Study Guide Preview Cert MSCert Microsoft Cert-1Z0-050 DBCert Oracle Cert CompCert CompTIA

Transcription

1 Study Guide Preview Cert MSCert Microsoft Cert-1Z0-050 DBCert Oracle Cert CompCert CompTIA

2 Study Guide Preview Cert MSCert Microsoft Cert-1Z0-050 DBCert Oracle Cert CompCert CompTIA

3 Microsoft Guide Contents Contents... 3 About Your Transcender Study Guide... 4 Configuring the Domain Name System (DNS) for Active Directory... 5 Configure Zones... 6 Configure DNS server settings Review Checklist: Configuring the Domain Name System (DNS) Configuring the Active Directory Infrastructure Configure a Forest or a Domain Configure Trusts Configure Sites Configure Active Directory Replication Configure the Global Catalog Configure Operations Masters Review Checklist: Configuring the Active Directory Infrastructure Configuring Additional Active Directory Server Roles Configuring Active Directory Lightweight Directory Service (AD LDS) Configuring Active Directory Rights Management Service (AD RMS) Configuring a Read-only Domain Controller (RODC) Scope Configuring Active Directory Federation Services (AD FS) Scope Review Checklist: Configuring Additional Active Directory Server Roles Creating and Maintaining Active Directory Objects Automating the Creation of Active Directory Accounts Maintaining Active Directory Accounts Creating and Applying Group Policy Objects (GPOs) Configuring GPO Templates Scope Configuring Software Deployment GPOs Configuring Account Policies Scope Review Checklist: Creating and Maintaining Active Directory Objects Maintaining the Active Directory Environment Configure Backup and Recovery Perform Offline Maintenance Monitor Active Directory Review Checklist: Maintaining the Active Directory Environment Configuring Active Directory Certificate Services Install Active Directory Certificate Services Configure CA Server Settings Manage Certificate Templates Manage Enrollments Manage Certificate Revocations Review Checklist: Configuring Active Directory Certificate Services Test Taking Strategies

4 Microsoft Guide About Your Transcender Study Guide IT professionals agree! Transcender has consistently been voted the industry's #1 practice exam. This Study Guide complements your TranscenderCert TM practice exam. The Study Guide is objective-driven and contains a variety of tools to help you focus your study efforts. Each Study Guide contains structured sections to help you prepare for your certification exam: Scope :: identifies the learning objectives for each section Focused Explanation :: provides definitions, in-depth discussions and examples Review Checklist :: highlights the key learning points at the end of each major section Additional sections to further assist you are located at the end of each Study Guide: Test Taking Strategies General Tips Explanation of Test Item Types The following study model will help you optimize your study time. Develop a Study Plan Assess your knowledge Focus on weak areas Track your progress Prepare To Pass Start early, at least 6 weeks out Don t try to cram Set aside specific study times Use a disciplined approach so you can thoroughly prepare Stick to your plan Assess your current knowledge level Take a Transcender practice exam using Preset Experience The objective-based score report shows you the areas where you are strong and the areas where you need to focus your study efforts Read the Study Guide by objective Use the practice exam in Optimize Experience mode Study the test items by objective Use the included TranscenderFlash cards to review key concepts Use your favorite references to get further information on complex material Take a Transcender practice exam using Preset Experience again If you didn t score 100%, go back to your study plan and focus on weak areas Study those objective areas where you didn t score 100% Keep practicing until you consistently score 100% in all areas Transcender s commitment to product quality, to our team and to our customers continues to differentiate us from other companies. Transcender uses an experienced team of certified subject-matter experts, technical writers, and technical editors to create and edit the most indepth and realistic study material. Every Transcender product goes through a rigorous, multistage editing process to ensure comprehensive coverage of exam objectives. Transcender study materials reinforce learning objectives and validate knowledge so you know you re prepared on exam day. 4

5 Microsoft Guide Configuring the Active Directory Infrastructure 39

6 Microsoft Guide Configure a Forest or a Domain Scope Learn to install Active Directory Domain Services (AD DS). Learn to remove a domain. Learn to raise forest and domain functional levels. Focused Explanation Active Directory Domain Services (AD DS) is a server role of the Windows Server 2008 operating system. AD DS provides a distributed directory service that can be used for centralized, secure management of a network. AD DS is required for directory-enabled services. Installing AD DS Before installing the AD DS server role on a server, you must configure appropriate Transmission Control Protocol/Internet Protocol (TCP/IP) and DNS server addresses. You can add the AD DS server role by starting the Add Roles wizard from the Server Manager console. This wizard installs files that are required to setup and configure AD DS on a server. After installing the necessary files, the wizard prompts you to run the dcpromo command at the command-line. Unattended Installation of AD DS There are several new options in Windows Server to perform an AD DS unattended installation. The unattended installation method is typically used for Server Core installations. The unattended installation method to install AD DS is the same whether a server is running a full installation or a Server Core installation of Windows Server The dcpromo command provides you with two different methods to perform an unattended installation. You can create an answer file that contains all the required parameters or you can use the /unattend option and specify all the required parameters in the command line. The syntax for the dcpromo command is as follows: dcpromo [/answer[:<filename>] /unattend[:<filename>] /unattend Note: For the /answer option, you must specify the answer file name that contains installation parameters and values. However, for the /unattend option, specifying an answer file name is optional. 40

