Certified Mail: December 2001
Disputing death, deputies of morality, and what's up with the MCSD.
Duel to the Death Disputes
I read “Duel
to the Death” in the October issue and had some problems with Alan
Knowles’ article. Figure 2 shows a logical layout that doesn’t represent
what he discussed. He mentions having root level and child domains, yet
the ad.healthsys.org domain means that it’s a child under healthsys.org.
The picture makes it appear as a root, as it’s raised in height; the lines
meet at the top of domain, indicating they’re all of the same hierarchy.
The words and the picture just don’t correlate. Knowles also mentions
putting each region as its own domain for structuring “additional forest
elements below the first level,” which means child domains. This information
is incorrect; domain admins of child domains by default can’t add child
domains under their domain. That’s a role for the enterprise admin. Yes,
you can make every domain admin an enterprise admin, but that would be
insane and defeat the purpose of the “security boundary” that defines
the domain. This also prevents rogue admins from adding domains to the
forest behind the IT director’s back.
Another suggestion he could have used was to take the BDC offline for
rollback purposes. Because many companies don’t have “extra” BDCs to pull
offline for a few months until everything works fine, I have an effective
procedure. I take a spare hard drive and mirror the BDC, break the mirror,
pull the drive out and put it on a shelf. It’s a lot more cost-effective;
to roll back, you simply replace the drive.
In his “Lessons Learned” sidebar, the author mentioned an issue with
getting DHCP to work after upgrading. DHCP servers don’t come up authorized
when upgrading from NT 4.0. This is mentioned in the Microsoft Press book,
Upgrading NT4.0 to 2000.
—Mark Mancini, MCSE+I, CCA, CCNA, Master CIW, CNE
Acworth, Georgia
[email protected]
It seems that some important points in the article were missed.
I’m happy to cover these issues. First, I didn’t mention the terms “child
domain” nor “root level” in the article. The diagram represents exactly
the discussion. The use of the term “root domain” was used just as Microsoft
and most others use the term for the first domain in the forest and
the domain that contains the forest FSMO roles of Schema Master and
Domain Naming Master. The diagram only has the ad.heatlhsys.org domain
raised to illustrate that it’s the root domain and the “place holder”
and “apolitical” center—both of which are mentioned clearly in the text
body and in the text under the diagram. Many people are used to seeing
the traditional hierarchical root-level/child-level diagrams, but in
our case the more unique “peer-level” structure made the most technical
and political (which shouldn’t be underestimated) sense. This “peer”
structure was boldly labeled on the diagram. These aren’t only domains,
but each is a separate tree as indicated by the use of the lines connecting
from the top (bottom for domains only) of each triangle in the diagram.
(Some may now argue that these aren’t separate trees because they occupy
a contiguous DNS namespace. But when each region installs the first
DC, they choose “new tree in existing forest,” so these are actually
separate trees with the same DNS namespace.)
Second, each region is responsible for a tree. I didn’t state anything
about the regional administrators being domain admins, nor did I say
anything about making all domain admins members of the enterprise admins
group. However, our enterprise admins group membership is made up of
at least one person from each region (usually the same person who handles
the MS-DNS/WINS). This is part of the discussion that took two days,
mentioned at the beginning of the article. I won’t debate Microsoft’s
AD domain security model here. There are pros and cons to each design
choice. Our choice was to join a single forest for technical reasons
and with the knowledge of the possible cross-regional adverse effects.
All regions will have some input on the forest-wide and schema decisions,
and each has technical representation with a member of the enterprise
admins group.
Third, the BDC taken offline that we used was an old, out-of-warranty,
low-end server. The idea was to introduce a “clean” server as a BDC
and then take it offline. All of our production BDCs also serve some
other function, so the reader’s drive-swapping idea wouldn’t have worked
as cleanly for us. After a couple of weeks, it became obvious that there’d
be no turning back because so many users had been added and changes
made. This is a very short-term insurance policy.
Last, I think the reader missed the point of the comment about the
non-working DHCP server. This was perhaps not the best example, but
the point has nothing to do with the DHCP server itself. We needed to
anticipate some problems and use these as opportunities to find a solution,
not just resort to the blackout plan. By the way, an upgraded DHCP won’t
come up authorized, but it’ll still work until the DHCP Admin tool is
used to connect to that server after the upgrade! At least this has
been our experience; perhaps some manuals state something else, but
I’m always interested in what others have found.
—Alan Knowles
No Time to be a Morality Cop
Regarding Dian Schaffhauser’s column, “The
Yuck Factor,” in the October issue, I don’t think the government has
any idea what a day in the life of a computer person is like. I’m so busy
with so many other fires, I may look at the Web filter for maybe 10 minutes
every other day. To sit and monitor employees doesn’t make sense. What
are those people in South Carolina thinking? Who am I to be a morality
policeman? What extra anything would I get for my services? There aren’t
enough hours in the day for me to do everything everyone needs done immediately.
When I became the Web security officer, I was upset about what I found
on other employees’ computers. I tried to change that, but the management
at this huge medical enterprise (with religious overtones) took the fight
out of me. Now I just make sure the server doesn’t crash.
—Michael Rife, MCSE, CCNA
An MCSD Course
I’m currently studying for my MCSD and was wondering about a few things.
First, how long will the certification be valid with the .NET versions
coming out? Second, are there .NET (VB.NET, to be exact) certifications
out there already (even beta tests)? Finally, is it worth studying for
the present MCSD tests or should I just waiting for the .NET tests to
be released?
