STUDY GUIDE
Exam 70-216
Implementing and Administering a Microsoft Windows 2000 Network Infrastructure
DNS in a Windows 2000 Network Infrastructure
Overview
DNS is the name service for Internet addresses used to translate
friendly domain names to numeric IP addresses. Microsoft’s web
page, http://www.microsoft.com translates to 207.46.130.149. A host
computer queries the name of a computer and a domain name server
cross-references the name to an IP address.
Windows 2000 clients use DNS for name resolution and for locating
domain controllers for logon. In DNS, the clients are resolvers and the
servers are name servers. DNS uses
three components: resolvers, name servers, and the domain name
space. A resolver sends queries to a name server. The name server
returns the requested information, a pointer to another name server,
or a failure message, if the request cannot be satisfied.
Resolvers
Resolvers pass name requests between applications and name servers.
The name request contains a query, such as the IP address of a Web
site. The resolver can be built into the application or may be
running on the host computer as a library routine.
Name Servers
A name server contains address information about other computers on
the network. Name servers are grouped into domains. The list of
records on each server for a namespace in the domain is called a
zone. Access to each computer in a given group is controlled by the
same server. If the name server is not able to resolve the request,
it can forward the request to another name server.
Root-Level Domains
Domains define levels of authority in a hierarchical structure. The
top of the hierarchy is called the root domain. References to the
root domain are expressed by a period (.).
Top-Level Domains
Top-Level Domains include the following:
Identifier  Organization
arpa        Reverse DNS
com         Commercial organizations
edu         Educational institutions and universities
gov         Nonmilitary government organizations
mil         Military government organizations
net         Networks (the backbone of the Internet)
num         Phone numbers
org         Non-profit organizations
xx          Two-letter country code
Second-Level Domains
Second-level domains contain hosts and other domains, called
subdomains.
Host Names
The domain name is used with the host name to create a fully
qualified domain name (FQDN). The FQDN is the host name followed by
a period (.), followed by the domain name.
Zones
A zone is the administrative unit for DNS. It is a subtree of the
DNS database that is administered as a single, separate entity. It
can consist of a single domain or a domain with subdomains. The
lower-level subdomains of a zone can also be split into separate
zones.
Name Server Roles
There are two roles of DNS servers for each standard zone: primary and
secondary. The existence of both servers provides database redundancy
and a level of fault tolerance.
Primary Name Servers
Primary name servers get the data for their zones from the local DNS
database files. When a change is made to the zone data, the change
must be made on the primary DNS server so that the new information is
entered in the local zone file.
Secondary Name Servers
Secondary name servers get their zone data file from the primary DNS
server that is authoritative for that zone. Zone transfer is the
process of the primary DNS server sending a copy of the zone file to
the secondary DNS server. Secondary servers allow for redundancy,
quicker access for remote locations, and load balancing. Primary or
secondary designation is defined at a zone level because information
for each zone is stored in separate files. A particular name server
may be a primary name server for certain zones and a secondary name
server for other zones.
Caching-Only Servers
Caching-only servers are DNS name servers that perform queries,
cache the answers, and return the results. No zone data is kept
locally. They contain only information that they have cached while
resolving queries. Less traffic is generated between servers because
the server is not doing a zone transfer. Caching-only servers can be
used if you have a slow connection between sites.
DHCP in a Windows 2000 Network Infrastructure
Overview
DHCP centralizes and manages the allocation of TCP/IP configuration
information by automatically assigning IP addresses to computers
configured to use DHCP. Each time a DHCP client starts, it
requests IP address information from a DHCP server, including the IP
address, the subnet mask, and optional values. The optional values
may include a default gateway address, Domain Name System (DNS)
address, and Windows Internet Name Service (WINS) server address.
When a DHCP server receives a request, it selects IP addressing
information from a pool of addresses defined in its database and
offers it to the DHCP client. If the client accepts the offer, the
IP addressing information is leased to the client for a specified
period of time. If there is no available IP addressing information
in the pool to lease to a client, the client cannot initialize
TCP/IP.
Windows 2000-based clients can automatically configure an IP address
and subnet mask if a DHCP server is unavailable at system start time,
through Automatic Private IP Addressing (APIPA). The Windows 2000 DHCP
client service goes through the following process to autoconfigure the
client:
• The DHCP client tries to locate a DHCP server and obtain an address.
• If a DHCP server does not respond or cannot be found, the DHCP client
autoconfigures its IP address and subnet mask using a selected address
from the reserved Class B network 169.254.0.0, with the subnet mask
255.255.0.0.
• The DHCP client then tests for address conflicts. If a conflict is
found, the client will retry autoconfiguration for up to 10 addresses.
• Once the DHCP client succeeds in selecting an address, it configures
its network interface with the IP address. The client continues to
check for a DHCP server every 5 minutes. If a DHCP server is later
found, the client will use an address offered by the DHCP server.
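The following Python model walks through the four steps above so the decision points can be seen in one place. It is an added example, not code from the study guide or from Microsoft: the set of addresses already in use, the way a candidate address is chosen, and the conflict test (an ARP probe on a real host) are all this example's own assumptions.

```python
import ipaddress
import random

APIPA_NET = ipaddress.IPv4Network("169.254.0.0/16")
APIPA_MASK = "255.255.0.0"
MAX_ATTEMPTS = 10          # the client retries autoconfiguration for up to 10 addresses

# Constructed sample: addresses already claimed on the link, i.e. what the
# client's conflict test would report as taken.
IN_USE = {"169.254.10.20", "169.254.77.5"}


def is_apipa(addr):
    """True if addr lies in the 169.254.0.0/16 autoconfiguration block."""
    return ipaddress.IPv4Address(addr) in APIPA_NET


def pick_candidate(rng):
    """Pick a random host address inside 169.254.0.0/16.

    Assumption: the 169.254.0.x and 169.254.255.x ranges are skipped; the guide
    does not say how the client chooses, so this is the example's own rule."""
    return "169.254.%d.%d" % (rng.randint(1, 254), rng.randint(1, 254))


def conflicts(addr, in_use):
    """Stand-in for the client's address-conflict test (an ARP probe on a real host)."""
    return addr in in_use


def autoconfigure(dhcp_offer=None, in_use=IN_USE, seed=None, max_attempts=MAX_ATTEMPTS):
    """Model the Windows 2000 DHCP client's start-up decision.

    dhcp_offer is {"address": ..., "mask": ...} when a DHCP server answered, or
    None when none was found. Returns (address, subnet_mask, source) with source
    "dhcp", "apipa" or "failed"; seed makes the candidate choice repeatable."""
    if dhcp_offer is not None:                       # step 1: a server answered
        return dhcp_offer["address"], dhcp_offer["mask"], "dhcp"
    rng = random.Random(seed)
    for _ in range(max_attempts):                    # steps 2 and 3: pick and test
        candidate = pick_candidate(rng)
        if not conflicts(candidate, in_use):
            return candidate, APIPA_MASK, "apipa"    # step 4: configure the interface
    return None, None, "failed"


if __name__ == "__main__":
    print(autoconfigure({"address": "10.1.1.50", "mask": "255.255.255.0"}))
    print(autoconfigure(None, seed=1))
```

A client that ends up with a 169.254.x.y address is therefore a client that never heard from a DHCP server; that address, not a server error, is usually the first symptom an administrator sees.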
Installing and Configuring a DHCP Server
The DHCP Server service must be running to communicate with DHCP
clients. Setting up a DHCP server involves the following:
• Install the Microsoft DHCP Server service.
• Authorize the DHCP server.
• Configure a scope or pool of valid IP addresses before a DHCP
server can lease IP addresses to DHCP clients.
• Configure Global scope and client scope options for a particular
DHCP client.
You should manually configure the DHCP server computer to use a static
IP address. The DHCP server cannot be a DHCP client. It must have a
static IP address, subnet mask, and default gateway address.
Installing DHCP Server Services
1. Click Start, Settings, and Control Panel.
2. Double-click Add/Remove Programs, then click Add/Remove Windows
Components.
3. Click Networking Services.
4. Click Details.
5. Under Subcomponents of Networking Services, select Dynamic Host
Configuration Protocol (DHCP), click OK, then click Next.
6. Type the full path to the Windows 2000 distribution files and
click Continue. Required files will be copied to your hard disk.
7. Click Finish to close the Windows Components Wizard.
Authorizing a DHCP Server
An unauthorized DHCP server may either lease incorrect IP addresses
to clients or negatively acknowledge DHCP clients. Clients that
obtain a configuration lease from the unauthorized server can fail
to locate valid domain controllers, preventing clients from
successfully logging on to the network. For the directory
authorization process to work properly, it is necessary that the
first DHCP server introduced onto your network participate in the
Active Directory service. The server must be installed as either a
domain controller or a member server. The authorization process for
DHCP server computers in Active Directory depends on the installed
role of the server on your network: domain controller, member
server, or stand-alone server. If Active Directory is deployed, all
computers operating as DHCP servers must be either domain
controllers or domain member servers.
Authorizing a DHCP Server in Active Directory
You must log on to the network using an account that is a member of
the Enterprise Administrators group, which grants Full Control rights
to the NetServices container object stored in the Enterprise Root of
the Active Directory service.
1. Install the DHCP service on this computer (if necessary).
2. Click Start, Programs, Administrative Tools, then click DHCP.
3. On the Action menu, click Manage Authorized Servers.
4. Click Authorize.
5. When prompted, type the name or IP address of the DHCP server to
be authorized, then click OK.
Creating a DHCP Scope
A scope is a pool of valid IP addresses available for lease to DHCP
clients. It must be created before a DHCP server can lease an
address to DHCP clients. One scope for every DHCP server must be
created. Static IP addresses must be excluded from the scope. To
centralize administration and to assign IP addresses specific to a
subnet, create multiple scopes on a DHCP server. Only one scope can
be assigned to a specific subnet. Because DHCP servers do not share
scope information, you must ensure that the same IP addresses do not
exist in more than one scope to prevent duplicate IP addressing.
Creating a New Scope
1. Click Start, Programs, Administrative Tools, then click DHCP.
2. Click the applicable DHCP server.
3. On the Action menu, click New Scope.
4. Follow the instructions in the New Scope Wizard. After creating a
new scope, you need to activate the scope for use or for assigning
scope options.
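The rules in the scope section (one scope per subnet on a server, static addresses excluded, no address leasable from two scopes because servers do not share scope information) can be checked mechanically before a scope is activated. The Python below is an added example, not code from the guide or from Microsoft's DHCP console; the two servers, their scopes and the list of static hosts are constructed sample data.

```python
import ipaddress

# Constructed sample: two DHCP servers and the scopes defined on each, in the
# form the New Scope Wizard collects them (address range plus exclusion ranges).
SERVERS = {
    "dhcp-a": [
        {"subnet": "192.168.1.0/24", "start": "192.168.1.10", "end": "192.168.1.200",
         "exclusions": [("192.168.1.10", "192.168.1.20")]},
    ],
    "dhcp-b": [
        {"subnet": "192.168.2.0/24", "start": "192.168.2.10", "end": "192.168.2.200",
         "exclusions": []},
        # Overlaps dhcp-a's pool on 192.168.1.0/24: the two servers do not share
        # scope information, so both could lease 192.168.1.150-200.
        {"subnet": "192.168.1.0/24", "start": "192.168.1.150", "end": "192.168.1.250",
         "exclusions": []},
    ],
}

# Constructed sample: statically addressed hosts (router, DNS/WINS servers).
STATIC_HOSTS = ["192.168.1.1", "192.168.1.15", "192.168.2.5"]


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def leasable(scope):
    """Integer addresses the scope can actually lease: the range minus exclusions."""
    pool = set(range(_ip(scope["start"]), _ip(scope["end"]) + 1))
    for low, high in scope["exclusions"]:
        pool -= set(range(_ip(low), _ip(high) + 1))
    return pool


def validate(servers, static_hosts):
    """Return a list of problem descriptions; an empty list means the scopes obey
    the rules above (range inside its subnet, one scope per subnet on a server,
    static addresses excluded, no address leasable from two scopes)."""
    problems = []
    seen = set()
    pools = []
    for server, scopes in servers.items():
        for scope in scopes:
            net = ipaddress.IPv4Network(scope["subnet"])
            label = "%s scope %s" % (server, scope["subnet"])
            if not (ipaddress.IPv4Address(scope["start"]) in net
                    and ipaddress.IPv4Address(scope["end"]) in net):
                problems.append("%s: range lies outside the subnet" % label)
            if (server, scope["subnet"]) in seen:
                problems.append("%s: second scope for the same subnet" % label)
            seen.add((server, scope["subnet"]))
            pool = leasable(scope)
            for host in static_hosts:
                if _ip(host) in pool:
                    problems.append("%s: static address %s is not excluded" % (label, host))
            for other_label, other_pool in pools:
                shared = pool & other_pool
                if shared:
                    first = ipaddress.IPv4Address(min(shared))
                    problems.append("%s and %s can both lease %d addresses (from %s)"
                                    % (label, other_label, len(shared), first))
            pools.append((label, pool))
    return problems


if __name__ == "__main__":
    for line in validate(SERVERS, STATIC_HOSTS):
        print(line)
```

Run against the sample data it reports the single overlap between the two servers; removing dhcp-b's second scope makes the report empty, and adding a static host inside a pool without an exclusion produces the "not excluded" finding.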
Configuring DHCP for DNS Integration
A Windows 2000 DHCP server can register with a DNS server and update
pointer (PTR) and address (A) resource records (RRs) on behalf of
its DHCP-enabled clients using the Dynamic DNS update protocol. DHCP
option code (Option Code 81) enables the return of a client’s FQDN
to the DHCP server. The DHCP server can dynamically update DNS to
modify an individual computer’s RRs with a DNS server using the
dynamic update protocol.
Dynamic Updates for Clients That Do Not Support Dynamic DNS Update
1. Click Start, Programs, Administrative Tools, then click DNS.
2. Click the applicable zone.
3. On the Action menu, click Properties.
4. In the DNS Property tab, select Enable Updates For DNS Clients
That Do Not Support Dynamic Update.
5. Select Only Secure Updates If Your Zone Type Is Active
Directory-Integrated.
Troubleshooting DHCP Clients
Most DHCP-related problems start as a failed IP configuration at a
client. If the client is not the cause, check the system event log
and DHCP server audit logs. These logs contain the source of the
service failure or shutdown. Use the IPConfig TCP/IP utility to get
information about the configured TCP/IP parameters on local or
remote computers on the network.
DHCP Errors

Symptom: Invalid IP address configuration.
Solution: Possible network hardware failure or the DHCP server is
unavailable. Verify the client computer has a valid, functioning
network connection.

Symptom: Autoconfiguration problems on the current network.
Solution: Use the ping command to test connectivity. Manually renew the
client lease. If the client hardware appears to be functioning
properly, ping the DHCP server from another computer on the same
network. Release or renew the client's address lease.

Symptom: Missing configuration details.
Solution: The DHCP server is not configured to distribute options or
the client does not support the options distributed by the server.
Verify that the most commonly used and supported options have been
configured at either the server, scope, client, or class level of
option assignment. Check the DHCP option settings. Check to see if the
DHCP server is configured with an incorrect DHCP router option (Option
Code 3).

Symptom: The IP address of the DHCP server was changed.
Solution: Make sure that the DHCP server IP address falls in the same
network range as the scope it is servicing.

Symptom: DHCP clients unable to receive an address from the server.
Solution: A DHCP server can provide IP addresses to client computers
on remote multiple subnets only if the router that separates them can
act as a DHCP relay agent. Configure a BOOTP/DHCP relay agent on the
client subnet. The relay agent can be located on the router itself or
on a Windows 2000 Server computer running the DHCP Relay service
component.

Symptom: Multiple DHCP servers exist on the same LAN.
Solution: Do not configure multiple DHCP servers on the same LAN with
overlapping scopes. The DHCP service, when running under Small Business
Server, automatically stops when it detects another DHCP server on the
LAN.
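The symptom table above lends itself to a small triage routine: read the values IPConfig shows for an adapter and map them onto the table's entries. The Python below is an added example and not code from the guide; the sample client configurations, the expected-server list and the symptom codes are constructed for the example. It also adds one check the authorization section motivates, namely flagging a lease that came from a server other than the ones expected on the segment.

```python
import ipaddress

APIPA = ipaddress.IPv4Network("169.254.0.0/16")


def triage(cfg, expected_servers):
    """Map a client's IP configuration onto the symptom/solution entries above.

    cfg holds what IPConfig reports for the adapter: ip, mask, gateway and
    dhcp_server (the last two may be None). expected_servers is the set of DHCP
    server addresses that are supposed to serve this segment. Returns a list of
    (symptom_code, recommended_action); an empty list means nothing in the
    table applies."""
    findings = []
    ip = cfg.get("ip")
    if not ip or ip == "0.0.0.0":
        findings.append(("no_address",
                         "TCP/IP did not initialize: verify the network connection and "
                         "that a DHCP server or relay agent serves this segment, then renew"))
        return findings
    if ipaddress.IPv4Address(ip) in APIPA:
        findings.append(("apipa_fallback",
                         "no DHCP server answered: ping the server from another computer on "
                         "the same network; if the server is on another subnet, configure a "
                         "DHCP relay agent; then release and renew the lease"))
        return findings                      # remaining checks assume a leased address
    network = ipaddress.IPv4Interface("%s/%s" % (ip, cfg["mask"])).network
    gateway = cfg.get("gateway")
    if not gateway:
        findings.append(("missing_options",
                         "router option not distributed: check option settings at the "
                         "server, scope, client or class level"))
    elif ipaddress.IPv4Address(gateway) not in network:
        findings.append(("bad_router_option",
                         "default gateway lies outside the client's subnet: correct the "
                         "DHCP router option (Option Code 3) on the scope"))
    server = cfg.get("dhcp_server")
    if server and server not in expected_servers:
        findings.append(("unexpected_server",
                         "lease came from %s, which is not an expected server: look for an "
                         "unauthorized or overlapping DHCP server on the LAN" % server))
    return findings


def symptom_codes(cfg, expected_servers):
    return [code for code, _ in triage(cfg, expected_servers)]


# Constructed sample clients on 192.168.1.0/24, served by 192.168.1.2.
EXPECTED = {"192.168.1.2"}
SAMPLES = {
    "healthy": {"ip": "192.168.1.50", "mask": "255.255.255.0",
                "gateway": "192.168.1.1", "dhcp_server": "192.168.1.2"},
    "no_server": {"ip": "169.254.3.4", "mask": "255.255.0.0",
                  "gateway": None, "dhcp_server": None},
    "wrong_router": {"ip": "192.168.1.51", "mask": "255.255.255.0",
                     "gateway": "10.0.0.1", "dhcp_server": "192.168.1.2"},
    "rogue": {"ip": "192.168.1.52", "mask": "255.255.255.0",
              "gateway": "192.168.1.1", "dhcp_server": "192.168.1.99"},
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        print(name, triage(cfg, EXPECTED))
```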
Troubleshooting DHCP Servers
Make sure that the DHCP services are running by opening the DHCP
service console to view service status, or by opening Services and
Applications under Computer Management.
DHCP Relay Agent
A relay agent is a program that relays DHCP/BOOTP messages between
clients and servers on different subnets. For each IP network
segment that contains DHCP clients, either a DHCP server or a
computer acting as a DHCP relay agent is required.
Adding DHCP Relay Agent
1. Click Start, Programs, Administrative Tools, Routing And Remote
Access.
2. Click Server name\IP Routing\General.
3. Right-click General, then click New Routing Protocol.
4. In the Select Routing Protocol dialog box, click DHCP Relay
Agent, then click OK.
Remote Access in a Windows 2000 Network Infrastructure
Creating a Remote Access Policy (RAP)
RAPs are used to define who has remote access to the network and
what the characteristics of that connection will be. Conditions for
accepting or rejecting connections can be based on many different
criteria, such as day and time, group membership, and type of
service. Remote Access Policies are stored locally in the IAS.MDB
file. Policies are created manually on each server. Remote Access
Policies are applied to users in a mixed-mode domain. Control Access
Through Remote Access Policy is not available on mixed-mode domain
controllers. If the user’s permission is Allow Access, the user
still must meet the conditions set forth in a policy before being
allowed to connect.
Creating a New Remote Access Policy
1. Right-click Remote Access Policies using the Routing and Remote
Access Administration Tool, and select New Remote Access Policy.
2. Add a friendly name of “Allow Domain Users”, and then click
Next.
3. Click Add to add a condition.
4. Select Windows-Groups, then click Add.
5. Click Add, select Domain Users, and then click Add. Click OK.
6. Click OK to exit Groups.
7. Click Next, then select Grant Remote Access Permission.
8. Click Next, then click Finish.
Configuring a Remote Access Profile
The profile specifies what kind of access the user will be given if
the conditions match. There are six different tabs that can be used
to configure a profile. The tabs are Dial-in Constraints, IP,
Multilink, Authentication, Encryption, and Advanced.
Dial-In Constraints
Constraints are configured in the Edit Dial-In Profile dialog box,
on the Constraints tab. Possible settings include idle time
disconnect, maximum session time, day and time, phone number, and
media type.
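The evaluation order described in the two sections above (match a policy's conditions, apply the user's dial-in permission, then enforce the matching profile) is shown end to end in the Python below. It is an added example, not the guide's or Microsoft's code: the single "Allow Domain Users" policy, its Monday-to-Friday condition, the profile's media-type constraint and the sample connection attempts are constructed for the example.

```python
from datetime import datetime

WEEKDAYS = {0, 1, 2, 3, 4}          # Monday..Friday as datetime.weekday() numbers

# Constructed sample policies, in evaluation order. A policy matches when every
# condition it lists is met; the profile then limits what the connection may do.
POLICIES = [
    {"name": "Allow Domain Users",
     "conditions": {"windows_groups": ["Domain Users"],
                    "day_and_time": [(WEEKDAYS, 8, 18)]},   # (days, start hour, end hour)
     "permission": "grant",
     "profile": {"max_session_minutes": 120, "idle_minutes": 10,
                 "media_types": {"modem", "isdn"}}},
]


def conditions_match(policy, attempt):
    """All listed conditions must hold for the policy to apply."""
    cond = policy["conditions"]
    if "windows_groups" in cond and not set(cond["windows_groups"]) & set(attempt["groups"]):
        return False
    if "day_and_time" in cond:
        when = attempt["time"]
        if not any(when.weekday() in days and start <= when.hour < end
                   for days, start, end in cond["day_and_time"]):
            return False
    return True


def evaluate(policies, attempt):
    """Return ("accept", profile) or ("reject", reason).

    Order follows the guide: find the first policy whose conditions match, then
    apply the user's dial-in permission, then the matching policy's profile."""
    policy = next((p for p in policies if conditions_match(p, attempt)), None)
    if policy is None:
        return "reject", "no remote access policy matched the connection"
    permission = attempt["dialin_permission"]          # "allow", "deny" or "policy"
    if permission == "deny":
        return "reject", "user account is set to Deny Access"
    if permission == "policy" and policy["permission"] != "grant":
        return "reject", "policy '%s' denies access" % policy["name"]
    profile = policy["profile"]       # Allow Access still has to satisfy the profile
    if attempt["media_type"] not in profile["media_types"]:
        return "reject", "media type %s not allowed by profile" % attempt["media_type"]
    return "accept", profile


def make_attempt(groups, time, dialin_permission, media_type):
    return {"groups": groups, "time": time,
            "dialin_permission": dialin_permission, "media_type": media_type}


# Constructed sample connection attempts (5 March 2001 is a Monday).
SAMPLE_ATTEMPTS = {
    "weekday_user": make_attempt(["Domain Users"], datetime(2001, 3, 5, 10, 0), "policy", "modem"),
    "weekend_user": make_attempt(["Domain Users"], datetime(2001, 3, 10, 10, 0), "policy", "modem"),
    "denied_user": make_attempt(["Domain Users"], datetime(2001, 3, 5, 10, 0), "deny", "modem"),
    "allowed_wrong_media": make_attempt(["Domain Users"], datetime(2001, 3, 5, 10, 0), "allow", "vpn"),
    "not_in_group": make_attempt(["Guests"], datetime(2001, 3, 5, 10, 0), "allow", "modem"),
}

if __name__ == "__main__":
    for name, a in SAMPLE_ATTEMPTS.items():
        print(name, evaluate(POLICIES, a))
```

The "allowed_wrong_media" case is the one the text calls out: the account is set to Allow Access, a policy matches, and the connection is still rejected because the profile does not permit that media type.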
Enabling IP Routing
1. Right-click Properties from the Routing and Remote Access
Manager. Choose Enable This Computer As A Router, then click OK.
2. Click Yes at the warning.
Enabling and Configuring a Routing and Remote Access Server
1. Open the Routing and Remote Access Manager.
2. Right-click the machine name and choose Configure and Enable
Routing and Remote Access.
3. Click Next in the Routing And Remote Access Server Setup Wizard.
4. Select the Network Router radio button on the Common
Configurations page, then click Next.
5. On the Remote Client Protocols page, under Protocols, make sure
that TCP/IP is listed, verify that Yes, All The Required Protocols
are on This List is selected, then click Next.
6. On the Demand Dial Connections page, make sure that No is
specified from You Can Set Up Demand-Dial Routing Connections After
This Wizard Finishes, then click Next.
7. Click Finish.
Updating the Routing Tables
The routing table is a series of entries called routes that contain
information on where the network IDs of the internetwork are
located. The routing table is not exclusive to a router. Hosts
(non-routers) also have a routing table that is used to determine the
optimal route. There are three types of entries in the routing table:
network route, host route, and default route.
Implementing Demand-Dial Routing
A demand-dial interface is a router interface that will be brought
up on demand based on network traffic. The demand-dial link is only
initiated if the routing table shows that this interface is needed
to reach the IP destination address. Filters can be set to permit or
deny particular source or destination IP addresses, ports, or
protocols. Time-of-day restrictions can further control access.
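The two sections above fit together in one lookup: the routing table decides which interface a packet leaves on, and if that interface is demand-dial the link is brought up only when the packet is not stopped by the interface's filters. The Python below is an added example, not code from the guide or from Routing and Remote Access; the routing table, the "Branch" demand-dial interface and its NetBIOS dial-out filters are constructed sample data.

```python
import ipaddress

# Constructed routing table with one entry of each kind named above.
ROUTES = [
    {"destination": "10.0.0.0/8",    "gateway": "192.168.1.254", "interface": "LAN"},
    {"destination": "10.9.9.9/32",   "gateway": "192.168.1.253", "interface": "LAN"},
    {"destination": "172.16.0.0/16", "gateway": None,            "interface": "Branch"},
    {"destination": "0.0.0.0/0",     "gateway": "192.168.1.1",   "interface": "LAN"},
]

# Constructed: "Branch" is a demand-dial interface; its filters deny NetBIOS
# datagram traffic so that browser announcements alone never bring the link up.
DEMAND_DIAL = {"Branch"}
DIAL_OUT_FILTERS = {"Branch": [("deny", "udp", 137), ("deny", "udp", 138)]}


def route_kind(route):
    """Classify an entry as the guide does: network, host or default route."""
    prefixlen = ipaddress.IPv4Network(route["destination"]).prefixlen
    if prefixlen == 0:
        return "default"
    if prefixlen == 32:
        return "host"
    return "network"


def lookup(routes, dst):
    """Longest-prefix match: the most specific matching entry wins, so a host
    route beats a network route, which beats the default route."""
    addr = ipaddress.IPv4Address(dst)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.IPv4Network(route["destination"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def filtered(interface, protocol, dst_port):
    """True if a dial-out filter on the interface denies this traffic."""
    for action, proto, port in DIAL_OUT_FILTERS.get(interface, []):
        if action == "deny" and proto == protocol and port == dst_port:
            return True
    return False


def forward(routes, dst, protocol="tcp", dst_port=None):
    """Return (decision, route_kind, interface, link_brought_up)."""
    route = lookup(routes, dst)
    if route is None:
        return ("drop", None, None, False)
    iface = route["interface"]
    if iface in DEMAND_DIAL:
        if filtered(iface, protocol, dst_port):
            return ("drop", route_kind(route), iface, False)
        return ("forward", route_kind(route), iface, True)    # link is dialed on demand
    return ("forward", route_kind(route), iface, False)


if __name__ == "__main__":
    for dst in ("10.9.9.9", "10.1.2.3", "172.16.5.5", "198.51.100.7"):
        print(dst, forward(ROUTES, dst))
```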
Virtual Private Networks
A VPN is the ability to send data between two computers across an
internetwork in a manner that mimics the properties of a dedicated
private network. VPNs allow users working at home or on the road to
connect securely to a remote corporate server using the routing
infrastructure provided by a public internetwork such as the
Internet.
Routing and Remote Access for DHCP Integration
Routing and Remote Access uses DHCP to lease addresses in blocks of
10, and stores them in the registry. When a Routing and Remote Access
address pool is configured to use DHCP, no DHCP packets will go over
the wire to the Routing and Remote Access clients. The network
interface card (NIC) used to lease these DHCP addresses is
configurable in the user interface if two or more NICs are in the
server. The DHCP leases are released when Routing and Remote Access
is shut down.
DHCP Relay Agent
The Routing and Remote Access client will receive an IP address from
the Routing and Remote Access server, but may use DHCPINFORM packets
to obtain Windows Internet Name Service (WINS) and Domain Name
System (DNS) addresses, domain name, or other DHCP options.
DHCPINFORM messages are used to obtain option information without
getting an IP address.
Configuring a DHCP Relay Agent
1. Right-click General under IP Routing in the Routing and Remote
Access Manager.
2. Select New Routing Protocol.
3. Choose DHCP Relay Agent, then click OK.
4. Highlight DHCP Relay Agent, and then right-click Properties.
Configure the IP addresses of any DHCP server.
5. Click OK to close the dialog box.
6. Right-click the DHCP Relay Agent and choose New Interface.
7. Select Internal, then click OK.
8. Click OK to close the DHCP Relay Agent Internal Properties dialog
box.
Managing and Monitoring Remote Access
IAS can create log files based on the authentication and accounting
requests received from the NASs. These logs can be used to track
accounting information, such as logon and logoff records, and to
help maintain records for billing purposes. You can specify whether
new logs are started daily, weekly, monthly, or when the log reaches
a specific size. By default, the log files are located in the
%systemroot%\system32\LogFiles folder.
Network Protocols in a Windows 2000 Network Infrastructure
Installing and Configuring TCP/IP
TCP/IP is installed as the default network protocol if a network
adapter is detected when you run Windows 2000 Setup.
Installing TCP/IP
1. Click Start, Settings, Network and Dial-Up Connections.
2. Right-click Local Area Connection and then click Properties.
3. Click Install.
4. Click Protocol and then click Add.
5. Click Internet Protocol (TCP/IP), and then click OK.
6. Click Close.
Configuring TCP/IP
TCP/IP network addressing schemes can include either public or
private addresses.
Devices connected directly to the Internet require a public IP
address. InterNIC assigns public
addresses to Internet Service Providers (ISPs). ISPs assign IP
addresses to organizations when network connectivity is purchased.
IP addresses assigned this way are guaranteed to be unique and are
programmed into Internet routers in order for traffic to reach the
destination host. By configuring private addresses on all the
computers on your private network (or Intranet) you can shield your
internal addresses from the rest of the Internet. Private addresses
are not reachable on the Internet because they are separate from
public addresses, and they do not overlap. You can assign IP
addresses in Windows 2000 dynamically using Dynamic Host
Configuration Protocol (DHCP), address assignment using Automatic
Private IP Addressing or configuring TCP/IP manually.
Dynamic Configuration
Windows 2000 computers will attempt to obtain the TCP/IP
configuration from a DHCP server on your network by default. If a
static TCP/IP configuration is currently implemented on a computer,
you can implement a dynamic TCP/IP configuration.
1. Click Start, Settings, Network And Dial-Up Connections.
2. Right-click the Local Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then
click Properties.
4. Click Obtain An IP Address Automatically, and then click OK.
Manual Configuration
Some servers, such as DHCP, DNS, and WINS servers should be assigned
an IP address manually. If you do not have a DHCP server on your
network, you must configure TCP/IP computers manually to use a
static IP address.
Configuring TCP/IP to use Static Addressing
1. Click Start, Settings, Network and Dial-Up Connections.
2. Right-click Local Area Connection, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then
click Properties.
4. Select Use the Following IP Address.
5. Type in an IP, subnet mask, and default gateway address. If your
network has a DNS server, you can set up your computer to use DNS.
Automatic Private IP Address Assignment
Automatic Private IP Addressing automates the process of assigning
an unused IP address when DHCP is not available. The Automatic
Private IP Addressing address is selected from the Microsoft
reserved address block 169.254.0.0, with the subnet mask
255.255.0.0. The assigned IP address is used until a DHCP server is
located.
Testing TCP/IP with IPConfig and Ping
You can perform basic TCP/IP configuration and connectivity testing
using IPConfig and ping utilities. IPConfig verifies the TCP/IP
configuration parameters on a host, including the IP address, subnet
mask, and default gateway. This can determine whether the
configuration is initialized, or if a duplicate IP address is
configured. The ping utility diagnostic tool tests TCP/IP
configurations and diagnoses connection failures.
Ping uses the Internet Control Message Protocol (ICMP) Echo Request
and Echo Reply messages to determine
whether a particular TCP/IP host is available and functional.
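What ping actually puts on the wire is small enough to build by hand. The Python below constructs an ICMP Echo Request, produces the Echo Reply a target host would send, and performs the checks ping makes (checksum, matching identifier and sequence number, unchanged data) before it reports a reply. It is an added example, not code from the guide or from the Windows ping utility, and it works on byte strings only, without opening a raw socket; the identifier, sequence number and 32-byte payload are constructed sample values.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Constructed sample payload: 32 data bytes, the size Windows ping sends by default.
PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def checksum(data):
    """Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(kind, ident, seq, payload=PAYLOAD):
    """ICMP header (type, code, checksum, identifier, sequence) plus data."""
    header = struct.pack("!BBHHH", kind, 0, 0, ident, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", kind, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Validate the checksum and split a packet into its fields."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP packet")
    if checksum(packet) != 0:          # the checksum computed over a valid packet is zero
        raise ValueError("bad ICMP checksum")
    kind, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": kind, "code": code, "id": ident, "seq": seq, "payload": packet[8:]}


def answer(request):
    """What the target host does: echo the identifier, sequence and data back."""
    fields = parse_icmp(request)
    if fields["type"] != ECHO_REQUEST:
        return None
    return build_echo(ECHO_REPLY, fields["id"], fields["seq"], fields["payload"])


def reply_matches(request, reply):
    """What ping checks before printing 'Reply from ...': same id, seq and data."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (rep["type"] == ECHO_REPLY and rep["id"] == req["id"]
            and rep["seq"] == req["seq"] and rep["payload"] == req["payload"])


if __name__ == "__main__":
    request = build_echo(ECHO_REQUEST, ident=0x0200, seq=1)
    reply = answer(request)
    print(parse_icmp(request))
    print(reply_matches(request, reply))
```

A "Request timed out" from ping therefore means no packet passing these checks came back within the wait time; it says nothing about why, which is why the guide pairs ping with IPConfig and with pinging the same host from a second computer.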
Configuring TCP/IP packet filters
IP packet filtering can be used to trigger security negotiations for
a communication based on the source, destination, and type of IP
traffic. You can define which specific IP and IPX traffic triggers
will be secured, blocked, or allowed to pass through unfiltered.
IP packets can be filtered on the TCP port number, the UDP port
number, and the IP protocol number.
NWLink and Windows 2000
NWLink must be installed if you want to use Gateway Service for
NetWare or Client Services for NetWare to connect to NetWare
servers. Use Client Services for NetWare or Novell Client for
Windows 2000 to log on to a NetWare network from a Windows 2000
Professional-based computer.
Configuring Client Services for NetWare
When you install Client Services for NetWare on a Windows 2000
Professional, the NWLink IPX/SPX/NetBIOS Compatible Transport
Protocol is automatically installed.
To install Client Services for NetWare, you need Administrator rights
to the computer running Windows 2000 Professional. Microsoft Unattended
Setup Mode can be used for large deployments of Windows 2000
Professional and Client Services for NetWare.
Installing Client Services for NetWare
1. Click Start, Settings, Network and Dial-Up Connections.
2. Right-click the Local Area Connection, then click Properties.
3. In the General tab, click Install.
4. In the Select Network Component Type dialog box, click Client,
then click Add.
5. In the Select Network Client dialog box, click Client Services
for NetWare, then click OK.
Installing NWLink
1. Click Start, Settings, Network And Dial-Up Connections.
2. Right-click a Local Area Connection, then click Properties.
3. In the General tab, click Install.
4. In the Select Network Component Type dialog box, click Protocol,
then click Add.
5. In the Select Network Protocol dialog box, click NWLink IPX/SPX/NetBIOS
Compatible Transport Protocol, then click OK.
Configuring NWLink
You must first install the NWLink IPX/SPX/NetBIOS Compatible
Transport Protocol and be a member of the Administrators group.
1. Click Start, Settings, Network And Dial-Up Connections.
2. Right-click a Local Area Connection, then click Properties.
3. In the General tab, click NWLink IPX/SPX/NetBIOS Compatible
Transport Protocol, then click Properties.
4. In the General tab, type a value for Internal Network Number or
leave this setting at the default value of 00000000.
5. If you want Windows 2000 to automatically select the frame type,
click Auto Frame Type Detection, and then click OK. Skip Steps 6
through 9.
6. To manually set the frame type, click Manual Frame Type
Detection.
7. Click Add.
8. In the Manual Frame Detection dialog box, in Frame Type, click a
frame type.
9. In Network Number, type a network number, then click Add, then
click OK.
Configuring and Troubleshooting Network Protocol Security
Configuring and Troubleshooting IPSec
IPSec protects IP packets, and provides a defense against network
attacks through the use of cryptography-based protection services,
security protocols, and dynamic key management. IPSec can be used to
filter data packets on a network.
Implementing IPSec
You can view the default IP Security policies in the Group Policy
snap-in to MMC.
The policies are listed under IP Security Policies on Active
Directory: Group Policy Object\Computer
Configuration\Windows Settings\Security Settings\IP Security
Policies on Active Directory. You can also view IPSec policies by
using the IP Security Policy Management snap-in to MMC. Each IPSec
policy is governed by rules that determine when and how the policy
is applied. Right-click a policy and select Properties.
The Rules tab lists the policy rules. Rules can be further subdivided
into filter lists, filter actions,
and additional properties. The default snap-in is started from the
Administrative Tools menu; this allows configuration of the local
computer only. To centrally manage policy for multiple computers,
add the IP Security Management snap-in to an MMC.
Configuring IPSec Policies
There are three predefined policy entries: Client (Respond Only),
Secure Server (Require Security), and Server (Request Security). By
default, none of these policies are enabled.
Respond Only
The Client (Respond Only) policy allows communications in plain text
but will respond to IPSec requests and attempt to negotiate
security. It uses Kerberos V5 for authentication.
Request Security
The Server (Request Security) policy causes the server to attempt to
initiate secure communications for every session. If a client who is
not IPSec-aware initiates a session, it will be allowed.
Require Security
The Secure Server (Require Security) policy requires Kerberos trust
for all IP packets sent from the computer, with the exception of
broadcast, multicast, Resource Reservation Setup Protocol (RSVP),
and ISAKMP packets. This policy does not allow unsecured
communications with clients. Any clients who connect to a server
must be IPSec-aware.
Authentication Methods
Windows 2000 supports three authentication methods:
• Kerberos.
The Kerberos V5 security protocol is the default authentication
technology. The Kerberos protocol issues tickets, or virtual
proof-of-identity cards, when a computer logs on to a trusted domain.
This method can
be used for any clients running the Kerberos V5 protocol (whether or
not they are Windows-based clients) who are members of a trusted
domain.
• Certificates.
This requires that at least one trusted certificate authority (CA)
has been configured. Windows 2000 supports X.509 Version 3
certificates, including CA certificates generated by commercial
certifying authorities. A rule may specify multiple authentication
methods. This ensures that a common method can be found when
negotiating with a peer.
• Preshared Key.
This is a shared key that is secret and is previously agreed on by
two users. It is quick to use and does not require the client to run
the Kerberos protocol or have a public key certificate. Both parties
must manually configure IPSec to use this preshared key. This is a
simple method for authenticating non-Windows-based hosts and
stand-alone hosts.
IPSec Policies and Rules
An IPSec policy is a collection of rules and key exchange settings.
The policy may be assigned as a domain security policy or an
individual computer’s security policy. A domain computer will
automatically inherit the IPSec policy assigned to the domain
security policy when it logs on to the domain. If a computer is not
connected to a domain, IPSec policies are stored in and retrieved
from the computer registry. One security policy can be created for
all users on the same network or all users in a particular
department. IPSec policies are created with the IPSec Management
snap-in for a Windows 2000 member server.
Rules
Rules govern how and when IPSec is used. A rule contains a list of
IP filters and specifies the security actions that will take place
when a filter match occurs. A rule is a collection of IP filters,
negotiation policies, IP tunneling attributes, adapter types and
authentication methods. Each policy may contain multiple rules.
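The pieces named across the preceding sections (filter lists, filter actions, the three predefined policies and their exemptions, and rules that list several authentication methods so a common one can be found) can be put together in one small policy evaluator. The Python below is an added example, not the guide's or Microsoft's code, and it also illustrates the plain TCP/UDP port filtering described under "Configuring TCP/IP packet filters". The simplified models of the three predefined policies, the custom policy, the sample packets and the method names used for the peer are all the example's own constructions.

```python
import ipaddress

ISAKMP_PORT = 500
BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def exempt(pkt):
    """Traffic the Secure Server policy never secures (see above): broadcast,
    multicast, RSVP and ISAKMP (the key-exchange traffic IPSec itself needs)."""
    dst = ipaddress.IPv4Address(pkt["dst"])
    if dst == BROADCAST or dst.is_multicast:
        return True
    if pkt["protocol"] == "rsvp":
        return True
    return pkt["protocol"] == "udp" and pkt.get("dst_port") == ISAKMP_PORT


def filter_matches(flt, pkt):
    """A filter names source/destination networks, an IP protocol and a port;
    an omitted field matches anything."""
    for key in ("src", "dst"):
        if key in flt and ipaddress.IPv4Address(pkt[key]) not in ipaddress.IPv4Network(flt[key]):
            return False
    if "protocol" in flt and flt["protocol"] != pkt["protocol"]:
        return False
    if "dst_port" in flt and flt["dst_port"] != pkt.get("dst_port"):
        return False
    return True


def apply_policy(policy, pkt, peer_ipsec_aware, peer_auth_methods=()):
    """Walk the policy's rules in order; the first rule whose filter list matches
    decides. Returns "permit", "block" or "secured:<method>"."""
    if exempt(pkt):
        return "permit"
    for rule in policy["rules"]:
        if not any(filter_matches(f, pkt) for f in rule["filters"]):
            continue
        if rule["action"] in ("permit", "block"):
            return rule["action"]
        # action == "negotiate": find an authentication method both sides support
        common = [m for m in rule["auth_methods"] if m in peer_auth_methods]
        if peer_ipsec_aware and common:
            return "secured:" + common[0]
        return "permit" if rule["fallback_to_clear"] else "block"
    return policy["default"]


ALL_IP = [{}]               # a filter with no fields: matches all IP traffic

# Simplified models of the three predefined policies described above.
CLIENT_RESPOND_ONLY = {"rules": [], "default": "permit"}
SERVER_REQUEST_SECURITY = {"rules": [
    {"filters": ALL_IP, "action": "negotiate", "auth_methods": ["kerberos"],
     "fallback_to_clear": True}], "default": "permit"}
SECURE_SERVER_REQUIRE_SECURITY = {"rules": [
    {"filters": ALL_IP, "action": "negotiate", "auth_methods": ["kerberos"],
     "fallback_to_clear": False}], "default": "block"}

# Constructed custom policy: plain packet filtering on ports plus a negotiate
# rule listing several authentication methods for non-domain peers.
CUSTOM = {"rules": [
    {"filters": [{"protocol": "tcp", "dst_port": 23}], "action": "block"},
    {"filters": [{"protocol": "tcp", "dst_port": 80}], "action": "permit"},
    {"filters": ALL_IP, "action": "negotiate",
     "auth_methods": ["kerberos", "certificate", "preshared_key"],
     "fallback_to_clear": False}], "default": "block"}


def pkt(dst, protocol, dst_port=None, src="192.168.1.50"):
    """Constructed packet summary: just the fields the filters look at."""
    return {"src": src, "dst": dst, "protocol": protocol, "dst_port": dst_port}


if __name__ == "__main__":
    smb = pkt("192.168.1.10", "tcp", 445)
    print(apply_policy(SECURE_SERVER_REQUIRE_SECURITY, smb, False))
    print(apply_policy(SERVER_REQUEST_SECURITY, smb, False))
    print(apply_policy(CUSTOM, smb, True, ["preshared_key"]))
```

The difference between the two server policies shows up in the first two printed lines: with Request Security a peer that is not IPSec-aware is allowed through in the clear, with Require Security the same peer is blocked.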
Monitoring and Troubleshooting Tools
IP Security Monitor (IPSECMON.EXE) monitors IP SAs, rekeys,
negotiation errors, and other IP Security statistics.
Using Network Monitor
Network Monitor captures all information transferred over a network
interface at any given time. Network Monitor version 2.0 contains
parsers for IPSec packets. If IPSec is encrypting the packets, then
the contents will not be visible, but the packet itself will. If
only authentication is being used, the entire packet, including its
contents, will be visible.
WINS in a Windows 2000 Network Infrastructure
Resolving NetBIOS Names with WINS
When a client needs to contact another host on the network, it first
contacts the WINS server to resolve the IP address using mapping
information from the database of the server. The relational database
engine of the WINS server accesses an indexed sequential access
method (ISAM) database. The ISAM database is a replicated database
that contains NetBIOS computer names and IP address mappings. For a
WINS client to log on to the network, it must register its computer
name and IP address with the WINS server. This creates an entry in
the WINS database for every NetBIOS service running on the client.
Because these entries are updated each time a WINS-enabled client
logs on to the network, information stored in the WINS server
database remains accurate.
Installing WINS
1. In Control Panel, double-click Add/Remove Programs.
2. Click Add/Remove Windows Components.
3. Under Components, click Networking Services, then click Details.
4. Select the Windows Internet Name Service (WINS) check box, click
OK, then click Next.
Using Static Mappings
Mapped name-to-address entries can be added to WINS in either of two
ways: dynamically or manually. Dynamically, WINS-enabled clients
directly contact a WINS server to register, release, or renew their
NetBIOS names in the server database.
Manually, an administrator uses the WINS console or command-line tools
to add or delete statically mapped entries in the server database.
Troubleshooting WINS
Initially, verify that the appropriate services are running on either
the WINS server or the WINS client. Failed name resolution is the most
common WINS client problem. When name resolution fails at a client,
verify that the client computer is able to use WINS and is correctly
configured. If the WINS server does not respond to a direct ping, check
network connectivity between the client and the WINS server. The
inability to resolve names for clients is the most common WINS server
problem. When a server fails to resolve a name for its clients, the
failure is most often discovered either through “Name not found” error
messages at the clients or because the server sends a positive response
whose information is incorrect. Use Event Viewer or the WINS management
console to see if WINS is currently running.
If WINS is running on the server, search for the name previously
requested by the client to see if it is in the WINS server database. If
the WINS server is failing or registering database corruption errors,
use WINS database recovery techniques to restore WINS operations. You
can back up the WINS database by using the WINS administrative console.
To do this, specify a backup directory for the database, and then WINS
will execute database backups. By default, backups are performed every
three hours. To restore a local server database, replicate data back
from a replication partner.
If the corruption is limited to a certain number of records, you can
repair them by forcing replication of uncorrupted WINS records. This
will remove the affected records from other WINS servers. If changes
are replicated among WINS servers quickly, restore a local WINS server
database by using a replication partner.
Configuring WINS Replication
Replicating databases enables a WINS server to resolve NetBIOS names
of hosts registered with another WINS server. To replicate database
entries, each WINS server must be configured as either a pull or a
push partner with at least one other WINS server. A push partner is
a WINS server that sends a message to its pull partners notifying
them when its WINS database has changed. When a WINS server’s pull
partners respond to the message with a replication request, the WINS
server sends a copy of its new database entries (replicas) to its
pull partners. A pull partner is a WINS server that requests new
database entries (replicas) from its push partners. This is done by
requesting entries with a higher version number than the last
entries it received during the last replication. Database
replication requires that you configure at least one push partner
and one pull partner. The four methods of starting the replication
of the WINS database are:
1. At system startup. Once a replication partner is configured, by
default, WINS automatically pulls database entries each time WINS is
started. The WINS server can also be configured to push on system
startup.
2. At a configured interval, such as every eight hours.
3. When a WINS server has reached a configured threshold for the number
of registrations and changes to the WINS database.
4. By forcing replication in the WINS administrative console.
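The following Python model is added to this guide and is not code from Windows or any Microsoft tool. It ties together the registration described under Resolving NetBIOS Names with WINS and the version-number rule that pull partners use above: every registration or refresh receives a higher version ID on the server that owns it, and a pull partner asks its push partner only for records whose version ID is above the last one it received. Server names, NetBIOS names and addresses are constructed, and the real replication protocol is not reproduced.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Record:
    """One WINS database entry: one per NetBIOS service a client registers."""
    name: str      # NetBIOS name padded to 15 characters
    suffix: int    # 16th byte identifies the service: 0x00 workstation, 0x20 server
    ip: str
    owner: str     # WINS server the client registered with
    version: int   # owner-assigned version ID, increases with every change


class WinsServer:
    def __init__(self, name: str) -> None:
        self.name = name
        self.next_version = 1
        self.db: Dict[Tuple[str, int], Record] = {}
        # highest version ID already received from each push partner
        self.last_pulled: Dict[str, int] = {}

    def register(self, netbios_name: str, suffix: int, ip: str) -> Record:
        """Client registration (or refresh at logon): a new version ID is assigned."""
        rec = Record(netbios_name.upper().ljust(15), suffix, ip, self.name, self.next_version)
        self.next_version += 1
        self.db[(rec.name, rec.suffix)] = rec
        return rec

    def records_newer_than(self, version: int) -> List[Record]:
        """Push-partner side: the records this server owns with a higher version ID."""
        newer = [r for r in self.db.values() if r.owner == self.name and r.version > version]
        return sorted(newer, key=lambda r: r.version)

    def pull_from(self, partner: WinsServer) -> int:
        """Pull-partner side: ask only for what is newer than the last replication."""
        since = self.last_pulled.get(partner.name, 0)
        replicas = partner.records_newer_than(since)
        for r in replicas:
            self.db[(r.name, r.suffix)] = r
            self.last_pulled[partner.name] = r.version
        return len(replicas)

    def resolve(self, netbios_name: str, suffix: int = 0x00) -> Optional[str]:
        """Name query against this server's database (local entries and replicas)."""
        rec = self.db.get((netbios_name.upper().ljust(15), suffix))
        return rec.ip if rec else None


def demo() -> Dict[str, object]:
    """Constructed scenario: WINS-B pulls from WINS-A three times."""
    a, b = WinsServer("WINS-A"), WinsServer("WINS-B")
    a.register("PC1", 0x00, "10.0.0.10")      # version 1
    a.register("PC1", 0x20, "10.0.0.10")      # version 2 (server service)
    first = b.pull_from(a)                    # both records, nothing pulled before
    a.register("PC2", 0x00, "10.0.0.11")      # version 3
    second = b.pull_from(a)                   # only PC2 is newer than version 2
    a.register("PC1", 0x00, "10.0.0.12")      # PC1 refreshes with a new IP, version 4
    third = b.pull_from(a)                    # only the refreshed PC1 record
    return {
        "pulled": (first, second, third),
        "pc2_via_b": b.resolve("PC2"),
        "pc1_server_via_b": b.resolve("PC1", 0x20),
        "pc1_via_b": b.resolve("PC1"),
    }
```

Because the pull partner remembers the last version ID per push partner, a refresh that changes a client's address travels to the partner on the next pull without resending the whole database, which is the reason the text describes replication in terms of version numbers.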
WINS Automatic Replication Partners
The WINS server can be configured to automatically find other WINS
servers on the network by multicasting to the IP address 224.0.1.24,
if your network supports multicasting.
This multicasting occurs by default every 40 minutes. Any WINS servers
found on the network are automatically configured as push and pull
replication partners, with pull replication set to occur every two
hours. If network routers do not support multicasting, the WINS server
will find only other WINS servers on its subnet.
Automatic WINS server partnerships are turned off by default. To
manually disable this feature, use the Registry Editor to set
UseSelfFndPnrs to 0 and McastIntvl to a large value.
Backing Up the WINS Database
The WINS console provides backup tools so that you can back up and
restore the WINS database. When WINS backs up the server database,
it creates a \Wins_bak\New folder under the backup folder you have
specified as the Default backup path in Server Properties. By
default, the backup path is the root folder on your system
partition. After you specify a backup folder for the database, WINS
performs complete database backups every three hours using the
specified folder. WINS can also be configured to back up the
database automatically when the service is stopped or the server
computer is shut down.
IP Routing in a Windows 2000 Network Infrastructure
Overview of Routing
Each packet sent over a LAN has a packet header that contains source
and destination address fields. Routers match packet headers to a
LAN segment and choose the best path for the packet, optimizing
network performance. A routing table contains entries with the IP
addresses of router interfaces to other networks that it can
communicate with. A routing table is a series of entries, called routes,
that contain information on where the network IDs of the
internetwork are located.
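As an added example, not from this guide or from Windows, the Python routine below parses a constructed routing table laid out in the columns route print shows (network destination, netmask, gateway, interface, metric) and performs the lookup a router does for each destination: the most specific matching route wins, and the lowest metric breaks ties between routes of equal length.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


# Constructed table for a dual-homed router: one interface on 192.168.1.0/24
# (with the default route) and one on 10.1.1.0/24 leading into a private 10/8.
ROUTE_TABLE = """
0.0.0.0       0.0.0.0         192.168.1.1   192.168.1.10  1
10.0.0.0      255.0.0.0       10.1.1.1      10.1.1.1      1
10.1.1.0      255.255.255.0   10.1.1.1      10.1.1.1      1
10.5.0.0      255.255.0.0     10.1.1.254    10.1.1.1      2
127.0.0.0     255.0.0.0       127.0.0.1     127.0.0.1     1
192.168.1.0   255.255.255.0   192.168.1.10  192.168.1.10  1
"""


def parse_table(text: str) -> List[Route]:
    """Turn the five-column text into Route entries; netmask form is accepted by ipaddress."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gateway, iface, metric = line.split()
        routes.append(Route(ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, iface, int(metric)))
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix match; among equal-length prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None                      # no route, not even a default: packet is dropped
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hops(destinations: List[str]) -> Dict[str, Optional[str]]:
    """Gateway chosen for each destination, using the constructed table."""
    routes = parse_table(ROUTE_TABLE)
    result: Dict[str, Optional[str]] = {}
    for d in destinations:
        r = lookup(routes, d)
        result[d] = r.gateway if r else None
    return result
```

The table deliberately contains overlapping entries (10.0.0.0/8, 10.1.1.0/24 and 10.5.0.0/16) so that the lookup shows why the order of entries in the table does not matter: a destination in 10.5.0.0/16 goes to 10.1.1.254 even though the /8 route also matches.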
Routing Protocols
Dynamic routing is a function of routing protocols, such as the
Routing Information Protocol (RIP) and Open Shortest Path First (OSPF).
Routing protocols periodically exchange routes to known networks
among dynamic routers. If a route changes, other routers are
automatically informed of the change. You must have multiple network
adapters (one per network) on a Windows 2000 Server or Windows 2000
Advanced Server. In addition, you must install and configure Routing
and Remote Access because dynamic routing protocols are not
installed by default when you install Windows 2000.
Routing Information Protocol (RIP)
RIP is a distance-vector routing protocol provided for
backwards-compatibility with existing RIP networks. RIP allows a
router to exchange routing information with other RIP routers to
make them aware of any change in the internetwork layout. RIP
broadcasts the information to neighboring routers, and sends
periodic RIP broadcast packets containing all routing information
known to the router. These broadcasts keep all internetwork routers
synchronized.
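The distance-vector exchange described above, as an added Python simulation rather than Windows routing code: each router broadcasts its whole table, each neighbor adds one hop and keeps the lower cost, and the 16-hop count that RIP treats as unreachable is shown on a constructed chain of 16 routers. Router and network names are constructed.

```python
from typing import Dict, List, Tuple

INFINITY = 16   # RIP hop count that means "unreachable"


class RipRouter:
    def __init__(self, name: str, connected: List[str]) -> None:
        self.name = name
        self.neighbors: List["RipRouter"] = []
        # network -> (hop count, next hop); directly attached networks cost one hop
        self.table: Dict[str, Tuple[int, str]] = {net: (1, "direct") for net in connected}

    def advertise(self) -> Dict[str, int]:
        """Periodic broadcast: every route the router knows (plain RIP, no split horizon)."""
        return {net: metric for net, (metric, _) in self.table.items()}

    def receive(self, sender: "RipRouter", advert: Dict[str, int]) -> bool:
        """Distance-vector update: cost via the sender is its advertised cost plus one hop."""
        changed = False
        for net, metric in advert.items():
            via_sender = min(metric + 1, INFINITY)
            current, next_hop = self.table.get(net, (INFINITY, None))
            better = via_sender < current
            from_current_hop = next_hop == sender.name and via_sender != current
            if better or from_current_hop:
                if via_sender >= INFINITY:
                    del self.table[net]          # the current next hop lost the route
                else:
                    self.table[net] = (via_sender, sender.name)
                changed = True
        return changed


def link(a: RipRouter, b: RipRouter) -> None:
    a.neighbors.append(b)
    b.neighbors.append(a)


def converge(routers: List[RipRouter], max_rounds: int = 50) -> int:
    """Run broadcast rounds until no table changes; returns the rounds used."""
    for round_no in range(1, max_rounds + 1):
        adverts = {r.name: r.advertise() for r in routers}   # everyone broadcasts at once
        changed = False
        for r in routers:
            for n in r.neighbors:
                changed = r.receive(n, adverts[n.name]) or changed
        if not changed:
            return round_no
    return max_rounds


def chain(n: int) -> List[RipRouter]:
    """Constructed topology R1 - R2 - ... - Rn: each router has a stub network plus its links."""
    routers = []
    for i in range(1, n + 1):
        nets = [f"stub{i}"]
        if i > 1:
            nets.append(f"link{i - 1}")
        if i < n:
            nets.append(f"link{i}")
        routers.append(RipRouter(f"R{i}", nets))
    for i in range(n - 1):
        link(routers[i], routers[i + 1])
    return routers


def demo() -> Dict[str, object]:
    small = chain(3)
    rounds = converge(small)
    big = chain(16)
    converge(big)
    r1 = big[0].table
    return {
        "rounds": rounds,                          # 3 routers settle in three rounds
        "r1_to_stub3": small[0].table["stub3"],    # three hops away via R2
        "stub16_reachable": "stub16" in r1,        # 16 hops: beyond RIP's limit
        "link15_metric": r1["link15"][0],          # 15 hops: still installed
    }
```

The 16-router chain is the practical point of the hop limit: a network 16 hops away is never installed, so RIP cannot route across an internetwork wider than 15 hops, which is one reason the text presents RIP as a backwards-compatibility protocol.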
Open Shortest Path First (OSPF)
OSPF is a link-state routing protocol that enables routers to
exchange routing information and create a map of the network that
calculates the best possible path to each network. Upon receiving
changes to the link state database, the routing table is
recalculated.
As the size of the link state database increases, memory requirements
and route computation times increase. OSPF divides the internetwork
into collections of contiguous networks called areas. Areas are
connected to each other through a backbone area. A backbone router in
OSPF is a router that is connected to the backbone area. Backbone
routers include routers that are connected to more than one area.
Backbone routers do not have to be area border routers. Routers that
have all networks connected to the backbone are internal routers. Each
router only keeps a link state database for those areas that are
connected to the router. Area Border Routers (ABRs) connect the backbone
area to other areas.
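The link-state calculation, as an added Python example that is not OSPF's protocol code: each router's links are placed in a shared link state database, Dijkstra's algorithm builds the shortest-path tree from one router, and the tree is recalculated when a link disappears from the database, as the text describes. Router names and link costs are constructed.

```python
import heapq
from typing import Dict, Optional, Tuple

LinkStateDb = Dict[str, Dict[str, int]]   # router -> {neighbor: link cost}


def add_link(lsdb: LinkStateDb, a: str, b: str, cost: int) -> None:
    """Both ends advertise the link, as each router's LSA would after flooding."""
    lsdb.setdefault(a, {})[b] = cost
    lsdb.setdefault(b, {})[a] = cost


def remove_link(lsdb: LinkStateDb, a: str, b: str) -> None:
    """A link-state change: the link is withdrawn from both routers' entries."""
    lsdb[a].pop(b, None)
    lsdb[b].pop(a, None)


def shortest_path_tree(lsdb: LinkStateDb, root: str) -> Dict[str, Tuple[int, str]]:
    """Dijkstra from root over the LSDB; returns {router: (total cost, first hop)}."""
    dist: Dict[str, float] = {root: 0}
    first_hop: Dict[str, Optional[str]] = {root: None}
    heap = [(0, root)]
    done = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, cost in lsdb.get(u, {}).items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                # the first hop toward v is v itself if we are the root, else inherited
                first_hop[v] = v if u == root else first_hop[u]
                heapq.heappush(heap, (nd, v))
    return {n: (dist[n], first_hop[n]) for n in dist if n != root}


def demo() -> Dict[str, Dict[str, Tuple[int, str]]]:
    lsdb: LinkStateDb = {}
    add_link(lsdb, "A", "B", 10)
    add_link(lsdb, "A", "C", 1)
    add_link(lsdb, "C", "B", 1)
    add_link(lsdb, "B", "D", 5)
    add_link(lsdb, "C", "D", 20)
    before = shortest_path_tree(lsdb, "A")   # A reaches B and D through C
    remove_link(lsdb, "C", "B")              # link-state update: C-B is down
    after = shortest_path_tree(lsdb, "A")    # routing table recalculated
    return {"before": before, "after": after}
```

Unlike the RIP exchange, no router here trusts a neighbor's summary: each one runs the same calculation over the same database, which is why all routers in an area agree on paths as soon as the database is consistent.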
Installing, Configuring, and Troubleshooting Network Address Translation
Network Address Translation (NAT)
NAT enables private IP addresses to be translated into public IP
addresses for traffic to and from the Internet. It allows computers
on a network to share a single Internet connection with only a
single public IP address. The computer on which NAT is installed can
act as a network address translator, a simplified DHCP server, a
Domain Name System (DNS) proxy, and a Windows Internet Name Service
(WINS) proxy.
NAT allows host computers to share one or more publicly registered IP
addresses, helping to conserve public address space.
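An added Python model of the translation table a NAT keeps so that many private hosts can share one public address; it is not the code of the Windows 2000 NAT component, and all addresses are constructed from documentation ranges. It also shows the side effect defenders rely on: an inbound packet that does not answer an existing outbound flow has no entry to translate to and is dropped.

```python
from typing import Dict, Optional, Tuple

Flow = Tuple[str, str, int, str, int]   # proto, private ip, private port, remote ip, remote port


class PortOverloadNat:
    """Translation table for many private hosts behind one public address."""

    def __init__(self, public_ip: str, first_port: int = 1025) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map: Dict[Flow, int] = {}                 # flow -> public port
        self.inbound_map: Dict[Tuple[str, int], Flow] = {}      # (proto, public port) -> flow

    def outbound(self, proto: str, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Tuple[str, int]:
        """Private host sends to the Internet: source becomes public ip + a unique port."""
        flow: Flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if flow not in self.outbound_map:
            port = self.next_port
            self.next_port += 1
            self.outbound_map[flow] = port
            self.inbound_map[(proto, port)] = flow
        return self.public_ip, self.outbound_map[flow]

    def inbound(self, proto: str, src_ip: str, src_port: int,
                dst_port: int) -> Optional[Tuple[str, int]]:
        """Packet from the Internet: translate back only if it answers an existing flow."""
        flow = self.inbound_map.get((proto, dst_port))
        if flow is None:
            return None                        # no mapping: unsolicited, dropped
        _, priv_ip, priv_port, rem_ip, rem_port = flow
        if (src_ip, src_port) != (rem_ip, rem_port):
            return None                        # wrong remote endpoint for this mapping
        return priv_ip, priv_port


def demo() -> Dict[str, object]:
    nat = PortOverloadNat("203.0.113.5")       # constructed public address
    web = ("198.51.100.7", 80)                 # constructed Internet web server
    a = nat.outbound("tcp", "192.168.0.10", 1234, *web)
    b = nat.outbound("tcp", "192.168.0.11", 1234, *web)        # same private port, other host
    a_again = nat.outbound("tcp", "192.168.0.10", 1234, *web)  # existing flow reuses its entry
    return {
        "host_a": a,
        "host_b": b,
        "a_reused": a_again == a,
        "reply_to_b": nat.inbound("tcp", *web, b[1]),
        "unsolicited": nat.inbound("tcp", "198.51.100.9", 4444, 1027),
        "other_remote": nat.inbound("tcp", "198.51.100.9", 80, a[1]),
    }
```

Two private hosts using the same source port are kept apart by the public port the NAT assigns, and the reverse entry records the remote endpoint, so a reply is delivered only to the host that opened the flow with that endpoint.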
Certificate Services
Overview of Certificates
A certificate is a digital document that verifies that the public
key contained in the certificate actually belongs to the entity
named in the certificate. Certificate Services includes two policy
modules that permit two classes of CAs: Enterprise CAs and
Stand-Alone CAs. The policy modules define the actions that a CA can
take when it receives a certificate request, and can be modified if
necessary.
Enterprise CAs
In an enterprise, the enterprise root CA is the most trusted CA.
There can be only one enterprise root CA in any given hierarchy, but
there can be more than one enterprise root CA in a Windows 2000
domain. All other CAs in the hierarchy are enterprise subordinate
CAs.
Stand-Alone CAs
An organization that issues certificates to users or computers outside
the organization should install a stand-alone CA. As with enterprise
CAs, there can be only one stand-alone root CA per hierarchy, but
multiple stand-alone CAs can exist. All other CAs in a hierarchy are
either stand-alone subordinate CAs or enterprise subordinate CAs. A
stand-alone CA has a simple default policy module. It does not store
any information remotely.
Installing a Stand-Alone Subordinate CA
1. From Control Panel, select Add/Remove Programs.
2. Click Add/Remove Windows Components.
3. Check the box next to Certificate Services, then click Next.
4. Select Stand-Alone Root CA, then click Next.
5. Fill in the CA identifying information. For CA name, type
ComputernameCA. Click Next.
6. Use the default data storage locations, then click Next.
7. During the CA installation process, you will need to give the
location of the CERTSRV.* installation files.
8. Click Finish.
9. Close the Add/Remove Programs window.
Requesting and Installing a Certificate From the Local CA
1. Run Certificate Authority Manager.
2. Run Internet Explorer and connect to http://<your_server>/certsrv/default.asp.
3. Request a Web browser certificate. The request will be pending.
Close Internet Explorer.
4. Open Certificate Authority and select the Pending Requests
folder. Right-click your request and choose Issue from the All Tasks
menu.
5. In the left pane, select the Issued Certificates folder to confirm
that your request has been issued.
6. Run Internet Explorer, connect to http://<your_server>/certsrv/default.asp,
check on the Pending Certificate Request, then install the
certificate.
7. From the Tools menu, click Internet Options, Content, then
Certificates.
Revoked Certificates
When a certificate is marked as revoked, it is moved to the Revoked
Certificates folder. The revoked certificate will appear on the CRL
the next time it is published.
Certificates revoked with the reason code Certificate Hold can be
unrevoked, left on Certificate Hold until they expire, or have their
revocation reason code changed. This is the only reason code that
allows you to change the status of a revoked certificate.
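The two rules above (a revoked certificate appears on the next published CRL, and only a Certificate Hold revocation may be undone or have its reason changed) as an added Python model that is not Certificate Services code. The reason codes are the standard X.509 CRLReason values, which Windows CAs also use; the serial numbers are constructed.

```python
from enum import IntEnum
from typing import Dict, List, Set


class CrlReason(IntEnum):
    """X.509 CRLReason codes (RFC 5280); Certificate Hold is the only reversible one."""
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CA_COMPROMISE = 2
    AFFILIATION_CHANGED = 3
    SUPERSEDED = 4
    CESSATION_OF_OPERATION = 5
    CERTIFICATE_HOLD = 6


class RevocationStore:
    def __init__(self) -> None:
        self.revoked: Dict[str, CrlReason] = {}   # serial -> reason (the Revoked Certificates folder)
        self.published: List[Set[str]] = []       # snapshot of serials on each published CRL

    def revoke(self, serial: str, reason: CrlReason) -> None:
        if serial in self.revoked:
            raise ValueError(f"{serial} is already revoked")
        self.revoked[serial] = CrlReason(reason)

    def change_reason(self, serial: str, new_reason: CrlReason) -> None:
        """Only a certificate on hold may have its reason code changed."""
        if self.revoked.get(serial) != CrlReason.CERTIFICATE_HOLD:
            raise PermissionError("only Certificate Hold revocations can be changed")
        self.revoked[serial] = CrlReason(new_reason)

    def unrevoke(self, serial: str) -> None:
        """Only a certificate on hold may be returned to service."""
        if self.revoked.get(serial) != CrlReason.CERTIFICATE_HOLD:
            raise PermissionError("only Certificate Hold revocations can be unrevoked")
        del self.revoked[serial]

    def publish_crl(self) -> Set[str]:
        """Publishing copies the current revoked list onto a new CRL."""
        crl = set(self.revoked)
        self.published.append(crl)
        return crl

    def is_revoked_per_latest_crl(self, serial: str) -> bool:
        """What a relying party sees: nothing until the next CRL is published."""
        return bool(self.published) and serial in self.published[-1]


def demo() -> Dict[str, object]:
    store = RevocationStore()
    store.revoke("1A2B", CrlReason.KEY_COMPROMISE)
    store.revoke("3C4D", CrlReason.CERTIFICATE_HOLD)
    on_crl_before_publish = store.is_revoked_per_latest_crl("1A2B")   # not yet published
    first_crl = store.publish_crl()
    store.unrevoke("3C4D")                           # allowed: it was on Certificate Hold
    try:
        store.change_reason("1A2B", CrlReason.SUPERSEDED)
        hard_change_refused = False
    except PermissionError:
        hard_change_refused = True                   # key compromise is final
    store.revoke("5E6F", CrlReason.CERTIFICATE_HOLD)
    store.change_reason("5E6F", CrlReason.CESSATION_OF_OPERATION)   # allowed
    second_crl = store.publish_crl()
    return {
        "on_crl_before_publish": on_crl_before_publish,
        "first_crl": first_crl,
        "hard_change_refused": hard_change_refused,
        "second_crl": second_crl,
        "reason_5E6F": store.revoked["5E6F"],
    }
```

The gap between revoking and publishing is visible in the first check: until the CA publishes, a client checking the last CRL still treats the certificate as valid, which is why the publication interval matters operationally.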
EFS Recovery Policy
EFS requires an encrypted data recovery agent policy before it can
be used. Only members of the Domain Administrators group can
designate another account as the recovery agent account. If there
are no domains, the computer’s local Administrator account is the
default recovery agent account. A recovery agent account is used to
restore data for all computers covered by the policy. If a user’s
private key is lost, a file protected by that key can be backed up,
and the backup sent by means of secure email to a recovery agent
administrator. The administrator restores the backup copy, opens it
to read the file, copies the file in plain text, and returns the
plain text file to the user using secure e-mail again. As an
alternative, the administrator can go to the computer that has the
encrypted file, import his or her recovery agent certificate and
private key, and perform the recovery locally.