7 Microsoft Guide Using Active Directory Migration Tool (ADMT) v3 The ADMT v3 simplifies the process of restructuring the operating environment to meet an organization s requirement. You can use ADMT v3 to migrate users, groups, and computers from Microsoft Windows NT 4.0 domains to Active Directory domains. ADMT v3 can also be used to migrate between Active Directory domains in different forests, known as interforest migration; and between Active Directory domains in the same forest, known as intraforest migration. ADMT v3 also performs security translation from Windows NT 4.0 domains to Active Directory domains and between Active Directory domains in different forests. Using the Forestprep and Domainprep utilities Adprep.exe is a command-line tool that extends the Active Directory schema and updates permissions to prepare a forest and domain for a Windows Server 2008 DC. The dcpromo command-line tool is accessible from the Windows Server 2008 DVD. You can go to \sources\adprep folder to access the adprep.exe command-line tool and use the elevated command prompt to run the command. The syntax of the adprep command is as follows: adprep {/forestprep /domainprep /domainprep /gpprep /rodcprep /wssg /silent} The /forestprep option The /forestprep option prepares a forest for a Windows Server 2008 DC. Running the adprep /forestprep command can only be run once and is performed at the forest level. This command should be run only on the DC that holds the schema operations master role. The administrator who runs this command must be a member in at least one of the following groups: Schema Admins group Enterprise Admins group Domain Admins group Domainprep is the option used to set up a domain for a Windows Server 2008-based domain controller. First, run the adprep /forestprep command. After the changes replicate to all the DCs in the forest, run the adprep /domainprep command in each domain that contains a Windows Server 2008 DC. However, you must ensure that the DC holds the infrastructure operations master role for the domain. An administrator must be a member of the Domain Admins group to run this command. You can also use the /domainprep with the /gpprep option. The /gpprep option also provides needed updates, which are necessary for enabling the Resultant Set of Policy (RSoP) Planning Mode functionality. 41

8 Microsoft Guide Removing a Domain To remove an Active Directory domain, you must first demote all DCs that are associated with the domain. If a DC is a global catalog, ensure that another global catalog is available before demoting it. To remove a domain, you must hold a membership in one of the following groups: Domain Admins group in the forest root domain Enterprise Admins group Before you attempt to remove a domain in your Active Directory environment, you must be aware that removing a domain will erase all domain records, such as user/computer accounts, group membership accounts, and more. To remove a domain, perform the following steps: 1. Run the dcpromo command on the last DC in the domain. 2. When the Active Directory Installation wizard appears, click Next. 3. When the Remove Active Directory page appears, select the This server is the last domain controller in the domain check box. 4. Click Next and follow the wizard prompts to complete the domain removal process. 42

9 Microsoft Guide Raising the Functional Levels of Windows Server 2008 Forests and Domains Windows Server 2008 provides three domain and forest functional levels: Windows 2000, Windows Server 2003, and Windows Server Windows 2000 is the default functional level for forests and domains. Once the functional level of a domain or forest is raised, DCs that are running previous versions of Windows cannot be added. For example, if the domain or forest functional level is raised to Windows Server 2003, then no Windows 2000 Server DCs can be added. To raise a domain s functional level, perform the following steps: 1. Open the Active Directory Domains and Trusts console from Administrative Tools. 2. Select the domain from the console tree. Open the Action menu and click Raise Domain Functional Level. 3. When the Raise Domain Functional Level dialog box appears, select the appropriate functional level from the drop down menu and click OK. The available domain functional levels are as follows: Windows Server 2003: Choose this level if your network infrastructure includes Windows Server 2003-based DCs. Windows Longhorn Server: Choose this level if your network infrastructure includes only Windows Server 2008-based DCs. 4. Click OK to confirm the domain functional level. If you encounter problems in raising the functional level for a forest, click Save As in the Raise Forest Functional Level dialog box. Doing so will save a log file that specifies which DCs in the forest need to be upgraded. 43

