from this site to be processed at the Cleveland site rather than the Nashville site.

     Which of the following is the best method for Nancy to accomplish this task?

    1. She should eliminate the site link between Columbus and Nashville.

    2. She should create a site link bridge between Columbus and Cleveland.

    3. She should place the domain controller at Columbus in the same site as the Cleveland domain controllers.

    4. She should configure the site link cost of the link between Columbus and Cleveland to be lower than that of the link between Columbus and Nashville.

  13. A junior administrator in your company named Rick has just created a new one-way outgoing trust relationship between your company's domain and a supplier's domain. The purpose of this trust is to enable sales associates to place orders online with the suppliers so that they do not have to fax the orders. However, sales associates complain that they cannot access the supplier's domain. What should you do to enable access, while keeping resources in your company's domain secure?

    1. In the trust's Properties dialog box, change the authentication scope of the trust from selective authentication to domainwide.

    2. In the trust's Properties dialog box, change the direction of the trust from outgoing to incoming.

    3. Remove the trust relationship and create a new one-way incoming trust relationship.

    4. Remove the trust relationship and create a new two-way trust relationship.

  14. Linda works for a company that has just set up new offices in two neighboring cities. She has configured the site links and site link bridges for the network and ensured that replication is proceeding. When she describes this work to a coworker named Jason, he informs her that she didn't need to create the site link bridges. Why didn't she need to create the site link bridges?

    1. The sites will be automatically bridged.

    2. The infrastructure master will create the site link bridges.

    3. The global catalog server will create the site link bridges.

    4. Jason is misinformed; what Linda did was needed.

  15. In the past few weeks, your company's help desk has been receiving complaints from users whose accounts are in the USA.marketing.quepublishing.com domain; they complain that it is difficult to remember the appropriate domain name when logging on. In response to this problem, you create a new UPN suffix named quepublishing so that users should be able to log on with a name like user@quepublishing. However, users complain that they are unable to log on with this type of name. What do you need to do?

    1. Enable name suffix routing for the USA.marketing.quepublishing.com domain.

    2. In the properties of each affected user account, specify quepublishing as the UPN suffix in use.

    3. In the properties of each affected user account, append @quepublishing to the user's logon name.

    4. Delete and re-create each user's account, specifying quepublishing as the UPN suffix to be used.

  16. Phil's company has just merged with a competitor. Both companies operate Windows Server 2003 forests, each consisting of a single domain. Phil configures a two-way external trust relationship between the two domains so that users in each domain can access shared folders in the other domain, which is managed by Gertrude. He creates a group in his domain and adds users who need access to Gertrude's domain to this group. Gertrude also creates a group in her domain and adds users who need access to Phil's domain to this group. Both administrators configure the appropriate NTFS permissions for files and folders that need to be accessed.

     The next week, users in Phil's domain start calling the help desk, wondering why they cannot access the shared information in Gertrude's domain. Users in Gertrude's domain have no problems accessing resources in Phil's domain. Which of the following is the most likely reason for this access failure?

    1. The authentication scope of Phil's domain is set to domainwide authentication. Phil should set the scope to selective authentication.

    2. The authentication scope of Phil's domain is set to selective authentication. Phil should set the scope to domainwide authentication.

    3. The authentication scope of Gertrude's domain is set to domainwide authentication. Gertrude should set the scope to selective authentication.

    4. The authentication scope of Gertrude's domain is set to selective authentication. Gertrude should set the scope to domainwide authentication.

  17. Barry's company is expanding its North American operations to Europe. To accommodate the new operations, he needs to add several objects and attributes to the schema. His manager has added his user account to the Schema Admins group for this purpose. Working from a branch office domain controller, Barry attempts to locate the Active Directory Schema snap-in. He calls the help desk and asks to be given the appropriate permission to access this snap-in, but is told that this is not a permissions issue. Which two of the following does Barry need to do to access this snap-in?

    1. He must first register the Schema snap-in by using the regsvr32 command from the Run dialog box.

    2. He should contact the help desk manager because he has received incorrect advice from the support technician. He needs to belong to both the Schema Admins and Enterprise Admins groups to access this snap-in.

    3. He needs to install the Active Directory Schema snap-in to a new MMC console.

    4. He needs to go to the schema master computer to modify the schema. Because the domain controller he is working from does not have this snap-in, it must not be the schema master.

  18. In the process of upgrading their network from Windows NT 4.0 to Windows Server 2003, administrators at a western clothing outfitters company consolidated two domains representing office locations in Denver and Billings into a single domain. The two locations are connected with a dedicated ISDN line. Joanne, a junior administrator, created sites for both locations and assigned the domain controllers to their respective sites while working from the Denver location. The next week, users at Billings started complaining about slow logon and resource access. What should Joanne do to speed up access?

    1. Configure replication between Denver and Billings to take place only at off-peak times.

    2. Assign the subnet containing computers located in Billings to the Billings site.

    3. Add an explicit UPN suffix for the users in the Billings site.

    4. Obtain approval from management to upgrade the ISDN line to a T1 line.

Answers to Exercises

3.5 Testing a Forest Trust

  1. No. You cannot reach the other server because you configured the authentication scope as selective authentication. This setting requires a specific granting of access to the required server, which you did not configure.

3.7 Testing a Forest Trust

  1. Yes. You are now able to reach the other server because the authentication scope is now set to domainwide. This setting allows access to all resources according to NTFS permissions that may have been configured for specific files and folders.

Answers to Review Questions

  1. The two kinds of trust relationships between Active Directory forests are external trusts and forest trusts. External trusts exist between two specific domains in different forests. Forest trusts create transitive trust relationships between all domains in the forests involved. See the section "Interforest Trust Relationships."

  2. A shortcut trust is an additional trust relationship between two domains in the same forest that expedites the authentication process in a case where the normal authentication path would need to cross several domains. See the section "Trust Relationships Within an Active Directory Forest."

  3. A one-way incoming trust creates a one-way trust in which users in your (trusted) domain can be authenticated in the other (trusting) domain. Users in the other domain cannot be authenticated in your domain. A one-way outgoing trust creates a one-way trust in which users in the other (trusted) domain can be authenticated in your (trusting) domain. Users in your domain cannot be authenticated in the other domain. See the section "Establishing Trust Relationships."

  4. Name suffix routing is a mechanism that you can use to manage the routing of authentication requests across forests that are connected by forest trust relationships. It enables name suffixes that do not exist in one forest to be used to route authentication requests to another forest. See the section "Managing Trust Relationships."

  5. Before you can modify the schema, you need to first register the Active Directory Schema snap-in and then install it to a new MMC console. You use the regsvr32 command to register the snap-in. In addition, you need to be a member of the Schema Admins group to modify the schema. You also need to ensure that the schema master is online. See the section "Managing Schema Modifications."

  6. An explicit UPN is a name in the form of string1@string2, where an administrator can define values for both strings. The UPN suffix is the part of the UPN after the at (@) sign. You can define a UPN suffix to simplify logon procedures for users in a multidomain forest. This facilitates the logon procedure for users in domains with long domain names. It also can be used to hide the domain structure of the forest from users in external forests. See the section "Adding or Removing a UPN Suffix."

  7. By default, all site links are bridged. If you do not want to use default site link bridging, you need to disable the automatic site link bridging in the IP or SMTP properties. See the section "Site Link Bridges."

  8. The ISTG is a domain controller that creates the intersite replication topology. It considers the cost of intersite connections, checks whether any domain controllers have been added or removed, and provides this information to the KCC. The KCC is a process that runs automatically on all domain controllers and creates intrasite and intersite replication topologies. See the sections "Knowledge Consistency Checker" and "Inter-Site Topology Generator."

  9. Several of the differences between intersite and intrasite Active Directory replication are as follows: Intersite replication is compressed, whereas intrasite replication is not compressed; intersite replication can be configured to take place at certain times and intervals, whereas intrasite replication takes place automatically and frequently; intersite replication can use either RPC over IP or SMTP, whereas intrasite replication always uses RPC; and intersite replication takes place over WAN links according to site link costs that the administrator can configure, whereas intrasite replication takes place over all DCs according to a ring topology automatically created by the KCC. These differences exist because of the low bandwidth of slow-speed WAN connections between sites, and administrators can configure intersite replication so that it optimizes use of the slow link when other intersite traffic is minimal. See the section "Configuring Replication Schedules."

  10. You can optimize which of several types of links Active Directory prefers for intersite replication by specifying the site link cost parameter. This way, you can account for variables such as the monetary cost of an on-demand connection and the relative bandwidths and availability of different connection types. See the section "Configuring Site Link Costs."

  11. Active Directory has no means of associating IP subnets with different sites unless you tell it what subnet corresponds to which site. See the section "Configuring Site Links."

Answers to Exam Questions

  1. D. The problem with SMTP replication in this instance is that it does not replicate the domain partition of Active Directory, only the schema, configuration, and application partitions. To replicate the domain partition, Evan must configure replication to use RPC over IP. It is true that SMTP replication requires an enterprise CA to work; however, just installing the CA would not allow replication of the domain partition. Therefore, answer B is incorrect (however, it would be correct if the two sites were in different domains). The SMTP packets can be sent directly between the domain controllers without the need for mail servers; therefore, answer A is incorrect. Installing a faster link such as a T1 will not help; therefore, answer C is incorrect. See the section "Configuring Replication Schedules."

  2. C. To create a forest trust, both forests must be operating at the Windows Server 2003 functional level. Therefore, the Canadian company needs to upgrade its domain controllers to Windows Server 2003 and then raise the domain and forest functional levels. This is not an issue of domain accounts or membership in the Enterprise Admins group. Therefore, answers A and B are wrong. A shortcut trust connects two child domains in the same forest, not different forests. Therefore, answer D is wrong. Note that Dorothy could instead create external trusts between the domains involved; however, this option was not offered. See the section "Establishing Trust Relationships."

  3. D. The New Object—Site dialog box asks for the name of the site and the site link object. John should perform all the other tasks later; however, he cannot specify these tasks from this dialog box. Therefore, answers A, B, and C are wrong. See the section "Creating Sites."

  4. A. The site link cost is a value that determines which link will be given priority in replication. The KCC uses this information to determine the optimum link to be used during replication. When available, it uses the link with the lowest cost. Therefore, Peter should assign the lowest cost to the T1 line, the next higher cost to the ISDN line, and the highest cost to the dial-up link. Consequently, answers B, C, and D are incorrect. See the section "Configuring Site Link Costs."

  5. A. In this scenario, engineers at the construction company need access to resources at the department of transportation domain. Therefore, the department of transportation domain needs to trust the construction company domain. Employees of the department of transportation do not need access to the construction company domain. Therefore, the construction company domain does not need to trust the department of transportation domain, and answers B and C are wrong. Other domains in the government do not need to participate in the trust relationship; therefore, answer D is wrong. See the section "Interforest Trust Relationships."

  6. A. If the Ignore Schedules check box is selected, replication can take place at any time of the day or night, and the configured schedule is ignored. Kristin needs to clear this check box so that the schedule is followed. She can use the Replication Not Available option if she does not want replication to take place at certain times. Because she does want replication to take place at six-hour intervals, she does not need this option, and answer B is incorrect. There is no Force Replication option. Therefore, answer C is incorrect. Even if a large number of users have been added recently, the replication traffic should not tie up the link to that extent. Therefore, answer D is incorrect. See the section "Configuring Replication Schedules."

  7. B. By default, the domain controllers are all placed in the Default-First-Site-Name site, and Mark needs to move them to the proper sites. The process of merely creating the sites and assigning the subnets to the sites is insufficient. When new sites are established, the Inter-Site Topology Generator (ISTG) automatically creates bridgehead servers, so answer A is wrong. SMTP is used to replicate schema and configuration partitions only between domains, and is not used within domains, so answer C is wrong. The Knowledge Consistency Checker (KCC) automatically creates and manages the intersite replication topology and does not need to be manually run, so answer D is wrong. See the section "Active Directory Site Topology."

  8. C. After registering and installing the Schema snap-in, a member of the Schema Admins group can add new attributes to the schema at any time, not just when it is installed or during replication. Therefore, answers A and B are wrong. Attributes are used to define the properties of objects—for example, the "last name" property of a user object. The attribute requires a unique OID, a descriptive name, a syntax that defines the type of data the attribute can hold including a minimum and maximum value, and optional range limits. The attribute definition does not include a unique SID. Therefore, answer D is wrong. See the section "Managing Schema Modifications."

  9. C, D. When more than one forest uses the same UPN suffix, users can use it only to log on to a domain in the same forest. Therefore, they were unable to log on to a domain in the other forest. As it stands, users can log on to the other forest if the domain name is selected in the Log On to Windows dialog box. Alternatively, one of the administrators can change the UPN suffix in use. It does not matter whether an external or forest trust relationship is in use if the UPN suffix is the same; therefore, answer A is incorrect. This is not a matter of authentication scope; domainwide authentication should work here. Therefore, answer B is incorrect. See the section "Adding or Removing a UPN Suffix."

  10. B. The purpose of a forest trust is to create transitive trust relationships between all domains of the forests involved. In this scenario, because employees need access to more than one domain in the other company's forest, it is best to create a forest trust. Gwen could create external trusts between various child domains; however, this approach would take far more administrative effort. Therefore, answer C is wrong. A shortcut trust is a shortened path between two child domains in the same forest and is not used between domains in different forests. Therefore, answer A is wrong. There is no need to reconfigure the other company's forest as a second tree in her company's forest. Therefore, answer D is wrong. See the section "Interforest Trust Relationships."

  11. E. Roberta needs only to configure one site link. She should click the Change Schedule button on the Properties dialog box, and specify that replication be available from noon to 1 p.m. and also during nighttime hours. This enables her to meet both the requirement for at least one replication during the day and the need for complete overnight synchronization. By allowing the daytime link to replicate only between noon and 1 p.m., she has selected a time when traffic would likely be lower. If she were to set a six-hour daytime replication interval, replication would take place some time during the day; however, she does not need more than one daytime replication. Therefore, answer A is wrong. Roberta could also configure two site links with two distinct replication schedules. However, this would take more effort than creating a single link, so answer B is wrong. Site link costs do not influence replication intervals; they only enable the KCC to select the optimum link. Therefore, answer C is wrong. Roberta could manually force replication once a day; however, doing so takes daily effort. Therefore, answer D is wrong. See the section "Configuring Replication Schedules."

  12. D. The site link cost determines the preferential replication path (in this case, Columbus to Cleveland). Replication traffic proceeds over this link if at all possible, and over the higher cost link (in this case, Nashville) if a server at the other link cannot satisfy the request that has been made.

  13. It is important for intersite replication traffic to have all possible links available so that any queries or other traffic can proceed optimally. Therefore, answer A is wrong. A site link bridge consists of two or more links with one site in common, across which intersite replication traffic can take place. The cost of the site link bridge is equal to the sum of the costs of the individual links in the bridge. This would not help with the current scenario. Therefore, answer B is wrong. Placing the Columbus domain controller in the same site as the Cleveland domain controller would direct preferential replication between these two cities, but unless a very high speed link were available, the high replication frequency could overwhelm the link. Therefore, answer C is wrong. See the section "Configuring Site Link Costs."
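The site link cost rule in answers 4, 12 and 13 (lowest total cost wins, a bridged path costs the sum of its links, a higher-cost link is used only when the preferred one is unavailable) can be worked through with a small model. This is an added example written for this chapter summary, not the KCC's own code; the site names, link names and costs are constructed.

```python
import heapq

# Constructed site-link table for illustration (not from the book):
# (site link name, cost, sites joined by the link). Lower cost is preferred.
SITE_LINKS = [
    ("Columbus-Cleveland", 100, ("Columbus", "Cleveland")),
    ("Cleveland-Nashville", 200, ("Cleveland", "Nashville")),
    ("Nashville-Columbus", 300, ("Nashville", "Columbus")),
    ("Cleveland-Denver", 500, ("Cleveland", "Denver")),
]


def build_graph(links, exclude_links=()):
    """Adjacency map: site -> list of (neighbour, cost, link name).
    Links named in exclude_links are treated as currently unavailable."""
    graph = {}
    for name, cost, sites in links:
        if name in exclude_links:
            continue
        for a in sites:
            for b in sites:
                if a != b:
                    graph.setdefault(a, []).append((b, cost, name))
    return graph


def cheapest_path(links, src, dst, bridge_all=True, exclude_links=()):
    """Return (total cost, [sites on the path]) for the lowest-cost route
    from src to dst, or (None, []) when no route exists.

    bridge_all=True models the default 'Bridge all site links' setting:
    links that share a site are chained and the path cost is the sum of
    the individual link costs. bridge_all=False permits only a direct link."""
    graph = build_graph(links, exclude_links)
    if not bridge_all:
        direct = [cost for nxt, cost, _ in graph.get(src, []) if nxt == dst]
        return (min(direct), [src, dst]) if direct else (None, [])
    # Dijkstra over the site-link graph: pick the lowest cumulative cost,
    # which is the preference the KCC/ISTG applies when building the topology.
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, site = heapq.heappop(heap)
        if site == dst:
            break
        if d > dist[site]:
            continue
        for nxt, cost, _ in graph.get(site, []):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt], prev[nxt] = nd, site
                heapq.heappush(heap, (nd, nxt))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


if __name__ == "__main__":
    # Preferred direct link, then failover when that link is down,
    # then the effect of turning bridging off for a multi-hop route.
    print(cheapest_path(SITE_LINKS, "Cleveland", "Columbus"))
    print(cheapest_path(SITE_LINKS, "Cleveland", "Columbus",
                        exclude_links={"Columbus-Cleveland"}))
    print(cheapest_path(SITE_LINKS, "Denver", "Columbus", bridge_all=False))
```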

  14. C. In this scenario, Rick created a trust relationship in the wrong direction. You have to delete and re-create the trust because it is not possible to reverse the direction of the trust relationship from the Properties dialog box of the trust. Therefore, answer B is wrong. Changing the authentication scope of the trust does not help. Therefore, answer A is wrong. Creating a two-way trust is not necessary; doing so reduces security because employees of the supplier company could then access your domain. Therefore, answer D is wrong. For more information, see the section "Managing Trust Relationships."

  15. A. Active Directory automatically creates the site link bridges. A site link bridge is a chain of site links that allows any two domain controllers to communicate directly with each other. Infrastructure masters and global catalog servers have nothing to do with site link bridges, so answers B and C are wrong. Because the site link bridges are automatically created, answer D is wrong. See the section "Site Link Bridges."

  16. B. By adding a UPN suffix, you can simplify logon procedures for all users in the forest. It is helpful for users with long child domain names, such as in this example. However, for the users to log on with the added UPN suffix, you need to specify the UPN suffix in the Account tab of the user's Properties dialog box in Active Directory Users and Computers. Name suffix routing is used in routing authentication requests between forests connected by a forest trust. Therefore, answer A is wrong. You cannot simply add the UPN suffix to the user's logon name; therefore, answer C is wrong. You do not need to delete and re-create any user accounts. Therefore, answer D is wrong. See the section "Adding or Removing a UPN Suffix."

  17. D. The authentication scope controls how access is granted to resources in the trusting domain. Domainwide authentication allows users from the trusted domain to access all resources in the local domain. Selective authentication does not create any default access to resources; you must grant access to each server that users need to access. In this case, Gertrude's domain is the trusting domain, and because its authentication scope was set to selective, users from Phil's domain were unable to reach her domain. She needs either to grant specific access to required resources or to reset the authentication scope to domainwide. If Phil's domain were set to selective authentication, users in Gertrude's domain would be unable to access resources in Phil's domain. Therefore, answer B is incorrect. Because domainwide authentication allows users to access all resources, answers A and C are incorrect. See the section "Managing Trust Relationships."
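The trust direction and authentication scope rules behind answers 3, 5, 14 and 17 (only the trusting domain's resources are reachable, domainwide authentication opens every server, selective authentication opens only servers with an explicit grant) can be modelled as a small decision function. This is an added example, not the book's or Windows' code; the domain names, servers and group names are constructed, and NTFS permissions, which are evaluated after authentication, are left out.

```python
from dataclasses import dataclass, field


@dataclass
class Trust:
    """One direction of trust. A two-way trust is simply two Trust objects."""
    trusting: str                 # domain whose resources can be reached
    trusted: str                  # domain whose users get authenticated
    scope: str = "domainwide"     # or "selective"
    # Selective authentication: (server, principal) pairs that have been
    # granted the Allowed to Authenticate permission on that server.
    allowed_to_authenticate: set = field(default_factory=set)


def grant_authenticate(trusts, trusting, server, principal):
    """Record an Allowed to Authenticate grant on a server in the trusting domain."""
    for t in trusts:
        if t.trusting == trusting:
            t.allowed_to_authenticate.add((server, principal))


def can_authenticate(trusts, user_domain, user_principals, server, server_domain):
    """Return (allowed, reason) for a user from user_domain trying to
    authenticate to server in server_domain. user_principals is the user's
    own name plus the groups the user belongs to."""
    if user_domain == server_domain:
        return True, "same domain; no trust required"
    matching = [t for t in trusts
                if t.trusted == user_domain and t.trusting == server_domain]
    if not matching:
        return False, f"{server_domain} does not trust {user_domain}"
    trust = matching[0]
    if trust.scope == "domainwide":
        return True, "domainwide authentication"
    granted = {p for s, p in trust.allowed_to_authenticate if s == server}
    if granted & set(user_principals):
        return True, f"selective authentication: granted on {server}"
    return False, f"selective authentication: no grant on {server}"


# Constructed scenario (not from the book): two-way external trust between
# phil.example and gertrude.example, but Gertrude's side of the trust (her
# domain as the trusting domain) is set to selective authentication.
TRUSTS = [
    Trust(trusting="phil.example", trusted="gertrude.example"),
    Trust(trusting="gertrude.example", trusted="phil.example", scope="selective"),
]

# One-way trust as in answer 14: only the supplier's domain trusts ours.
ONE_WAY = [Trust(trusting="supplier.example", trusted="ours.example")]


if __name__ == "__main__":
    phil_user = ["bob", "Gertrude-Access"]
    print(can_authenticate(TRUSTS, "phil.example", phil_user, "GFS1", "gertrude.example"))
    print(can_authenticate(TRUSTS, "gertrude.example", ["ann"], "PFS1", "phil.example"))
    grant_authenticate(TRUSTS, "gertrude.example", "GFS1", "Gertrude-Access")
    print(can_authenticate(TRUSTS, "phil.example", phil_user, "GFS1", "gertrude.example"))
    print(can_authenticate(ONE_WAY, "supplier.example", ["sam"], "FS1", "ours.example"))
```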

  18. A, C. By default, the Active Directory Schema snap-in is not present when a domain controller is installed, so Barry needs to install it. First, he needs to register the Schema snap-in by using the regsvr32 command from the Run dialog box. He cannot install this snap-in until he performs this step. This extra step is an additional security measure because of the importance of schema modifications. Barry does not need to belong to the Enterprise Admins group to access the Schema snap-in. Therefore, answer B is wrong. He does not need to be at the schema master because he can connect to it from another computer. Therefore, answer D is wrong. See the section "Managing Schema Modifications."

  19. B. When Joanne upgraded the domains to Windows Server 2003 and Active Directory, creating a single domain from the two domains that previously existed, initially all objects in the directory from both locations were assigned to the first site. When she created a site for the Billings location, by default no subnets were assigned to it; consequently, client computers and member servers in Billings thought they were in the Denver site, and all authentication and resource access traffic went across the ISDN link to Denver. If Joanne assigns the Billings subnet to its site, this traffic is handled locally for all resources in its site. This is not a replication issue; therefore, answer A is incorrect. Explicit UPNs are used to simplify logon procedures in a multidomain forest. They are not needed in a single-domain operation; therefore, answer C is incorrect. Because this is an issue of traffic unnecessarily routed over the slow link, there is no need for a faster link such as a T1. Therefore, answer D is incorrect. See the section "Configuring Site Boundaries."
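The subnet-to-site association in answers 11 and 19 can be worked through with a short model of how a client's IP address is matched against the subnet objects assigned to sites. This is an added example, not the book's or the Windows DC locator's code; the subnets, site names and domain controller names are constructed, and the fallback to the first site stands in for the behaviour the answer above describes for unassigned Billings clients.

```python
import ipaddress

# Constructed domain controllers and their sites (not from the book).
DCS = {"DEN-DC1": "Denver", "BIL-DC1": "Billings"}


def locate_site(site_subnets, client_ip, fallback_site):
    """Return the site whose subnet object contains client_ip.

    site_subnets maps site name -> list of CIDR prefixes assigned to it.
    When several subnets match, the most specific (longest prefix) wins.
    When none matches, the client is treated as belonging to fallback_site
    (an assumption standing in for the 'first site' behaviour in answer 19)."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for site, subnets in site_subnets.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (site, net.prefixlen)
    return best[0] if best else fallback_site


def pick_dc(site_subnets, client_ip, dcs, fallback_site):
    """Return (site, domain controller) the client would use: a DC in its
    own site when one exists, otherwise any DC (here the first by name),
    which is the case that sends logon traffic across the WAN link."""
    site = locate_site(site_subnets, client_ip, fallback_site)
    local = sorted(dc for dc, s in dcs.items() if s == site)
    return site, (local[0] if local else sorted(dcs)[0])


# Before Joanne's fix: the Billings site exists but has no subnet assigned.
BEFORE = {"Denver": ["10.1.0.0/16"], "Billings": []}
# After the fix: the Billings subnet is associated with the Billings site.
AFTER = {"Denver": ["10.1.0.0/16"], "Billings": ["10.2.0.0/16"]}


if __name__ == "__main__":
    billings_client = "10.2.5.20"
    print(pick_dc(BEFORE, billings_client, DCS, "Denver"))  # served from Denver
    print(pick_dc(AFTER, billings_client, DCS, "Denver"))   # served locally
```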

Suggested Readings and Resources

  1. Multiple Forest Considerations from Microsoft's Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/plan/mtfstwp.asp.

  2. Step-by-Step Guide to Using Active Directory Schema and Display Specifiers from Microsoft's Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/AD/windows2000/howto/adschema.asp.

  3. Trust Types from Microsoft's Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/domadmin_concepts_trusts.asp.

  4. Microsoft Windows Server 2003 Resource Kit, Directory Services Guide, Microsoft Press, 2003.