—Damone Autry
Las Vegas, Nevada
[email protected]
We don’t know yet what Microsoft plans regarding retirement of the
current MCSD exams. As it hasn’t announced retirement dates for those
tests, we can guess that it’ll keep it around for at least a couple
of years (until the post-.NET exams come out). Regarding availability
of .NET exams, nothing out yet. We expect to start seeing those in the
first quarter of 2002. When it comes to what tests to go after, it makes
sense to test on what you’ve been working with. If it’s the current
revision of Visual Basic, for instance, then tackle the current set
of tests for VB. You’ll be able to mix and match exams between the current
tests and the .NET editions of the tests. That means either generation
of exams will work for you to achieve your MCSD.
Unqualified Interviewers
Greg Neilson’s article on interviewing in “Professionally
Speaking,” in the September issue, hit the nail on the head. I recently
had an interview. The person interviewing me wasn’t prepared to give me
a technical interview. He asked me vague questions about ODBC errors,
gave me scenario questions about a network problem that didn’t make sense,
and so on.
While I was trying to answer his question, he interrupted me to change
the question. I’ve been a certified engineer in this field for several
years and it’s just crazy that the people you’re trying to impress aren’t
prepared themselves.
—Earl Brown, MCP+I
Jersey City, New Jersey
[email protected]
Thanks for your comments. I’m glad you enjoyed the article. One
of the tips I picked up on my interviewing course that I didn’t have
room to mention was that if an interviewee spends a lot of space in
their resume describing a project, then this is clearly something they’re
very proud of and will be wanting to talk about in an interview. Even
if it appears at first that this project may not be closely related
to the position you’re hiring for, you might learn some things of interest
about the interviewee by discussing that project.
—Greg Neilson
Control Your Installations
I have an issue with a statement made in Roberta Bragg's column, "Risky
Business," in the September issue. In item three of the "Incoming Wounded"
section, Roberta states, "IIS is installed by default." While this is
true if you allow the installation routines to choose the services/features
for you, what system administrator worth his or her salt allows this behavior?
Windows in general and Windows 2000 (and XP) especially allow an incredible
amount of control over the installation and configuration of Windows—not
only after, but during installation. Yes, there are those that just let
the setup make up their minds for them, but to them I say, "You get what
you don't ask for."
—Jim Harrison, MCP(2K), A+, Network+, PCG
Redmond, Washington
[email protected]
I agree 100 percent. An admin should know to uncheck that box. However,
apparently, a lot of them don't. (Consider Code Red.) Indeed, it's the
"default configuration," just like the fax service, Notepad, WordPad,
pinball games, and so on, all of which there really is no need for on
a server. In fact, proper training and proper vetting of admins will
reduce the risk of running any operating system.
OK, challenge time: How many of you out there strip Win2K or Windows
NT every time you install it? I don't just mean unchecking IIS, but
also removing extraneous services, utilities and games; disabling services
that aren't needed but can't easily be removed (like Dfs on a server
where it won't be used); removing unnecessary certificates from enterprise
trusts; hardening with security templates, and so on? I'm assuming the
readership here has a higher concentration of admins that do some of
this, but I'm willing to bet a lot of you don't go very far down this
road. Let me know what you do at installation!
—Roberta Bragg
[email protected]
Frustration Down Under?
In Australia on January 2001 there were 10,000-plus MCSEs. In August 2001,
there were only 236 Windows 2000 MCSEs! Do you think the Aussies are sending
a message that Microsoft has mucked up the program?
—Ron Dale
[email protected]
About Those New Certifications
I think the decision to introduce a "middle" certification (between MCP
and MCSE) is a mistake. Two were plenty, with an introductory one (MCP)
and an advanced one (MCSE). This will only flood the market with various
certifications, making it difficult to distinguish between them all, ultimately
reducing the worth of the highest level.
This program is on the way down. They should never retire certifications,
just give them new titles; in other words, you could be an NT 4.0 MCSE
forever and become a Windows 2000 MCSE by taking some refresher tests.
This would make for a better program and better participants. What Microsoft
is going to be left with is very few true Win2K MCSEs, which will ultimately
reduce the quantity of deployments of their software.
—Russel G. Hodge
Niceville, Florida
[email protected]
I don't know what these new in-between MCP and MCSE certs are called,
but having one (not two) in between seems like a good idea, especially
since the difference between the MCP and MCSE titles is so great. You
could pass six exams and still be an MCP! Do you know what the new certs
are going to be called, by chance?
—David Jackson
Tampa, Florida
[email protected]
For more details, more details, read "MCSA
Gets New Exam" in this month's News.
MCP Simply Won't Do
The reason I have an "all or nothing" approach to obtaining my Windows
2000 MCSE by the end of the year is twofold. First, MCSE is the certification
mentioned in the want ads, not MCP. Second, the NT 4.0 MCP certs I obtained
in 2000 weren't worth the effort of noting on my resume.
These hard-won certifications have increased neither the quantity of
my interviews, nor the number of full-time permanent IT employment offers,
which as of this date stands at zero. Based upon this performance by the
IT industry and human resources professionals employed therein, I can't
help but conclude that "just a couple of Win2K certs" will be treated
any differently.
Since I've invested one year and $6,000 in a year-long instructor-led
NT/Win2K certification course, I'm forced to recoup this investment somehow.
The only somehow I can see is by obtaining my MCSE certification and getting
a high-paying job in the IT industry thereafter.
—Loel H. Larzelere, MCP
Grove City, Ohio
[email protected]
Twenty-five Tests and Counting
I've just passed my 25th Microsoft exam (70-227) and I was wondering where
I stand in the certification stakes. Who has passed the largest number
of exams, and how many have they passed?
—Paul Eddington
Perth, Western Australia
[email protected]