10 Microsoft Guide Configure Trusts Scope Understand trust relationships. Learn about selective authentication. Learn about forest-wide authentication. Focused Explanation A trust relationship is a relationship between domains that allows the DC of one domain to authenticate users from another domain. For example, if a trust relationship exists where Domain A trusts Domain B, then Domain B users can access resources in Domain A and can log on to stations in Domain A with their user accounts and passwords from Domain B. Trusts in a forest are created automatically during the creation of domains. Trusts can be configured in two directions: one-way, which is referred as non-transitive, or two-way, which is referred to as transitive. Transitive trust is automatically created for all domains within a forest. In active directory, all trust relationships within a forest are two-way or transitive trusts. In a transitive trusts, the relationship between domains is not only two-way but also transitive. For example, Domain1 has a transitive trust relationship with Domain2 and Domain2 has a transitive trust relationship with Domain3. In this scenario, a transitive trust relationship is automatically formed between Domain1 and Domain3. Transitive Trust Relationships A transitive trust relationship is created automatically for all domains within a forest. Therefore, any domain in the forest can authenticate any domain-based account from any domain within the forest. With a single logon process, accounts with the proper permissions can access resources in any domain in the forest.. You can use the New Trust Wizard to manually create various transitive trusts, such as a Shortcut trust, a Forest trust, or a Realm trust. As its name implies, a shortcut trust will shorten the trust path. Shortcut trusts are generally configured in a large and complex domain tree or forest in the Active Directory environment where a transitive trust is formed between a domain in the same domain tree or forest. A forest trust designed to form a transitive trust between the Forest root domain and a second forest root domain. In case of a Realm trust, you form a transitive trust between the following: Active Directory domain Kerberos V5 realm 44

11 Microsoft Guide Configuring Shortcut Trusts If users have to logon to different domains in a tree multiple times a day, and the domains are not directly connected, the authentication request will traverse to the highest common domain. A shortcut trust between two such domains eliminates the need for user logon authentication at each traversed domain. You can create a shortcut trust by using the netdom trust command. To configure a shortcut trust, you must perform the following steps: 1. Open the Active Directory Domains and Trusts console from Administrative Tools. 2. Right-click the domain node for the domain with which you want to establish a shortcut trust from the console tree. 3. Click Properties and select the Trusts tab. 4. Click New Trust, then click Next to access the Trust Name page. 5. Specify the DNS and NetBIOS names for the domain, then click Next. 6. On the Direction of Trust page, perform one of the following actions: For users in this domain and users in the specified domain to use this trust path, click Twoway. For only users in this domain to use this trust path, click One-way:incoming. For only users in the specified domain to use this trust path, click One-way:outgoing. 7. Continue to follow the instructions in the wizard. If you want to create both sides of a shortcut trust at the same time, click the Both this domain and the specified domain option on the Sides of Trust page. To be able to perform this configuration, you must have administrative rights in both domains to configure this type of trust relationship. Selective Authentication Trusts between forests can use legacy authentication settings or selective authentication. Selective authentication is a security setting for external trusts and trusts between forests. With selective authentication, administrators can choose the users who should have rights to access shared resources in the trusting forest. Selective authentication helps enable Active Directory administrators grant permission for specific users in another forest. Configuring selective authentication To enable selective authentication, you must use the following command: Netdom trust TrustingDomainName /domain: TrustedDomainName /SelectiveAuth:Yes /usero:domainadministratoracct/password:domainadminpwd 45

12 Microsoft Guide To enable selective authentication over an external trust by using the Windows interface, you must perform the following steps: 1. Open Active Directory Domains and Trusts console from Administrative Tools. 2. From the console tree, select the appropriate domain. 3. Open the Action menu and click Properties. 4. Open the Trusts tab and select the appropriate external trust: Domains trusted by this domain (outgoing trusts) Domains that trust this domain (incoming trusts) 5. Click Properties and select the Authentication tab. 6. Click the Selective Authentication option. 7. Click OK. To enable selective authentication over a forest trust by using the Windows interface, you must perform the following steps: 1. Open the Active Directory Domains and Trusts console. 2. In the console tree, right-click the domain node for the forest root domain, and click Properties. 3. On the Trusts tab, select the forest trust that you want to configure under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), then click Properties. 4. On the Authentication tab, click Selective authentication, then click OK. 46

13 Microsoft Guide Forest-wide authentication The forest-wide authentication setting permits unrestricted access to all available resources in any of the domains in the trusting forest. This is the default authentication setting for forest trusts, and it is representative of the way authentications can be routed without restriction. You can enable forest-wide authentication over a forest trust by using the New Trust wizard in Active Directory Domains and Trusts or by using the Netdom command-line tool. To enable forest-wide authentication over a forest trust by using the Windows interface, you must perform the following steps: 1. Open the Active Directory Domains and Trusts console. 2. In the console tree, right-click the forest root domain, and click Properties. 3. On the Trusts tab, select the forest trust that you want to configure under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), then click Properties. 4. On the Authentication tab, click Forest-wide authentication, then click OK. Note: Only the authentication settings for the outgoing trust are displayed when you click the Authentication tab. To view the correct authentication settings for the incoming side of a two-way forest trust, connect to a DC in the trusted domain, then use the Active Directory Domains and Trusts console to view the authentication settings for the outgoing side of the same trust. 47

