Tag Archives: Configuration

Certification Spotlight: Microsoft Certified Technology Specialist (MCTS): Forefront Identity Manager 2010, Configuration; what the heck does that cert mean?

So, whether you are hiring or being hired, you will always hear about certifications, but you want a good one.  Great, let’s talk about some!

Which one next? Well, let’s hit one of the odd-ball specialty certifications from Microsoft.  The test is 070-158. Sounds really engaging, doesn’t it? Microsoft test 070-158, or 70-158 as some people write it.  OK, the test number just sounds lame… but what does it get you? How about adding “Microsoft Certified Technology Specialist (MCTS): Forefront Identity Manager 2010, Configuration” to your resume?  Um, er, what does that mean?  I mean seriously, does anyone care or understand?  And is it a title or what?

So first let’s talk about what an MCTS is.  Microsoft Certified Technology Specialist (MCTS) certifications are designed to validate a candidate’s skills at using, planning, deploying and troubleshooting a specific Microsoft technology. They are also sometimes used as stepping stones toward the Microsoft Certified IT Professional (MCITP) or Microsoft Certified Professional Developer (MCPD) certifications.  With an MCITP or MCTS it is generally accepted to add the credential after your name when signing emails or documents electronically, such as Joe Black, MCTS.  You can also list the specifics in your email signature afterwards… but in general I don’t.

Now let’s get back to the certification at hand: “Microsoft Certified Technology Specialist (MCTS): Forefront Identity Manager 2010, Configuration”. What is this one?  It is a certification for the product listed, Forefront Identity Manager 2010, and as such it is an exotic one, for people who deal with making Active Directory talk to other LDAP-based directories and identity stores using FIM. So the next question is: who is this for?  What does Microsoft say?

“Typical candidates for this exam are Identity Specialists who deploy and manage Forefront Identity Manager (FIM) 2010 in an enterprise environment consisting of more than 5,000 identities with a dynamic lifecycle. These organizations may be geographically and/or organizationally dispersed and may require compliance with extensive regulations. The environment may include multiple applications that consume identities and/or multiple disconnected data sources.”

Don’t you love how Microsoft even has to spell out in parentheses what the acronyms are?  More to the point, though… it really does say what this cert says you can do.  What it doesn’t say is how good you have to be to pass, or whether the cert is worth anything.  In general, the level of proficiency for an MCTS is based on more than a year of actual use of the product with heavy troubleshooting. So what this means is that you really know how to implement, troubleshoot… and even explain a product.  Oddly, that last one is almost as important as implementation skills for this cert: FIM is just not a heavily used product.  It is, however, an extremely valuable one, because it makes other applications and even environments communicate by translating between them through a metaverse (yep, real term).

So how does this stand up to other certifications?  An MCTS has a low time-in-use requirement; however, it is also very specialized.  What makes this one different is that it covers an obscure technology that is normally used by people with over ten years in the industry.  So while it is a low-level certification, it actually signifies something that normally sits with, or even above, an Enterprise Administrator’s MCITP. On a ten-point scale, with MCM, MCSM, CCIE and JNCIE at the top as a ten, and Microsoft Technology Associate (MTA), Configuration and CCENT at the low end as a one, how would I rate it?  Alone, I would rate it a 5.  Connected to MCITP: Enterprise Administrator, I rate it a 7.  It is a major name and brings out a lot of conversation.  It also shows significant skill and determination, as well as longevity in the field.

One caveat as always: remember when discussing certs.  Certs do not equal experience.  Certs validate experience.

What do you think?  And what certification would you like me to take a look at and grade next week?

Active Directory: Wait, you relocate the data stores, moving the NTDS Database, Sysvol and Logs from default? Why?

When you start building domain controllers, one of the simple ideas people bring up is that you should always leave the Active Directory data (the NTDS database, SYSVOL and logs, also known as directory data) in its default location under the Windows directory (%SystemRoot%\NTDS and %SystemRoot%\SYSVOL).  The idea is that they are tucked away there, so nobody stumbles across them by accident and starts playing around with them.  Others simply say: that is where they belong.

I have been at this for so long that I hadn’t really thought about it until I received an email asking why I relocated the data stores in my blog post: A Visual Step by Step: Windows Server 2012, Active Directory 2012, time to build your first forest!

Well, it is probably obvious by now, that I disagree with the popular sentiment.

One of the problems is that most people confuse the Active Directory Domain Services role (what makes the server a domain controller) with the server itself. The reality is that Active Directory Domain Services is simply that: a role.  When you do work in your lab, or troubleshoot and restore your enterprise systems, you need to be able to easily back up or even copy everything related to Active Directory.  Why hide it in the Windows directory with thousands of other files and folders?

When you isolate these folders and files into a single root-level directory (I like C:\ADDS) you get one directory to manage.  One directory to exclude from antivirus; yes, the NTDS database, SYSVOL and logs must be excluded from on-access scanning (if you even put antivirus on your domain controllers… another topic to discuss at a later date). It also lets you copy everything to do with Active Directory with a right click of the mouse or a simple backup command (to get everything).  Keep in mind that the live ntds.dit and its logs are held open by the DC, so a plain file copy is not a consistent backup; take a system state backup or an IFM snapshot when you need a restorable copy.  This is awesome when troubleshooting things like Journal Wrap, restoring login scripts, or even restoring Active Directory itself.  It is a life saver for a quick directory restore operation.

The idea here is to make your management of Active Directory simpler.  Now comes some neat things you can do if you have additional physical volumes to move these files to.

In a large environment, placing the directory data (SYSVOL, NTDS, logs) on its own NTFS volume takes that disk I/O off the system volume.  This reduces the chance of errors such as the SYSVOL replication engine (FRS, or DFS Replication on newer domains) not keeping up with changes.  It also lets the domain controller service client requests more efficiently, which can be vital for an enterprise PDC Emulator: less I/O contention means more client requests processed. From a performance point of view you could use three separate disk arrays: one for your boot partition, one for your Active Directory database and the Shared System Volume (SYSVOL) folder, and one for your Active Directory log files.

However, remember that Active Directory is based on a database (the ESE engine behind ntds.dit writes its transaction logs sequentially and the database itself randomly).  As such, if you want the absolute best performance possible… separate all three parts of the directory data onto three separate drives.  Granted, this is only done when an enterprise needs extreme responsiveness, and it starts to become a management headache, as you now have three separate drives to back up. Let’s just keep it simple if we can, OK?
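As an added example, not code from the original post, here is the relocation done from PowerShell on Windows Server 2012 or later, followed by the two checks a practitioner wants afterwards: reading back from the registry where the DC actually put the directory data (which is also how you find it on a DC someone else built), and excluding those paths from on-access antivirus scanning. The forest name corp.example, the NetBIOS name CORP and the L:\ADDS alternative log volume are placeholders; the root C:\ADDS is the one from the post.

```powershell
# Added example, not code from the original post. Promotes the first domain
# controller of a new forest with the NTDS database, logs and SYSVOL relocated
# under one root (C:\ADDS), verifies where the DC really put them by reading the
# registry, and excludes those paths from Microsoft Defender on-access scanning.
# Assumptions (placeholders): forest corp.example, NetBIOS name CORP, a Windows
# Server 2012 or later box with the AD DS role already installed
# (Install-WindowsFeature AD-Domain-Services), run from an elevated prompt.
#Requires -RunAsAdministrator

Import-Module ADDSDeployment

$Root    = 'C:\ADDS'   # one directory to manage, back up and exclude from AV
$LogRoot = $Root       # set to e.g. 'L:\ADDS' to put the ESE logs on their own array

$Paths = @{
    DatabasePath = Join-Path $Root    'NTDS'
    LogPath      = Join-Path $LogRoot 'Logs'
    SysvolPath   = Join-Path $Root    'SYSVOL'
}
foreach ($p in $Paths.Values) {
    New-Item -ItemType Directory -Path $p -Force | Out-Null
}

# Promote. The DSRM password is prompted for when -SafeModeAdministratorPassword
# is omitted; -NoRebootOnCompletion lets you run the checks below before rebooting.
Install-ADDSForest -DomainName 'corp.example' -DomainNetbiosName 'CORP' `
    -ForestMode Win2012 -DomainMode Win2012 -InstallDns `
    -DatabasePath $Paths.DatabasePath -LogPath $Paths.LogPath -SysvolPath $Paths.SysvolPath `
    -NoRebootOnCompletion -Force

# Where did the DC really put the directory data? NTDS and Netlogon record it in
# the registry, so this works on any DC, not just one you built yourself.
function Get-ADDSDataPaths {
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    [pscustomobject]@{
        Database = $ntds.'DSA Database file'          # full path to ntds.dit
        Logs     = $ntds.'Database log files path'    # edb*.log, edb.chk
        Working  = $ntds.'DSA Working Directory'
        Sysvol   = $nl.SysVol                          # ...\SYSVOL\sysvol
    }
}
$found = Get-ADDSDataPaths
$found | Format-List

# Fail loudly if anything landed outside the root(s) we asked for.
foreach ($entry in $found.PSObject.Properties) {
    if ($entry.Value -notlike "$Root\*" -and $entry.Value -notlike "$LogRoot\*") {
        throw "$($entry.Name) is at '$($entry.Value)', not under $Root"
    }
}

# Keep on-access scanning away from the database, logs and SYSVOL. Use the paths
# the DC reports rather than the ones we asked for, and add the replication
# engine process exclusions. Skip this if your AV already applies role-based
# exclusions (Defender on Server 2016+ does for the AD DS role).
if (Get-Command Add-MpPreference -ErrorAction SilentlyContinue) {
    Add-MpPreference -ExclusionPath (Split-Path $found.Database), $found.Logs, $found.Working, $found.Sysvol
    Add-MpPreference -ExclusionProcess 'ntfrs.exe', 'dfsrs.exe'
}

# A restorable copy is a system state backup (or an IFM snapshot via ntdsutil),
# not a file copy: ntds.dit and its logs are held open by the running DC.
# wbadmin start systemstatebackup -backupTarget:E: -quiet
```

The registry read is the part to keep in your toolbox: it answers the "untrained staff won't know where to look" objection, because the DC itself always knows where its data lives. The commented-out wbadmin line is the caveat to the right-click copy: copying C:\ADDS gets you the login scripts in SYSVOL, but a restorable database comes from a system state backup or an IFM snapshot, not from copying an open ntds.dit.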

What are the negatives? If this is going to be a domain controller that is not managed by trained staff… don’t do this.  Some administrators won’t realize that they should look elsewhere for the directory data; training fixes that.  Additionally, when you follow simple step-by-steps found online, the administrator will need to adjust the paths in the commands on the fly.

Is it doable with the negatives?  Yes.  Do I consider the advantages more valuable than the risks from the negatives? Absolutely.  It keeps things simple for backups, restores and troubleshooting.  You can isolate your directory data and make your life simpler.