
MCSE Migrating from NT4 to Windows 2000 Exam Cram
by Deborah Haralson, Doug Bassett (Joint Author), Derek Melber (Joint Author)

Overview

100% exam-focused information covers all curriculum objectives for the Upgrading Windows NT to Windows 2000 exam (70-222). A perfect complement to the MCSE Upgrading from NT 4 to Windows 2000 Exam Prep or other study materials. Contains a complete practice exam featuring questions designed to assess the reader's readiness to take the exam, and the answers and explanations that reinforce the reasoning behind the correct answers. Features an exclusive Self-Assessment section that will help the reader evaluate their knowledge base against the requirements for MCSE certification under both ideal and real circumstances.

Product Details

ISBN-13:
9781576107171
Publisher:
Coriolis Group
Publication date:
03/28/2001
Series:
Exam Cram 2 Series
Pages:
448
Product dimensions:
6.04(w) x 9.02(h) x 1.11(d)

Read an Excerpt

Active Directory vs. NT 4 Directory Service Structure

Terms you'll need to understand:

  • Directory service
  • Active Directory
  • Primary domain controller (PDC)
  • Backup domain controller (BDC)
  • Single domain model
  • Single-master domain model
  • Multimaster domain model
  • Complete trust domain model
  • Forest
  • Tree
  • Domain
  • Organizational unit (OU)
  • Site
  • DNS (Domain Name System)
  • WINS (Windows Internet Name Service)

Techniques you'll need to master:

  • Identifying and contrasting the logon processes of NT and Active Directory
  • Identifying the roles of the primary and backup domain controllers in a variety of domain models
  • Identifying the role of the Active Directory domain controller
  • Identifying the Flexible Single Master Operations (FSMO) server roles in a forest
  • Identifying the Flexible Single Master Operations server roles in a domain
  • Identifying the purpose and placement of a tree in an Active Directory forest
  • Identifying the purpose and placement of a site in an Active Directory forest
  • Identifying the purpose and placement of a domain in an Active Directory tree
  • Identifying the purpose and placement of an organizational unit in an Active Directory domain
  • Identifying the purpose of DNS in Active Directory
The largest learning curve that confronts the MCSE2K wanna-be is the completely alien vocabulary and undiscovered pitfalls of Windows 2000. The purpose of this chapter is to demystify Active Directory and compare it to NT's way of doing things. If you consider yourself a master of NT and Active Directory, we recommend that you peruse the section titles for areas you might want to review. Microsoft is extremely interested in ensuring that migration specialists are conversant with the old ways and the new ways of ensuring successful access to network resources. This level of concern is easily evident in the depth of testing that probes material mastery. Skip this chapter at your own peril.

Purpose of a Directory Service

The purpose of a directory service is simple: you use a directory service to locate something. Once you have located that something, you can gather information about it and use it for your desired purpose.

An example of a directory is the phone book. It contains white pages listing residential phone numbers and yellow pages listing business services. The purpose of a phone book is to locate people or services. If we apply this analogy to Windows 2000, we can say that Active Directory is a listing of user accounts that correspond to the residential phone entries. Active Directory also holds a listing of services that are offered on a network. This is like looking in the yellow pages for the nearest dry cleaners or pizza delivery outlet. The services advertised in Active Directory can include anything from a file server, a printer, or even the nearest domain controller. Obviously, we don't call these listings phone numbers. Microsoft calls pretty much everything in Active Directory an object.

Active Directory-The Nickel Tour

Objects in Active Directory are like records in a database. Let's say you have a record that lists a person's first name and last name. That record could be called a user record. In Active Directory, this information would be contained in a user object. There are user objects, server objects, printer objects, and file-share objects; the list goes on and on. If Active Directory doesn't have the object you want, you can always make more objects. Each of these objects has a variety of attributes. These attributes would correspond to the database record's field for the first name or the last name in a user record. Active Directory is a place to store all of the objects and attributes in an enterprise environment. We use Active Directory to locate these various objects, either by name or by one of the many attributes the objects contain. Active Directory is pretty much the foundation of a Windows 2000 network.
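Active Directory exposes these objects over LDAP, so locating an object by one of its attributes means issuing an LDAP search filter. The following is an added example, not code from the book: a filter builder that escapes the search value as RFC 4515 requires and validates the attribute name, shown beside the plain string-concatenation form in which a caller-supplied value can rewrite the query (LDAP injection). The attribute names and sample values are constructed for the illustration.

```python
import re

# LDAP attribute descriptions are a letter followed by letters, digits or hyphens.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# Bytes that RFC 4515 requires to be escaped inside a filter assertion value.
_ESCAPE = {0x00, 0x28, 0x29, 0x2A, 0x5C}   # NUL ( ) * \


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 \\XX form).

    Non-ASCII bytes are escaped too; the RFC permits escaping any byte and it
    keeps the resulting filter pure ASCII.
    """
    return "".join(
        "\\%02x" % b if (b in _ESCAPE or b >= 0x80) else chr(b)
        for b in value.encode("utf-8")
    )


def attribute_filter(attr: str, value: str) -> str:
    """Safe form: attribute name is validated, the value is escaped."""
    if not _ATTR_RE.match(attr):
        raise ValueError("invalid attribute name: %r" % attr)
    return "(&(objectClass=user)(%s=%s))" % (attr, escape_filter_value(value))


def unsafe_attribute_filter(attr: str, value: str) -> str:
    """The pattern to avoid: the caller's value becomes filter syntax.

    A value of "*" turns a lookup of one account into a match on every user.
    """
    return "(&(objectClass=user)(%s=%s))" % (attr, value)
```

A value of `*` is the simplest injection: the escaped builder turns it into the literal `\2a`, while the concatenating one produces a wildcard that matches every user object.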

NT-SAM I Am

Windows NT's directory service is called the Security Accounts Manager database (SAM). This database's purpose is the same as that of Active Directory: The SAM is used to find something and to get information about what you found. One of the major differences is that the SAM contains only the white pages of our phone book. The NT SAM has only user accounts, groups, and machine accounts. It doesn't offer nearly the wealth of information that even the most bare-bones Active Directory implementation does.

Basic Structure and Terminology

It is difficult, if not impossible, to understand the nature of a forest without being familiar with the nature of a tree. In Active Directory's case, you have to know about the forest, the tree, the organizational unit, and the site. To successfully pass the exam on migration from NT SAM to Windows 2000 Active Directory, you must master each of the elements contained in both NT and Windows 2000. If you are completely familiar with how NT and 2000 interoperate and you want to get into the meat of migration, you can skip to Chapter 3, which discusses group policy. Be warned, however, that the exam assumes an extremely thorough understanding of the way NT does things and of what a transformation professional must do to ensure similar and enhanced performance.

NT-There Can Be Only One!

If you are entirely familiar with how NT distributes and acts on the Security Accounts Manager database, you might want to skip ahead and read the sections prefaced with the title Active Directory. But if you want a refresher or are new to NT, this section is solid gold. Without understanding how NT works in comparison to Active Directory, you won't get as much out of the sections on Active Directory.

The undisputed king and tyrant in the NT world is the primary domain controller (PDC). This beast will not tolerate anyone usurping its role in the network. If a PDC comes back after a well-deserved reboot and finds an impostor claiming the throne, it will throw a fit, shut down its services, and sulk. This is by design. The PDC in an NT domain is the only server that has the keys to the kingdom. The PDC holds the only Read/Write copy of the Security Accounts Manager database. If any changes need to be made, such as adding a user or changing a password, the PDC is the one you must deal with. Sulking is NT's way of preventing two PDCs from fighting it out for ultimate supremacy. The PDC doesn't have to do its job entirely alone. Any administrators worth their salt will add fault tolerance and load balancing by installing backup domain controllers (BDCs). The BDC holds a Read-Only copy of the SAM.

Any time someone, hopefully an administrator, changes the Security Accounts Manager database, the PDC replicates the new information to the BDC(s) throughout the network. If the PDC happens to be down, no changes can occur and administration of the user accounts is impossible. This creates a single point of failure.

  • PDC-This machine holds the only Read/Write copy of SAM.
  • BDC-These machines have a Read-Only copy of SAM.

Active Directory-A Domain Controller Is a Domain Controller

Active Directory uses a multimaster replication model. This means that every Windows 2000 domain controller has a Read/Write copy of Active Directory. When an administrator needs to add a user account, or update one of the many attributes associated with the account, he or she can contact any domain controller. After the changes are made, this domain controller notifies other domain controllers, and they come get the latest information. The exceptions are the Flexible Single Master Operations (FSMO) roles listed at the start of this chapter, each of which is held by one domain controller at a time. This scheme ensures a certain level of fault tolerance and network load balancing. Active-Directory-aware clients, such as Windows 2000 Professional or Windows 95/98/NT running the Active Directory client, can contact a domain controller close to them to perform routine account maintenance, such as changing passwords. Gone are the days of rushing to the PDC every 45 days because the password is expiring.

Understanding the multiple-master aspect of Active Directory is critical to managing migration properly. In the old days, password changes would sometimes have to traverse WAN links to find the PDC. This led to the proliferation of multiple domains so the user accounts could have a PDC located nearby. The PDC mindset is one hurdle that you must overcome when shifting to Windows 2000.

NT Domain Validation

NT domain controllers have many jobs, but their main purpose is to validate users. Users must be validated by a domain controller before they are allowed access to network resources. You need to fully comprehend how each of the important points works. That way you can support users throughout the 2000 transformation and, what's more important, laugh at those feared case-study questions.


Note: In the following procedures, the steps in boldface type are the primary concerns when you're moving from NT domains to Active Directory. It's not necessary to memorize them for the exam, but you should be familiar with them.

In Windows NT, when a user does the three-finger salute by pressing Ctrl+Alt+Del, the following events are triggered:

1. The computer presents the user with a dialog box that asks for a username, a password, and a domain.

2. This information is presented to the Local Security Authority (LSA) for validation.

3. The LSA checks whether the user is attempting to validate against the local machine's SAM or whether domain validation is being requested.

4. The machine tries to locate a domain controller to which it can send the username and password for domain validation.

5. The logon credentials are passed to the domain controller that was found. NT does this as pass-through authentication over the workstation's Netlogon secure channel: what crosses the wire is the username and a one-way hash of the password, protected by the secure channel, not the password itself.

6. The domain controller locates the username in the SAM and verifies the password.

7. The domain controller returns the user account's security identifier (SID), which uniquely identifies that account in the network.

8. The domain controller returns group membership tokens that list the SIDs of any groups that contain the user account.

9. The domain controller returns the path of any user logon scripts that were associated with the user account.

10. The domain controller returns the path to the user's roaming profile, if one is assigned.

11. The computer then goes to the validating domain controller's NETLOGON share to look for a system policy file (Ntconfig.pol) with entries for the computer name, the user name, or any groups that contain the user account.

12. All policies are applied, the user profile is downloaded, and any user logon scripts are executed.

13. The user then gets access to the desktop.
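Steps 7 and 8 hand the workstation SIDs, and the same SIDs later show up in event logs, ACLs and tokens. As an added example that is not part of the book, the code below converts between the string form (S-1-5-21-...) and the binary layout Windows uses, and splits a domain account SID into its domain SID and relative identifier (RID), which is how an investigator maps a SID back to a well-known account or group. The sample SIDs are constructed; hexadecimal identifier authorities above 2^32 are not handled.

```python
import struct

# Well-known RIDs inside a domain SID. 500, 501 and 512-514 exist in NT 4
# domains; 502, 515, 516, 518, 519 and 520 were added with Windows 2000.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}


def sid_to_bytes(sid: str) -> bytes:
    """String SID (S-R-IA-S1-...-Sn) to the binary layout used in tokens and ACLs.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then each sub-authority as 4 bytes
    little-endian.
    """
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID field out of range: %r" % sid)
    header = struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(data: bytes) -> str:
    """Binary SID back to string form, rejecting truncated or oversized input."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1 or count > 15 or len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def is_valid_sid(sid: str) -> bool:
    try:
        sid_to_bytes(sid)
        return True
    except ValueError:
        return False


def split_domain_rid(sid: str):
    """For an NT/AD domain account SID (S-1-5-21-A-B-C-RID) return (domain SID, RID)."""
    parts = sid.split("-")
    if not is_valid_sid(sid) or parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not a domain account SID: %r" % sid)
    return "-".join(parts[:7]), int(parts[7])


def describe_rid(sid: str) -> str:
    """Name the well-known account or group a domain SID refers to, if any."""
    domain, rid = split_domain_rid(sid)
    return WELL_KNOWN_RIDS.get(rid, "RID %d in domain %s" % (rid, domain))
```

The first three sub-authorities after 21 are the domain's identity; every account and group created in that domain shares them, so a SID whose RID is 500 is that domain's built-in Administrator regardless of what the account has been renamed to.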

Active Directory Domain Validation

In Windows 2000, when a user does the three-finger salute by pressing Ctrl+Alt+Del, the following events are triggered:

1. The computer presents the user with a dialog box that asks for a username and a password. The domain is displayed only if the user requests it or if the previous logon attempt failed.

2. This information is presented to the Local Security Authority (LSA) for validation.

3. The LSA checks whether the user is attempting to validate against the local machine's SAM or whether domain validation is being requested.

4. The machine tries to locate a domain controller for domain validation.

5. Windows 2000 creates a Kerberos authentication request (an AS-REQ) containing the username and, as pre-authentication data, the current timestamp encrypted with a key derived from the user's typed-in password. This message is passed to the domain controller that was found; in Windows 2000 every domain controller is also a Kerberos Key Distribution Center (KDC). Notice that the password itself never hits the wire. Tools such as L0phtCrack that worked by capturing NT challenge/response traffic have nothing to capture here, and because the domain controller's replies are encrypted under keys only it and the client share, an impostor domain controller cannot produce a usable answer, so the man-in-the-middle attacks in which an attacker impersonates your domain controller to harvest credentials are far less practical than they were. One caveat: the encrypted timestamp that does leave the computer can be recorded and used to test password guesses offline, so Kerberos removes the clear-text exposure without removing the need for strong passwords.

6. The domain controller, acting as KDC, locates the account in Active Directory and decrypts the timestamp with the key it stores for that account. If the decryption verifies and the timestamp is within the permitted clock skew (five minutes by default), the user is authenticated and the KDC returns a ticket-granting ticket (TGT) together with a session key encrypted under the user's key. If either check fails, the attempt fails.

7. The domain controller returns the user account's security identifier (SID), which uniquely identifies that account in the network.

8. The domain controller returns the group memberships as a list of SIDs in the ticket's authorization data (the Privilege Attribute Certificate, or PAC), consulting a global catalog server for universal group memberships held in other domains of the forest.

9. The domain controller returns the path of any user logon scripts that were explicitly associated with the user account. This is primarily for backward compatibility.

10. The domain controller returns the path to the user's roaming profile, if one is assigned.

11. The domain controller provides the machine with the user portion of the assigned group policies associated with that user account. The computer portion of the group policy was already activated when the computer booted.

12. All policies are applied, the user profile is downloaded, and any user logon scripts are executed.

13. The user then gets access to the desktop.
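The pre-authentication exchange in steps 5 and 6, as an added example that is not part of the book: the client encrypts the current time with a key derived from its password (Kerberos PA-ENC-TIMESTAMP), the KDC decrypts with the key it stores for that principal and insists on a fresh timestamp, and the captured request still lets an attacker test password guesses offline. The key derivation and cipher here are simplified stand-ins built from SHA-256 and HMAC, not the RC4-HMAC or DES encryption types Windows 2000 actually uses, and the principal name, password, timestamps and word list are constructed.

```python
import hashlib
import hmac
import os
import struct

MAX_SKEW = 300  # Kerberos default clock skew: five minutes


def string_to_key(password: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (assumption, not the real etype).
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong (tag does not verify)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def build_as_req(username: str, password: str, now: int) -> dict:
    """Client side: the password never leaves the machine, only the encrypted time does."""
    return {"cname": username, "padata": encrypt(string_to_key(password), struct.pack(">Q", now))}


def kdc_check_preauth(as_req: dict, kdc_db: dict, now: int) -> str:
    """KDC side: look up the stored key, decrypt, and require a fresh timestamp."""
    key = kdc_db.get(as_req["cname"])
    if key is None:
        return "unknown principal"        # KDC_ERR_C_PRINCIPAL_UNKNOWN
    plaintext = decrypt(key, as_req["padata"])
    if plaintext is None:
        return "pre-auth failed"          # KDC_ERR_PREAUTH_FAILED: wrong password
    (timestamp,) = struct.unpack(">Q", plaintext)
    if abs(now - timestamp) > MAX_SKEW:
        return "clock skew too great"     # KRB_AP_ERR_SKEW: stale or replayed request
    return "ok"


def offline_guess(padata: bytes, wordlist):
    """Attacker side: a captured pre-auth blob is an offline oracle for password guesses."""
    for candidate in wordlist:
        if decrypt(string_to_key(candidate), padata) is not None:
            return candidate
    return None
```

Two practitioner points fall out of the toy: the skew check is what stops a recorded AS-REQ from being replayed later, and the KDC answering "unknown principal" differently from "pre-auth failed" lets an attacker enumerate valid usernames before guessing any password at all.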

Windows Active Directory adds security, stability, load balancing, and flexibility to an already impressive array of tools provided to the network administrator. With this power comes responsibility. One of the few opportunities you have to fundamentally change the way you do business arises when you are moving from one network enterprise infrastructure to another. Proper understanding of the interrelationships and contrasts between NT and 2000 will make it a lot easier to solve those case-study problems. Typically you are presented with a set of challenges, and you will leverage your understanding of the inner workings of Active Directory and NT to ensure that all of your bases are covered. We will now examine and contrast each of the critical points in the validation process. You must know the difference because that is the key that unlocks this exam.

NT-Locating a Domain Controller

You have only four methods for locating either the PDC or a BDC, and these methods are always used in the order in which they're listed here. Realize that once you locate a domain controller, you stop and don't use any of the other methods. This makes it easier to...

Meet the Author

Kurt Hudson is a Microsoft Certified Trainer and a Microsoft Certified Systems Engineer. He has trained for Productivity Point, TeKnowledge, and a variety of private organizations, and co-authored The IIS 3.0 Bible (IDG, 1997).

Derek Melber, MCSE, MCP+I, A+ (Phoenix, AZ) has trained and sold solutions to AT&T, Boeing, Intel, Citibank, Walt Disney, United Airlines, Hewlett-Packard, Compaq, Sony, the Department of Education, all branches of the military, and Microsoft.

Deborah Haralson, MCSE, currently works as Manager of Information Systems for TrainAbility in Scottsdale, Arizona. Deborah has worked in the technology industry for over 10 years after getting her start helping customers with software problems for Moon Valley Software. From there she advanced in her career with MicroAge, Gateway Data Sciences, Honeywell, Mastering Computers, and CB Richard Ellis serving in a variety of roles such as DBA, Programmer, Network Administrator, Manager, and Systems Engineer. A quick study, Deborah earned her MCSE in just eight weeks.

Doug Bassett, MCSE, is actively involved in the leading edge of e-learning. He has provided the latest in certification training to thousands of people worldwide. He is among the first one hundred Windows 2000 MCSEs. He has performed technical reviews and exam accuracy checks for five books, encompassing the entire spectrum of Windows 2000 support and certification. Doug has been in the computer industry for over 20 years, starting with teaching computer science classes while still in high school. A Gulf War veteran, Doug has worked in roles ranging from computer assembler and end-user support professional to network administrator, network design engineer, and now senior technical instructor.

Customer Reviews

Guest More than 1 year ago
It was a lot of fun writing this book. I have been using Windows 2000 since the Alpha and this is a culmination of all of those long nights bleeding over the systems. This book takes you by the hand and guides you on the path to obtaining the migration elective certification.