14 Microsoft Guide Configure Sites Scope Learn to create Active Directory subnets. Learn to configure site links. Learn to configure site infrastructure. Focused Explanation Sites are the physical structure, or topology, of a network. In a network, sites represent the physical structure. Site objects and their contents are replicated to all DCs in the forest, regardless of the domain or site. You can use the Active Directory Sites and Services snap-in to manage the site, subnet, and site link objects that combine to influence the replication topology. Create a Subnet A site consists of subnets. A subnet is the set of all addresses behind a single interface on a router. When you associate a site with one or more subnets, you assign a set of IP addresses to the site. The address prefix for an AD DS subnet must conform to the IP version 4 (IPv4) or IP version 6 (IPv6) format. To create a subnet, you must access Active Directory Sites and Services console from Administrative Tools, then perform the following steps: 1. Under console tree, expand Sites. 2. Select Subnets, access the Action menu and click the New Subnet option. The New Object Subnet dialog box appears. 3. Type your subnet prefix, for example, IPv4 or IPv6, under the Prefix section. 4. At the bottom of the New Object Subnet dialog box, select the site that will be associated with this subnet. 5. Click OK. 48

15 Microsoft Guide Site links To provide the most updated Active Directory information, you replicate the Active Directory or the default site associated with it. To replicate a site, you must create another site, then transfer the information to the second site. The transfer of information is possible only if the sites are connected or if there is a route between the sites for the information to travel. The association or route between sites is referred to as a site link. To create a site link, you must first access Active Directory Sites and Services from Administrative Tools, and then perform the following steps: 1. Under console tree, expand Sites > Inter-Site Transport. 2. Select the inter-site transport protocol, for example IP or SMTP. 3. Click Action in the menu bar. 4. Click New Site Link. The New Object Site Link dialog box appears. 5. Specify a unique name for your new site link. 6. Under Sites not in this site link, select each site from the left pane and click the Add button. Click the Remove button to remove any site from the list. 7. Click OK. Site link costing When more than one route is available between two sites, inter-site replication occurs on the route with the least cost. If a DC is not available at the time that the replication topology is created, the next leastcost route is used. All site links are transitive and the Bridge all site links option is enabled by default. A site link bride creates a bridge between multiple sites. The site link bridge allows site links to have a common site between different sites. To configure site link cost, you must first access Active Directory Sites and Services console from Administrative Tools, and then perform the following steps: 1. Under console tree, expand Sites > Inter-Site Transport. 2. Select the site link from the right pane then click Action from the menu bar 3. Click Properties. 4. Specify a value for the cost of replication. This needs to be performed in the Cost section in the site link properties window. 5. Click OK. Note: You cannot apply costs directly to site link bridges. 49

16 Microsoft Guide Configure Site Infrastructure Site infrastructure is stored in the directory as site, subnet, and site link objects. When you add the AD DS server role to create the first DC in a forest, a default site is created in AD DS. If this is the only site in the directory, all DCs are assigned to this site. If your forest has multiple sites, you must create subnets that assign IP addresses to the default and additional sites. Multiple subnets can be attached to a site. To associate a subnet with a site, you must access Active Directory Sites and Services console from Administrative Tools, then perform the following steps: 1. Under console tree, expand Sites. 2. Select Subnets. Click Action from the menu bar. 3. Click Properties. 4. Under the properties window of your subnet, select the site. You perform this step to associate site with the subnet. After you associate the subnets, you have to create site links with the other sites in your network. This needs to be performed only if your network consists of multiple sites. 50

17 Microsoft Guide Configure Active Directory Replication Scope Learn to configure one-way replication. Learn to configure a bridgehead server. Learn to configure replication scheduling. Learn to configure replication protocols. Focused Explanation The Active Directory database on any DC can be changed. All DCs in the Active Directory environment maintain a record of any modification made to any DC in the forest. Replication in Active Directory enhances the ability to maintain synchronized records on all DCs. In addition, it also ensures that any modification made to the replica on one DC is updated in the records of other DCs. Replication can happen only between two DCs, whereas information synchronization can be performed for an entire forest of DCs in the Active Directory environment. Configure One-way Replication To configure Active Directory replication between two sites, replication should be performed on a continual basis. A replication connection varies between a persistent connection and a one-way initiated on-demand connection. If you imply a persistent connection, you can also configure replication scheduling by specifying time intervals for replication to happen. A one-way initiated on-demand connection is more of a manual process where Active Directory replication is initiated from a particular site whenever there is a need. Microsoft recommends that you build a reciprocal replication when you plan to initiate a one-way Initiated on-demand connection configuration by using the Active Directory Service Interfaces (ADSI) Edit snap-in. Great care should be taken when making any changes to the Active Directory object attributes in the ADSI Edit snap-in. Incorrect changes could cause severe problems to the server s operating system, which may require reinstallation to correct. To enable one-way replication on a site link, you must perform the following steps: 1. Use the adsiedit.msc run command to open the ADSI Edit snap-in on a DC. 2. Under Connection Point choose Select a well know Naming Context. Choose Configuration. 3. Navigate to the Configuration Sites Inter-Site Transports containers. 4. Select the CN=IP option. 51

