Implementing and Administering Windows 2000 Network Infrastructure
DHCP (Dynamic Host Configuration Protocol)
DHCP is used to automatically assign IP addresses. The addresses are
leased for a specified period of time (default 8 days). The benefits of
DHCP are that you don't have to keep a database of addresses, and it
removes the likelihood of typing an address in wrong.
The lease process:
Request - The client sends out a broadcast to its entire subnet looking
for any DHCP server. The MAC address and computer name are part of this
request.
Offer - All DHCP servers on the subnet will offer an address to the
client.
Accept - The DHCP client broadcasts back to the first DHCP server a
request to accept the offer.
Acknowledge - The DHCP server broadcasts back an acknowledgement
(DHCPACK) that the lease was successful.
If you have multiple NIC cards, each one processes the IP
information independently.
Renewal - A DHCP client will try to renew its address after 50% of the
lease life is up. This is a direct request to the DHCP server, not a
broadcast. The DHCP server may renew the IP and the client will keep it
for the specified number of days again. If the DHCP server does not
renew the lease (issues a DHCPNACK), the client will keep the IP
configuration until 87.5% of the lease life is up. The client will then
send out a broadcast message to the entire subnet and the process
starts over again. If you want to renew your lease manually, use the
command ipconfig /release followed by ipconfig /renew.
Authorization
- In Windows 2000, DHCP servers need to be authorized before they
can send out leases. This prevents an unauthorized DHCP server from
appearing on the network and handing out leases. Only Enterprise
Admins can authorize DHCP servers.
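The lease process and the authorization rule above, as an added example that is not code from the study guide: a small Python simulation in which an unauthorized server never answers the client's request, and the client's 50% / 87.5% renewal phases are computed from the lease length (server names, MAC addresses, pools and lease lengths are constructed).

```python
"""Simulation of the DHCP lease process and server authorization described
above. Added example, not code from the study guide; server names, MAC
addresses, pools and lease lengths are constructed sample values."""
from dataclasses import dataclass, field

T1_FRACTION = 0.5     # client starts unicast renewal at 50% of the lease
T2_FRACTION = 0.875   # client falls back to broadcast at 87.5% of the lease


@dataclass
class DhcpServer:
    name: str
    pool: list                   # addresses still free to hand out
    authorized: bool = True      # Windows 2000: unauthorized servers lease nothing
    leases: dict = field(default_factory=dict)   # mac -> ip

    def offer(self, mac):
        """DHCPOFFER in reply to the client's broadcast request (simplified)."""
        if not self.authorized or not self.pool:
            return None
        return self.pool[0]

    def ack(self, mac, ip):
        """DHCPACK: commit the lease the client accepted."""
        if ip not in self.pool:
            return False
        self.pool.remove(ip)
        self.leases[mac] = ip
        return True

    def renew(self, mac, ip):
        """Unicast renewal at 50%: True = renewed, False = DHCPNACK."""
        return self.leases.get(mac) == ip


def lease_process(client_mac, servers):
    """Request/Offer/Accept/Acknowledge: the client takes the first offer
    it receives and accepts with that server; returns (server, ip)."""
    for server in servers:
        ip = server.offer(client_mac)
        if ip is not None and server.ack(client_mac, ip):
            return server.name, ip
    return None


def lease_phase(elapsed, lease_length):
    """Phase of a lease after `elapsed` seconds out of `lease_length`."""
    if elapsed >= lease_length:
        return "expired"      # lease ran out, back to the broadcast request
    if elapsed >= T2_FRACTION * lease_length:
        return "rebinding"    # 87.5%: broadcast to any DHCP server
    if elapsed >= T1_FRACTION * lease_length:
        return "renewing"     # 50%: direct request to the leasing server
    return "bound"
```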
Scopes
- A scope is a group of IP addresses that your DHCP server will be
able to hand out.
Reservations
- You can reserve a specific IP address for a client. You will need
the MAC address of the client.
DHCP options
- Along with an IP address, DHCP can hand out several other pieces
of information, such as:
Subnet Mask
Domain Name
Default Gateway
DNS server
WINS server
NetBIOS node type
Option Classes
- DHCP option classes allow you to give specific options to certain
groups of computers. There are 2 types of option classes,
Vendor-defined and User-defined.
Vendor-defined - allows you to set options based on the
operating system.
User-defined - identifies clients by client type. You can use this to
do things like set a short lease for dialup connections.
DHCP Relay Agent
- used in a routed environment, the relay agent captures DHCP
requests and forwards them to a DHCP server on another subnet.
DNS (Domain Name System)
DNS is used to resolve fully qualified domain names (FQDNs) to IP
addresses, e.g. CERTguide.com resolves to 24.128.102.7.
Windows 2000 uses DNS as its primary means of resolution including
locating domain controllers.
Query Types
Iterative Query - If the DNS server does not have the answer, it
will tell you that it can't help you.
Recursive Query - If the DNS server does not have the answer, it
will go to another DNS server that does.
Lookup Zone Files
Forward Lookup Zone - resolves hostname to IP address
Reverse Lookup Zone - resolves IP address to hostname.
Hosts file - a manually updated text file that contains IP address to
host name mappings. This is how it was done before DNS.
Zone Types
DNS is divided into zones so you can be responsible only for your
section or zone.
Standard Primary - contains read/write copy of zone file stored in a
text file.
Standard Secondary - contains read only copy of zone file stored in
a text file. Changes are made on the primary and replicated to the
secondary.
Active Directory Integrated - stores zone info in Active Directory.
Changes update with Active directory replication automatically.
Record Types
A record - hostname to IP address. You must add these manually if
your clients do not update. Also referred to as a host record.
MX record (Mail Exchanger) - Specifies which server to deliver mail
to.
CNAME (canonical name) record - allows you to give additional names
to an A record. If the server patriots.CERTguide.com hosts the
website for www.CERTguide.com, create a CNAME to map www to
patriots. Also referred to as an alias record.
Start of Authority (SOA record) - controls how often and with whom
replication takes place.
Zone Transfer - This is the process of replicating data from one DNS
server to another.
Windows 2000 introduces incremental zone transfer (IXFR), which only
transfers changes to the zone instead of the entire zone.
Subdomain - also known as a child domain, located below the domain.
tips.CERTguide.com is a subdomain of CERTguide.com.
DDNS (Dynamic DNS) -
Windows 2000 includes DNS that is dynamically updated to prevent
having to manually keep the DNS database current. When a Windows 2000
client boots up, it sends its info straight to the DNS server to be
added. Windows 9x and NT clients cannot pass their information directly
to the DNS server, so the DHCP server forwards their information along
to allow them to take advantage of Dynamic DNS. Dynamic updates are
configured at the zone level, so you can choose to keep updating one or
more zones manually.
Caching only servers
- look up queries for clients and cache the information so the
clients don't have to keep going to the server. They are not
authoritative for anything.
WINS (Windows Internet Name Service)
WINS is responsible for resolving NetBIOS names to IP addresses.
When a WINS client boots up it announces itself to the WINS server.
The WINS server stores the name and IP of the client in the database
to hand out on future requests. This enables you to connect to a
server named Appserver by name instead of having to remember
Appserver’s IP address. The WINS database is dynamic.
WINS is not needed in a purely Windows 2000 environment and is
strictly there for backward compatibility.
WINS servers are required to have static IP addresses.
Name Resolution Nodes
B-Node (broadcast) - uses broadcasts to resolve names (not
recommended for larger networks)
P-Node (peer to peer) - uses WINS only, no broadcasts. No WINS
server, no resolution.
M-Node (mixed) - Broadcast first, then WINS. (not recommended as you
want to minimize broadcasts)
H-Node (hybrid) - uses WINS first, then broadcast.
(recommended as it cuts down broadcasts by trying WINS first but
will resort to broadcast as last resort.)
These node types can be assigned by DHCP or edited in the registry
at:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Nodetype
The values are:
B-node - 1
P-node - 2
M-node - 4
H-node - 8
LMhosts file - text file that you manually update that holds NetBIOS
name and IP combinations.
Non-WINS clients
DNS Integration - WINS can be integrated with DNS so non-WINS clients
can query the DNS server and the DNS server will get the answer from
WINS.
Static Mappings - You can manually add mappings for non-Windows clients
to your WINS database. This will allow your WINS-enabled clients to
query the WINS server for things like UNIX boxes.
WINS Proxy - listens for broadcasts from non-WINS clients, captures
them, gets the info from the WINS server, then returns the info to the
non-WINS client.
WINS Replication
- You should have multiple WINS servers for fault tolerance.
These servers can be set up to replicate the data to each other.
WINS replicates changes only instead of the whole database.
Push Partner - WINS will replicate after a certain number of changes
to the database.
Pull Partner - WINS will replicate at a certain time period
regardless of the number of changes.
Push/Pull Partner - WINS will replicate at a certain number of
changes or at a specified time interval regardless of the number of
changes.
PKI (Public Key Infrastructure)
Public Key Encryption
- Public Key Encryption uses a 2-key method to encrypt data.
Public Key is given out to any user wishing to communicate.
Private Key is kept secret and used to decrypt what was encrypted with
the public key.
ex. I send you my public key, you encrypt data with my public key and
send it to me; only I have the matching private key to decrypt the
data. If the data is intercepted, it is unreadable.
Public Key Authentication - Public Key Encryption uses the same 2-key
method for authentication.
This is also known as digital signatures. Digital signatures are very
common when visiting websites.
Public Key is sent out to the user to authenticate the sender.
Private key is used to encrypt the data to be sent.
ex. I send you my public key so you can decrypt data that is encrypted
with my private key. I encrypt data using my private key. You decrypt
the data with my public key, thus verifying that I am who I claim to
be.
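The two examples above (encrypt to me with my public key; I sign with my private key) walked through in textbook RSA with tiny constructed primes. This is an added example, not code from the study guide or from Windows 2000; the key sizes are toy values and real PKI adds padding and much larger keys.

```python
"""Textbook RSA with tiny constructed primes, walking through the two uses
described above: anyone encrypts to me with my public key, and I sign
with my private key so anyone can verify. Added example, not from the
study guide; real PKI uses keys of 1024 bits or more plus padding."""
import hashlib


def keypair(p=61, q=53, e=17):
    """Constructed toy key: n = p*q, d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse, Python 3.8+
    return (e, n), (d, n)        # (public key, private key)


def encrypt(public, m):
    """Anyone holding the public key can encrypt an integer m < n."""
    e, n = public
    return pow(m, e, n)


def decrypt(private, c):
    """Only the private key holder recovers m; an interceptor cannot."""
    d, n = private
    return pow(c, d, n)


def sign_hash(private, h):
    """Signing: 'encrypt' the hash of the data with the private key."""
    d, n = private
    return pow(h, d, n)


def verify_hash(public, h, signature):
    """Verifying: 'decrypt' with the public key and compare the hashes."""
    e, n = public
    return pow(signature, e, n) == h


def digest(data, n):
    """SHA-256 of the data, reduced mod n so the toy key can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    """Sign arbitrary bytes: hash first, then sign the hash."""
    return sign_hash(private, digest(data, private[1]))


def verify(public, data, signature):
    """Verify bytes against a signature using only the public key."""
    return verify_hash(public, digest(data, public[1]), signature)
```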
CA (Certificate Authority) - A Certificate Authority is responsible for
assigning the keys for encryption, decryption and authentication. There
are 2 types of CAs, Enterprise and Stand-Alone. Each of these types can
have a root CA and Subordinate CAs. The types and their characteristics:
Enterprise Root CA - Top-level CA. An Enterprise CA requires Active
Directory, so it should be used on your internal Windows 2000 network.
Enterprise Subordinate CA - Obtains its CA certificate from the
Enterprise root. An Enterprise CA requires Active Directory, so it
should be used on your internal Windows 2000 network.
Stand-Alone Root CA - Top-level CA. A Stand-Alone CA does not require
Active Directory, so it can be used for people connecting from outside
your network (e.g. the Internet or an extranet).
Stand-Alone Subordinate CA - Obtains its CA certificate from the
Stand-Alone root. A Stand-Alone CA does not require Active Directory,
so it can be used for people connecting from outside your network
(e.g. the Internet or an extranet).
IPSec (Internet Protocol Security)
IPSec is a method of encrypting IP packets. If packets are
captured while going across the network, they will not be able to be
read. In Windows 2000, IPSec is enforced by setting a policy
in the IP Security Policy Management snap-in to the Management
Console.
Predefined Policies
Client - A computer will only respond using IPSec if another
computer requests it.
Server - A computer will always respond using IPSec but will
accept unsecured traffic.
Secure Server - A computer will not accept any unsecured
traffic and will only send out secured traffic.
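The three predefined policies above, as an added example that is not from the study guide: a small Python model of what traffic results between two hosts, plus a helper that lists the host pairs still talking in clear text. The "none" label for a host with no IPSec policy assigned is a constructed addition.

```python
"""What a conversation between two Windows 2000 hosts produces under the
predefined IPSec policies above. Added example, not from the study guide;
'none' is a constructed label for a host with no IPSec policy assigned."""

# policy: (requests IPSec, responds to an IPSec request, accepts clear text)
POLICIES = {
    "client":        (False, True,  True),
    "server":        (True,  True,  True),
    "secure_server": (True,  True,  False),
    "none":          (False, False, True),
}


def negotiate(policy_a, policy_b):
    """Return 'secured', 'unsecured' or 'blocked' for traffic between two hosts."""
    a_req, a_resp, a_clear = POLICIES[policy_a]
    b_req, b_resp, b_clear = POLICIES[policy_b]
    if (a_req and b_resp) or (b_req and a_resp):
        return "secured"            # one side asked for IPSec, the other answered
    if a_clear and b_clear:
        return "unsecured"          # nobody asked, or the asker fell back to clear
    return "blocked"                # Secure Server refuses unsecured traffic


def unsecured_pairs(hosts):
    """Pairs of hosts (name -> policy) that would still talk in clear text."""
    names = sorted(hosts)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if negotiate(hosts[x], hosts[y]) == "unsecured"]


def policy_matrix():
    """Full result table, handy for checking a planned policy assignment."""
    return {(a, b): negotiate(a, b) for a in POLICIES for b in POLICIES}
```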
IPSec can be used in 2 modes, transport and tunnel
Transport Mode - This is the default mode for IPSec. It
provides secured communication between computers running Windows
2000.
Tunnel Mode - Enforces IPSec policies for all Internet
traffic. Supports most legacy Operating Systems. Windows
2000 Routing and Remote Access is necessary on machines at each end
of the tunnel.
Encryption Schemes -
Authentication (hashing) schemes include SHA and MD5.
SHA (Secure Hash Algorithm) - produces a 160-bit hash. High performance
overhead.
MD5 (Message Digest 5) - Most widely used. Produces a 128-bit hash and
has low overhead.
Packet Encryption choices include 56-bit DES, 40-bit DES and 3DES
56-bit DES (56-bit Data Encryption Standard) - used for most exported
applications and e-mail. Low security using a single 56-bit key.
40-bit DES (40-bit Data Encryption Standard) - used for
exports to France. Low security using a single 40-bit key.
3DES (Triple Data Encryption Standard) - Most secure using
three 56-bit keys. Processes data 3 times using a different
key each time. High Processor overhead.
RAS (Remote Access Service)
Windows 2000 supports several remote access protocols including:
PPP (Point to Point Protocol) - most common Remote Access protocol.
Allows for multivendor environments.
SLIP (Serial Line Internet Protocol) - not supported on the server,
only the client. Mostly used for telnet.
Microsoft RAS - Clients must use NetBEUI. Server acts as gateway to
connect to NetBEUI, TCP/IP, or IPX/SPX.
ARAP (AppleTalk Remote Access Protocol) - A Windows 2000 server running
ARAP can accept connections from Macintosh clients.
Windows 2000 RAS supports several LAN protocols including:
TCP/IP
NetBEUI
NWLink
AppleTalk
Permissions can be set to allow access, deny access or control
through Remote Access Policy. (control through RAS policy only
available in native mode)
Caller ID can be enabled to check for a specific number before
accepting connection. (only available in native mode)
RAS can be configured to call user back at a specific number to
complete connection.
RAS can be set to assign a static IP address if a client requires a
specific IP.
Windows 2000 RAS supports multilink in which several connections can
be combined to increase bandwidth. Both client and server need
to have multilink enabled.
BAP (Bandwidth Allocation Protocol) - works with multilink to provide
bandwidth on demand by adding or dropping links as needed.
Remote Access Authentication Protocols
PAP (Password Authentication Protocol) - uses clear text passwords.
Provides little security.
SPAP (Shiva Password Authentication Protocol) - more secure than PAP.
Used to connect Shiva LANRover clients to Windows 2000. Medium
security.
CHAP - (Challenge Handshake Authentication Protocol) - uses
the industry standard MD5 1-way encryption scheme to encrypt the
response. Highly Secure.
MS-CHAP (Microsoft Challenge Handshake Authentication
Protocol)- 1-way encrypted password. This is enabled by
default on a Windows 2000 server running RAS. Highly Secure.
MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol
v2)- Strong encryption. Windows 2000 clients use this by
default for dialup. Windows 2000,NT4 and Win98 clients use
this by default for VPN. Highly Secure.
EAP (Extensible Authentication Protocol) - Client and server
negotiate the Authentication method to include MD5 username and
password encryption, smart-cards, token cards, retina or fingerprint
scanners and other third party authentication technologies.
Remote Access Data Encryption Protocols
MPPE (Microsoft Point to Point Encryption) - Encrypts data
moving between a PPTP connection and a VPN server. Can use
128-bit, 56-bit or 40-bit encryption.
IPSec (Internet Protocol Security) - see above.
IP Addressing - RAS can hand out IP addresses using 3
methods:
Static IP address - IP address is configured on the client.
Not recommended because of the administration.
IP address Range - assign a range of addresses to the RAS server to be
able to give out.
DHCP addressing - RAS will get addresses for its clients from
a DHCP server. Highly recommended as there is only one pool of
IP addresses to maintain.
Remote Access Policies -
RAS Policies consist of Conditions, permissions and profile.
Conditions - Conditions include things like time, user
groups, IP addresses, caller ID's that must be matched for client to
connect.
Permissions - RAS policy permissions work in conjunction with a user's
dial-in permissions in Active Directory. Dial-in permissions will
override RAS Policy permissions. i.e. The sales group is granted
remote access through a policy from 9:00 to 5:00. John, a member of
the sales group, is given 24-hour access in Active Directory. John
will have 24-hour access.
Profiles - This contains settings such as time limits,
authentication and encryption protocols.
IAS (Internet Authentication Service)
- IAS in conjunction with Routing and Remote Access Service provides
support for RADIUS (Remote Authentication Dial-in User Service).
RADIUS is used for authentication of users outside of the internal
network. IAS also allows for tracking of connections for things like
usage for billing purposes and auditing for security purposes.
VPN (Virtual Private Networks)
A VPN is a tunnel between two systems. The data that passes between
the systems is encrypted. This allows for secure communication
across a public network such as the Internet.
VPNs use either PPTP or L2TP.
PPTP (Point to Point Tunneling Protocol) - only works on IP networks.
Uses built-in PPP encryption.
L2TP (Layer 2 Tunneling Protocol) - works on IP, Frame Relay, X.25 or
ATM. Uses IPSec encryption.
Using Windows 2000 as a Router
A multihomed (multiple network cards) Windows 2000 server can be
used as a router. A router forwards IP packets between network
segments. This functionality is greatly increased over NT4.0.
Routing Table - A routing table contains entries for all of
the networks that the router knows about and how to get a packet
there. Entries are put into this table by default for networks
that the router is directly connected to. Other networks have
to be added to the routing table for packets to be sent there.
Type 'route print' from the command prompt to see your system's
routing table.
Static Routing - You manually add entries to your
routing table. If a route changes, the table must be updated.
This is OK for small networks, but is not recommended for large
networks because of the administration.
Demand Dial Routing - A Windows 2000 router can be configured to dial
out to another router across the public phone network. This connection
will only be made when there is a request to send information across
that line. One nice feature is that you can restrict it to certain
times or protocols, so if you only want a connection to be made for
your daily file transfer, you can restrict the demand-dial to only dial
up for FTP.
RIP (Routing Information Protocol) - dynamically updates routers with
routing change info. Uses routing table. RIP v1 uses broadcast to send
its updates while RIP v2 uses multicast. Easy to set up and manage but
not very scalable as it causes a lot of traffic with updates.
OSPF (Open Shortest Path First) - dynamically updates routers with
routing change info. Uses link-state database. Complex to set up and
manage but works well in an enterprise class network as it only
announces changes to its routes as opposed to announcing all routes.
Packet Filtering - Filters can be put on to block certain types of
traffic from certain interfaces. ex. You can set a filter on a web
server to only accept traffic on port 80 (the default HTTP port).
Configure Internet Access for your Network
Using Windows 2000 as a router can allow your network to connect to
the Internet. The problem with this is that each client will need a
live IP address to connect. Here are some other options that Windows
2000 offers to avoid each client needing a registered IP address.
NAT (Network Address Translation)
- Windows 2000 includes NAT which allows you to use a private IP
scheme on your internal network yet still connect to the Internet.
Many computers can access the Internet using a single registered IP.
The server running NAT will receive the requests from the internal
client. The NAT server will replace the header info with its
own and send the packet to the Internet and store the information
about who made the request in a mapping table. When the NAT server
gets the response, it sends it back to the client that had the
original request by obtaining its info from the mapping table.
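The NAT mapping table described above, as an added example that is not from the study guide: a small Python model that rewrites outbound packets with the server's own address, records who asked in the table, and uses the table to return replies, dropping inbound packets that match no request. Addresses and ports are constructed sample values.

```python
"""Model of the NAT mapping table described above. Added example, not
from the study guide; addresses and ports are constructed sample values."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


@dataclass
class NatServer:
    public_ip: str                 # the single registered address
    next_port: int = 40000         # next public port to hand to a new flow
    table: dict = field(default_factory=dict)    # public port -> who asked
    reverse: dict = field(default_factory=dict)  # internal flow -> public port

    def outbound(self, pkt):
        """Replace the client's header info with our own and remember the flow."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.reverse.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.reverse[flow] = port
            self.table[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Look up the response in the table; None means it is dropped."""
        flow = self.table.get(pkt.dst_port)
        if flow is None:
            return None            # nobody inside asked for this: unsolicited
        inner_ip, inner_port, dst_ip, dst_port = flow
        if (pkt.src_ip, pkt.src_port) != (dst_ip, dst_port):
            return None            # came from a host the client never contacted
        return Packet(pkt.src_ip, pkt.src_port, inner_ip, inner_port, pkt.payload)
```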
Internet Connection Sharing
- Internet Connection Sharing is similar to NAT but is not very
flexible. It is good for a very small network or a home connection. It
automatically assigns IP addresses from a predefined IP scheme.
Proxy Server
- Proxy Server is similar to NAT in that it fulfills requests for
the clients. However Proxy uses caching so that multiple
requests for the same information do not have to keep going out to
the Internet. Also Proxy Server analyzes packets so you can
set security restrictions such as protocol, user, time, Port #,
domain name or IP address.