18 Microsoft Guide 5. Under the Details pane, right-click the desired site link object and click the Properties option. Note: The site link objects that you choose are for the sites for which you wish to enable reciprocal replication. 6. Under the Attributes box, double-click Options. 7. From the Integer Attribute Editor dialog box, you can perform one of the following actions: Specify the value as 2, if the Value box displays the value as <not set>. If a value is displayed, you should convert the integer value to a binary value. In addition, use the binary or operation to join that value with the binary value of 0010, then specify the outcome of the integer value under the Value box. Configure a Bridgehead Server When communication takes place between different sites, it is advantageous to reduce the amount of bandwidth used. To accomplish this, the Knowledge Consistency Checker (KCC) automatically selects a server that will handle communication for each site. These servers are known as bridgehead servers. The selection process for a bridgehead server can be performed manually. You can select a server to function as a primary bridgehead server. For added redundancy, you can also select multiple servers. However, only one server can be active at any given time. The other servers function as backup servers and only become active when the active bridgehead server fails. In the event that none of the designated servers is available, the task of inter-site communication is handled by a DC. To designate a bridgehead server, you must access Active Directory Sites and Services console from Administrative Tools, then perform the following steps: 1. Expand the Sites branch node. 2. Expand the site node that contains the server. 3. Select the Servers container. 4. Right-click the server and select Properties. 5. Choose the protocol for which the server should function as a preferred bridgehead server. Then click OK. 52

19 Microsoft Guide Configure replication scheduling To control replication between two sites, also known as inter-site replication, and to configure settings on the site link object to which the sites are added, you can use the Active Directory Sites and Services snap-in. By configuring certain settings on a site link object, you can when and how often replication occurs between two or more sites. To configure inter-site replication availability, you must access the Active Directory Sites and Services console from Administrative Tools, and perform the following steps: 1. In the console tree, select the inter-site transport folder that contains the site link for which you are configuring inter-site replication availability. 2. Select the appropriate site link, then click Action from the Menu bar. 3. Click Properties. 4. Click Change Schedule under the site link Properties window. Note: When you are logged on with an account that does not have sufficient credentials to change the schedule, you can still view the schedule by clicking View Schedule. Select the block of time during which you want replication to be either available or not available, and click Replication Not Available or Replication Available, respectively. Force Inter-site Replication A site object in Active Directory contains a compilation of IP subnets in which several sites are connected to each other for replication. Active Directory site management involves the following: the addition of new subnets the addition of new site link objects the configuring cost and scheduling for site links For inter-site replication optimization, an administrator can perform cost and scheduling modifications. You can also remove sites and associated objects during the following circumstances: if there is no need for replication if clients do not require sites or discover network resources Repadmin and replmon are the command-line tools that can be used to perform force replication. 53

20 Microsoft Guide Configure Replication Protocols To define a route for replication data to travel across the network, a replication topology is created. In order to create a replication topology, Active Directory must identify each DCs replication schedule. Site replication is performed by using the following protocols: Simple Mail Transfer Protocol (SMTP) Remote Procedure Call (RPC) Microsoft recommends use of SMTP protocol because it offers a higher level of security when a firewall boundary is crossed. You can also use Replication Monitor, which provides a graphical representation of replication topology. Configure the Global Catalog Scope Learn how to configure Universal Group Caching. Focused Explanation The global catalog (GC) is the set of all objects in a forest. GC, a DC in the Active Directory forest, is responsible for maintaining the following: Full copy records: Contains all objects of its host domain Partial copy records: Contains a read only copy of all other domains in the forest When you install AD DS, the first DC that you create in the Active Directory forest will automatically be created in the same DC. However, it is also possible to provide GC functionalities to other DCs in the forest. If necessary, you can also remove the GC from a DC. Universal Group Membership Caching In some scenarios, a new domain that is added to a forest does not have a GC server. In such a domain, if the DC is running Windows Server 2008, you can enable the Universal Group Membership Caching feature. When this feature is enabled, the user's universal group membership information is cached on the DC the first time that a user logs on to a domain. For subsequent logons, the DC uses cached memberships to process the logon. 54

21 Microsoft Guide Enabling Universal Group Membership Caching The Universal Group Membership Caching feature for a site can be enabled through the Active Directory Sites and Services snap-in. This can be performed by accessing the Properties window of the NTDS Site Settings and selecting the Enabling Universal Group Membership Caching check box under the Site Settings tab as displayed in Figure 2-1: Figure 2-1: NTDS Site Settings Properties Window When Universal Group Membership Caching is enabled, caching begins during the initial logon of universal and global group memberships, after which the cache is updated on a regular basis. You can also define which site is to be used by accessing the NTDS Site Settings Properties dialog box under the Site Settings tab. This can be performed from Refresh cache from list. In some cases, when you do not define any site to use, the cost setting that has been configured will determine which cost effective connection to be used to communicate with a GC server. To perform this action, the closest-site mechanism is followed. An Active Directory site should have a DC with a GC server and a DNS server installed. If you are concerned about the amount of replication traffic that the GC server produces, you can enable Universal Group Membership Caching for Active Directory sites that have 100 users or less and remove the GC server from the site. 55

22 Microsoft Guide Note: A local domain user can log on only to the local computer and will not be allowed to enter the domain. This is true when the GC server is not available and the local domain user has not previously logged in to the domain. By default, the privilege of logging on to the domain without an available GC is assigned only to domain administrators as they are allowed to log in to a domain even in the absence of GC server. Configure Operations Masters Scope Understand Flexible Single Master Operations (FSMO) roles. Learn to manage Operations Master roles. Learn how to extend Active Directory schema. Focused Explanation Active Directory in a Windows-based environment is referred to as a multimaster-enabled database system. This system consists of five Operations Master roles, or Flexible Single Master Operations (FSMO): Domain-Naming Master Schema Operations Master Relative Identifier (RID) Master Infrastructure Master Primary Domain Controller (PDC) Operations Master As a multimaster-enabled database, Active Directory provides greater flexibility by allowing modifications to occur on any DC in the forest. There are specific tasks allocated to each DC that contain one or more Operations Master roles, thereby ensuring greater efficiency towards updates that occur in the Active Directory database. The domain-naming master and schema operations master roles are considered forest-wide roles. This means that there will be only a single domain-naming master and schema operations master roles in the entire forest. However, of the other Operations Master roles, the RID master, the infrastructure master and the PDC operations master roles, are referred to as domain-wide roles. These roles are present in each domain of a forest. 56

23 Microsoft Guide Manage Operations Master Roles There are five operations master roles in Active Directory. Domain-Naming Master Role: The DC that holds the domain-naming Master role is responsible for managing the inclusion and exclusion of all domains in the directory partition. The following actions can be performed by a DC that has been designated as the domain naming master role: the removal of existing domains or addition of new domains to the forest the removal of existing application directory partitions or addition of new application directory partitions to the forest the replication of existing application directory partitions and the addition of the replicas to other DCs the addition of cross reference objects to external directories the removal of cross reference objects from external directories the preparation of a forest in order to rename a domain Schema Operations Master Role: The DC that holds the schema operations master role is the only DC in the entire forest that can perform write operations to the Active Directory schema. The schema operations master role in the Active Directory environment manages and performs updates that are necessary to the Active Directory schema. The DC that acts as the schema master role performs the necessary updates to the Active Directory schema; those updates are then replicated to the other DCs in the forest. Update conflicts are reduced because the schema operations master role is a forest-wide role. RID Master Role: The DC that holds the RID Master role is responsible for allocating blocks of RIDs to all DCs in the domain. This DC assigns a unique security identifier (SID) to every new object it creates. The SID is a combination of two identifiers: the domain SID and the RID. The domain SID uniquely identifies the domain, and all objects within that domain are assigned the same domain SID. The RID is unique for each object in a particular domain. These two identifiers form the SID for an object. Infrastructure Master Role: The DC that holds the infrastructure master role is an important part of managing updates to object references. The updates will be delayed in the Active Directory environment in the absence of the infrastructure master. This role is responsible for updating object references locally and keeping domain replicas updated by performing replications. The object reference consists of the Globally unique identifier (GUID) and Distinguished name. The infrastructure master periodically updates the distinguished name and the SID on the object reference and reflects all modifications that have been made to the original objects. 57

24 Microsoft Guide PDC Operations Master Role: On a network environment where the client computers in a particular network segment are operating without Active Directory client software or functioning without Windows NT backup domain controllers (BDC), the computer that holds the PDC operations master role acts as a Windows NT PDC to manage that network segment. It is also responsible for processing and managing logon password changes. If a user supplies an incorrect password while attempting to log on to a DC, the request for authentication is forwarded to the PDC operations master role before the DC rejects the authentication request. Reassigning Operations Master Roles There are two methods of reassigning an Operations Master role: transfer or seizure. The transfer method refers to moving the Operations Master role from one DC to another in the Active Directory environment. When you transfer an Operations Master role from one DC to another, the former DC replicates all recent updates to the new DC. This prevents information loss during the transfer. The former DC also reconfigures itself to accept the role transfer and resumes its normal operations without the particular Operations Master role. Role seizure is performed when an Operations Master role must be forcibly removed from a DC and assigned to another DC in the Active Directory domain. A disadvantage of performing a role seizure is that any recent changes made to the role will not be updated to the new DC; they will be lost. The former DC is not available to keep the updates and replicate the recent changes (as in the case of a transfer) during the role seizure process. Therefore, it is recommended that role seizure be performed only when no other option is available. The Active Directory Schema snap-in enables you to move the schema operations master role to a different DC. A domain-naming master role can also be moved to a different DC in the network by using the Active Directory Domains and Trust snap-in or the ntdsutil tool. With ntdsutil, you can seize or transfer any forest-wide and domain-wide role. If you decide to use the Active Directory Schema snap-in for moving the schema operations master role, then you should access the Active Directory Schema snap-in and perform the following steps: 1. Right-click Active Directory Schema from the console tree. 2. Click Change Domain Controller. 3. Click Specify Name to enter the DC to which the schema operations master role will be transferred. 4. Right-click Active Directory Schema from the console tree. 5. Click Operations Master. Then click Change. 58

25 Microsoft Guide To move a domain-level Operations Master role from the Active Directory Schema snap-in, perform the following steps: 1. Highlight Active Directory Users and Computers then click Action from the menu bar. 2. Click Connect to the Domain Controller. 3. Click the name of the server from the list of available DCs to which the role will be transferred.. 4. Click OK. 5. Highlight Active Directory Users and Computers, then click Action from the Menu bar. 6. Click All tasks, then click Operations Masters. The current operations master role holders are displayed in the lower box. 7. Click the tab that corresponds to the role that must be transferred: RID, PDC, or Infrastructure. 8. Click Change once the computer names that are displayed have been confirmed. 9. Click Yes to transfer the role. 10. Click OK. To seize an Operations Master role, you can run the ntdsutil.exe command from a command prompt, and then perform the following steps: 1. Under the ntdsutil utility, type roles, then press the Enter key at the ntdsutil: prompt. 2. When the fsmo maintenance: prompt in the ntdsutil utility appears, type connections, then press the Enter key. 3. When the server connections: prompt appears, type connect to server <servername>, then press the Enter key. 4. Once notified of a successful connection, type quit, then press Enter. Type the required command and press the Enter key according to the role that must be seized. This step should be performed at the fsmo maintenance: prompt in the ntdsutil utility. At the fsmo maintenance: prompt, type the appropriate command for the role that must be seized and press the Enter key. 59

26 Microsoft Guide Table 2-1 shows a list of the available commands: Role Credential Command Domain-naming master Enterprise Admins Seize domain naming master Schema operations master Enterprise Admins Seize schema master Infrastructure master Domain Admins Seize infrastructure master PDC operations master Domain Admins Seize pdc RID master Domain Admins Seize rid master Table 2-1: Seizing Role Commands The system asks for confirmation. It then attempts to transfer the role. When the transfer fails, the error information appears and the system proceeds with the seizure. After the seizure is complete, a list of the roles and the LDAP name of the server that currently holds each role appears. Note: During seizure of the RID master, the current role holder attempts to synchronize with its replication partners. If it cannot establish a connection with a replication partner during the seizure operation, it displays a warning and confirms that you want the role seizure to proceed. Click Yes to proceed. Run the quit command twice to exit from ntdsutil utility. Extending Active Directory Schema Some features and server roles require corresponding updates to the Active Directory schema. These schema additions are automatically installed when you create an Active Directory forest. Before extending the Active Directory schema, you must ensure that all DCs in the Active Directory forest are online and are performing inbound replication. Steps to extend the Active Directory schema 1. Log on to the computer that holds the schema operations master role as a member of the Schema Admins group and the Enterprise Admins group. Note: If you do not know which computer holds the schema operations master role, type Netdom query FSMO at a command prompt, then press Enter: 2. Type repadmin /showrepl to verify that the schema operations master has performed inbound replication of the schema directory partition since the last time server restarted. 3. Type adprep /forestprep at the command prompt, then press the Enter key. Note: When you change the schema on the schema operations master, the changes are automatically propagated to all other DCs in the forest. Therefore, it is not necessary to perform this operation on other DCs. 60

27 Microsoft Guide Review Checklist: Configuring the Active Directory Infrastructure Learn to install Active Directory Domain Services (AD DS). Learn to remove a domain. Learn to raise forest and domain functional levels. Understand trust relationships. Learn about selective authentication. Learn about forest-wide authentication. Learn to create Active Directory subnets. Learn to configure site links. Learn to configure site infrastructure. Learn to configure one-way replication. Learn to configure a bridgehead server. Learn to configure replication scheduling. Learn to configure replication protocols. Learn how to configure Universal Group Caching. Understand Flexible Single Master Operations (FSMO) roles. Learn to manage Operations Master roles. Learn how to extend Active Directory schema. 61

28 Microsoft Guide Test Taking Strategies The Microsoft Certified Professional (MCP), Microsoft Certified System Administrator (MCSA), Microsoft Certified System Engineer (MCSE), and Microsoft Technology Specialist (TS) credentials identify a standard of competence for entry-level and professional job roles that utilize Microsoft products. Microsoft's certification program is a recognized credential that signifies a proven level of knowledge and ability. With each level of certification, a higher benchmark of ability is set for greater opportunities and higher pay. The exam is a proctored exam, which may be taken at a Prometric testing center. Microsoft Certification Roadmap The TS: Windows Server 2008 Active Directory, Configuring exam fulfills the requirement for the Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration. For more information on this certification, visit This exam can also be used to fulfill a core exam requirement for the Microsoft Certified IT Professional: Enterprise Administrator and the Microsoft Certified IT Professional: Server Administrator certifications. A Microsoft candidate should combine training with on-the-job experience. Many of the exam questions are based on real-world scenarios so hands-on experience with the software is vital. Registering for the Exam An exam candidate may register for the at Resources There are several resources produced by Microsoft that you may use to prepare for this exam. These resources include the Microsoft Official Curriculum courseware used in instructor-led training, Microsoft Self-Paced Training Kits, and Microsoft Online Resources. For more information, see the Preparation Guide at 234

29 Study Guide Preview Cert MSCert Microsoft Cert-1Z0-050 DBCert Oracle Cert CompCert CompTIA

30 Oracle 1Z0-050 Study Guide Contents Contents... 3 About your Transcender Study Guide... 5 Installation and Upgrade Enhancements... 6 Install Oracle Database 11g... 7 Upgrade your Database to Oracle Database 11g... 8 Oracle Direct NFS Use Online Patching Review Checklist: Installation and Upgrade Inhancements Storage Enhancements Set up ASM Fast Mirror Resync Understand Scalability and Performance Enhancements Set up ASM Disk Group Attributes Use Various New Manageability Options Use the md_backup, md_restore, and remap ASMCMD extensions Review Checklist: Storage Enhancements Intelligent Infrastructure Enhancements Creating and Using AWR Baselines Setting AWR Baseline Metric Thresholds Control Automated Maintenance Tasks Using Database Resource Manager New Features Using New Scheduler Features Review Checklist: Intelligent Infrastructure Enhancements Performance Enhancements ADDM Enhancements Set up Automatic Memory Management Enhancements in Statistics Collection Review Checklist: Performance Enhancements Partitioning and Storage-Related Enhancements Implement New Partitioning Methods Employ Data Compression SQL Access Advisor Overview Create SQL Access Advisor Analysis Session using PL/SQL Using RMAN Enhancements Managing Archive Logs Duplicating a Database Back up Large Files in Multiple Sections Perform Archival Backups Create a Virtual Private Catalog for RMAN Review Checklist: Using RMAN Enhancements Using Flashback and LogMiner Overview of Flashback Data Archive Manage Flashback Data Archive Back out Transactions using Flashback Transactions Working with LogMiner Review Checklist: Using Flashback and LogMiner

31 Oracle 1Z0-050 Study Guide Diagnosability Enhancements Set up Automatic Diagnostic Repository Use Support Workbench Run Health Checks Use SQL Repair Advisor Review Checklist: Diagnosability Enhancements Database Replay Overview of Workload Capture and Replay Using Workload Capture and Replay Review Checklist: Database Replay Using the Data Recovery Advisor Overview of Data Recovery Advisor Repairing Data Failure Using Data Recovery Advisor Perform Proactive Health Check of the Database Security: New Features Configure the Password File to use Case Sensitive Passwords Encrypt a Tablespace Configure Fine Grained Access to Network Services Review Checklist: Security: New Features Oracle SecureFiles Use SecureFile LOBs to store documents with Compression, Encryption, De-duplication, and Caching 146 Use SQL and PL/SQL APIs to Access SecureFile LOBs Review Checklist: Oracle SecureFiles Miscellaneous New Features Describe and Use Online Table Redefinition Enhanced Fine Grained Dependency Management Use Enhanced DDL Apply the Improved Table Lock Mechanism, Create Invisible Indexes Use Query Result Cache and PL/SQL Result Cache Adaptive Cursor Sharing Temporary Tablespace Enhancements Review Checklist: Miscellaneous New Features SQL Performance Analyzer Overview of SQL Performance Analyzer Using SQL Performance Analyzer Review Checklist: SQL Performance Analyzer SQL Plan Management SQL Plan Baseline Architecture Set up a SQL Plan Baseline Using SQL Plan Baseline Review Checklist: SQL Plan Management Automatic SQL Tuning Set up and Modify Automatic SQL Tuning Interpret Reports Generated by Automatic SQL Tuning Review Checklist: Automatic SQL Tuning Test Taking Strategies