Managing a Windows 2000 Network
Configure, administer, and troubleshoot DNS
DNS provides the name resolution backbone for the Internet today. With the introduction of Active Directory, it is now also the backbone of Microsoft’s name resolution.
DNS is a service used on the Internet for resolving fully qualified domain names (FQDNs) to their actual Internet Protocol (IP) addresses. An FQDN is read from left to right, with each host name or domain name label separated by a period. An example of an FQDN is www.certifyexpress.com.
Let’s talk about the DNS hierarchy. The hierarchy starts with a root container, called the root domain. Directly below the root domain are the top-level domains (TLDs), sometimes called first-level domains.
The TLDs are summarized in the following table:

Name   Description
Arpa   Reverse DNS. Owned by the Advanced Research Projects Agency (ARPA).
Com    Commercial organizations.
Edu    Educational institutions.
Gov    Non-military government organizations.
Int    Used to register reverse mappings of Internet Protocol version 6 (IPv6) addresses assigned by IANA to DNS domain names in the ip6.int domain, for computers that use those addresses on the Internet.
Mil    Military agencies.
Net    Organizations that provide large-scale Internet or telephony-based services.
Org    Non-profit, non-commercial organizations.
Registering a Domain Name
When an organization wants to establish a domain name on the Internet, the domain name must be registered with one of the authorized registration authorities, such as InterNIC. To ensure your chosen domain name has not already been taken by another company, first verify that the name is available with the registration authority, and then register it.
Understanding Order of Name Resolution
The DNS name server resolves a name to an IP address using the following process:
1. The client checks its local Hosts file. If that does not yield an answer,
2. the client passes the request on to the name server, which checks its DNS cache.
3. The DNS server looks in its local memory cache for names it has recently resolved. If the name is found in the local cache, the name server returns the IP address the client computer requires.
4. Otherwise, the name server looks in its own host tables (its zone data) to see if there is a static entry (or, in the case of Dynamic DNS, a dynamic entry) mapping the host name to an IP address. If an entry exists, the DNS server forwards the IP address to the client computer.
5. If unsuccessful, the DNS server passes the request on to a root name server.
6. The root name server passes the request to the appropriate first-level domain name server, and so on, until a name server can resolve the name.
7. The first name server that can resolve the host name to an IP address reports the IP address to the client computer.
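The resolution order above, run as a simulation (an added example, not code from the original page). The hosts file, resolver cache, local zone data and the root → TLD → authoritative delegation chain are all constructed sample data, and the domain names and addresses in them are made up for the example.

```python
"""Simulate the order of name resolution: hosts file, cache, local zone data,
then an iterative walk from a root server following referrals (steps 5 to 7).
All names, addresses and servers below are constructed sample data."""
import time

# Constructed sample data: the client's Hosts file and the DNS server's own zone.
HOSTS_FILE = {"printer.kingswood.com": "192.168.100.50"}
LOCAL_ZONE = {"george.kingswood.com": "192.168.100.18"}

# Constructed delegation tree. Each server either answers for a name or
# refers the resolver to the server responsible for a suffix.
SERVERS = {
    "root": {"refer": {"com": "tld-com"}},
    "tld-com": {"refer": {"certifyexpress.com": "ns.certifyexpress.com"}},
    "ns.certifyexpress.com": {"answer": {"www.certifyexpress.com": "203.0.113.10"}},
}


class Resolver:
    def __init__(self, hosts, zone, servers, ttl=300):
        self.hosts, self.zone, self.servers, self.ttl = hosts, zone, servers, ttl
        self.cache = {}   # name -> (address, expiry time)
        self.trace = []   # where each answer came from, for inspection

    def _cache_get(self, name):
        hit = self.cache.get(name)
        if hit and hit[1] > time.monotonic():
            return hit[0]
        self.cache.pop(name, None)           # expired entries are dropped, not reused
        return None

    def _iterate(self, name):
        """Walk the delegation chain from the root (steps 5 to 7 above)."""
        server = "root"
        for _ in range(len(self.servers) + 1):   # bound the walk so a referral loop fails instead of hanging
            data = self.servers[server]
            if name in data.get("answer", {}):
                self.trace.append(f"authoritative:{server}")
                return data["answer"][name]
            referral = next((nxt for suffix, nxt in data.get("refer", {}).items()
                             if name == suffix or name.endswith("." + suffix)), None)
            if referral is None:
                return None                       # no server is authoritative for this name
            self.trace.append(f"referral:{server}->{referral}")
            server = referral
        return None

    def resolve(self, name):
        """Return the address for name, or None, following the documented order."""
        name = name.lower().rstrip(".")
        if name in self.hosts:                    # step 1: client Hosts file
            self.trace.append("hosts")
            return self.hosts[name]
        ip = self._cache_get(name)                # steps 2 and 3: recently resolved names
        if ip:
            self.trace.append("cache")
            return ip
        if name in self.zone:                     # step 4: the server's own zone data
            self.trace.append("zone")
            ip = self.zone[name]
        else:
            ip = self._iterate(name)              # steps 5 to 7: root, TLD, authoritative
        if ip:
            self.cache[name] = (ip, time.monotonic() + self.ttl)
        return ip
```

The `trace` list records which stage answered, which is the part worth watching when a name resolves to an unexpected address: a stale hosts-file or cache entry is found before any server is ever asked.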
Difference between traditional DNS and Windows 2000 DNS
1. Notification-driven zone transfers. The standard model for DNS updates requires secondary name servers to periodically poll the master server for table updates. Under Windows 2000 DNS, the master server can notify the secondaries when an update has occurred, so updates are no longer dependent on polling intervals. This allows much faster distribution of changes.
2. Integrated zone tables. With the Windows 2000 DNS Server service, you can integrate DNS into Active Directory; resource records are then stored in AD and can be updated by any domain controller running DNS. This integration is a proprietary feature of Windows 2000.
3. Incremental zone transfers. The standard model for DNS zone transfers is to transfer the entire zone whenever an update has occurred. Incremental zone transfer is far more efficient than the standard model, as only the changes are transferred instead of the whole zone.
4. Secure DNS updates. Windows 2000 DNS updates can be restricted to authorized secondaries.
5. DNS-DHCP integration. The power of Dynamic DNS (DDNS) is the integration of DHCP with the DNS table. Any Windows 2000 DHCP client computer is automatically added to the DNS table at the time its IP address is issued.
Reverse Lookups
A reverse lookup is the reverse of a forward lookup: you already know the IP address but not the host name.
A reverse lookup zone is also necessary for the proper operation of the nslookup command.
Without a reverse lookup zone, when you type nslookup at the command prompt you will receive the following message:
Server: Unknown
Address: 192.168.0.1
*** Unknown. Can’t find nslookup : non-existent domain.
Note: When you promote a standalone W2K server to a W2K domain controller by running dcpromo, the Active Directory Installation Wizard does not automatically add a reverse lookup zone and PTR resource records. Reason: the reverse lookup zone may be controlled by another server.
A pointer (PTR) record needs to be created for each host if you wish to use the reverse lookup zone.
To have the pointer record created automatically, select “Create associated pointer (PTR) record” when creating a new host record in the forward lookup zone.
The naming convention for a reverse lookup zone is: the network octets of the IP address, in reverse order, followed by .in-addr.arpa.
Thus, the reverse lookup zone for the IP network containing 192.168.0.15 is 0.168.192.in-addr.arpa.
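An added example, not from the original page, that derives the in-addr.arpa names the text describes and then checks that every A record has a matching PTR record, the consistency the “Create associated pointer (PTR) record” option is meant to preserve. The record sets are constructed sample data; the zone naming rule is generalized to the /8, /16 and /24 delegation boundaries beyond the /24 case the text shows.

```python
"""Derive in-addr.arpa names and audit forward/reverse record consistency.
The A and PTR record sets below are constructed sample data."""
import ipaddress


def reverse_zone(network):
    """Zone name for a classful IPv4 network: 192.168.0.0/24 -> 0.168.192.in-addr.arpa.
    in-addr.arpa zones are delegated on octet boundaries, so only /8, /16, /24 apply."""
    net = ipaddress.ip_network(network, strict=False)   # host bits are masked off
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("in-addr.arpa zones are delegated on octet boundaries (/8, /16, /24)")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(address):
    """Owner name of a host's PTR record: all four octets reversed under in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer


def check_forward_reverse(a_records, ptr_records):
    """Report A records whose PTR is missing or points at a different name.
    a_records: {fqdn: address}; ptr_records: {ptr owner name: fqdn}."""
    problems = []
    for fqdn, address in a_records.items():
        target = ptr_records.get(ptr_owner(address))
        if target is None:
            problems.append((fqdn, address, "missing PTR"))
        elif target.lower().rstrip(".") != fqdn.lower().rstrip("."):
            problems.append((fqdn, address, f"PTR points to {target}"))
    return problems


# Constructed sample zone contents: one host renamed without its PTR being
# updated, one host added with the "create associated PTR" option unchecked.
A_RECORDS = {
    "george.kingswood.com": "192.168.100.18",
    "printer.kingswood.com": "192.168.100.50",
    "web.kingswood.com": "192.168.100.20",
}
PTR_RECORDS = {
    "18.100.168.192.in-addr.arpa": "george.kingswood.com",
    "50.100.168.192.in-addr.arpa": "oldprinter.kingswood.com",
}
```

Running `check_forward_reverse(A_RECORDS, PTR_RECORDS)` lists the two inconsistent hosts; the same audit over an exported forward and reverse zone is a cheap way to find the stale PTR records that make nslookup and other reverse-resolving tools report the wrong names.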
Now get familiar with the different resource records and related terms.
CNAME (Canonical Name) – indicates an alias domain name for a name already specified in another resource record type in this zone.
A (Address) – a resource record used to map a DNS domain name to a host IP address on the network.
Forward lookup zone – a zone that contains the information needed to resolve names within the DNS domain.
Hosts file – a static database file used to resolve host names on TCP/IP networks.
Lmhosts file – a local text file that maps IP addresses to the computer names of Windows 2000 networking computers outside the local subnet. In Windows 2000, this file is stored in the systemroot\System32\Drivers\Etc folder.
Create and Configure DNS Zones
In the DNS database, a zone is a subtree that is administered as a single separate entity by a DNS server. This administrative unit can consist of a single domain or a domain with subdomains. A DNS zone administrator sets up one or more name servers for the zone.
There are 3 types of zone storage:
1. Active Directory-integrated. This zone option stores all DNS information in AD. This is the most secure option for maintaining the DNS table, as the DNS table cannot be read with a text editor such as Notepad.
2. Standard primary. Zone information is stored in a text file on a server that is authoritative for the zone, as on most non-Windows 2000 DNS servers. You can have only one standard primary server per zone.
3. Standard secondary. Contains a read-only copy of an existing zone. The master copy is the read/write copy of the zone database.
To store a zone in Active Directory, you can either create an Active Directory–integrated zone or convert a primary or secondary zone to be Active Directory–integrated. You can also convert AD-integrated zone back to standard primary or secondary.
For an AD-integrated zone, any zone you create is automatically replicated to all domain controllers in the domain. Therefore, do not create the same zone on more than one domain controller.
Notes on converting a standard zone to an Active Directory–integrated zone:
1. For a DNS server to use an AD-integrated zone, the server must be running on a domain controller.
2. You cannot load Active Directory–integrated zones from other domains. If you want your DNS server to be authoritative for an Active Directory–integrated zone from another domain, the server can only be a secondary server for that zone. This point is very important in the exam.
3. There is no such thing as an Active Directory–integrated secondary zone. When you store a zone in Active Directory, all domain controllers can update the zone.
4. You cannot have at the same time both an Active Directory–integrated zone and a standard primary copy of the same zone.
You can convert an Active Directory–integrated zone to either a standard primary or standard secondary zone.
If you convert an Active Directory–integrated zone to a standard primary zone, the zone is copied to a standard file on that server and is deleted from Active Directory. The zone no longer appears on other Active Directory–integrated DNS servers.
If you convert an Active Directory–integrated zone to a standard secondary zone, the zone is copied to the name server on which you converted the zone. That server no longer loads the zone from Active Directory, but it has its own secondary copy of the zone. It requests zone transfers from whatever server you specified as the primary server for the zone.
Deleting Zones
If you delete a standard secondary zone from a domain controller, it is generally deleted from that domain controller. However, if a corresponding Active Directory – integrated zone exists, and you have configured the DNS server to load data on startup from Active Directory and the registry, the zone reappears as an Active Directory–integrated primary zone. You can then delete the Active Directory–integrated zone from the computer or from Active Directory.
Creating a Secondary Copy of an Active Directory – Integrated Zone
It is possible to integrate a zone in Active Directory and then add a secondary copy of the zone on another DNS server. You might want to do this if, for example, you have a remote site from which your users need to be able to resolve names, but you do not want to increase your network traffic by adding a domain controller.
Multimaster replication
Active Directory supports multimaster replication, which is replication in which any domain controller can send or receive updates of information stored in Active Directory. Replication processing is performed on a per-property basis, which means that only relevant changes are propagated. Replication processing differs from DNS full zone transfers, in which the entire zone is propagated. Replication processing also differs from incremental zone transfers, in which the server transfers all changes made since the last change. With Active Directory replication, however, only the final result of all changes to a record is sent.
When you store a primary zone in Active Directory, the zone information is replicated to all domain controllers within the Active Directory domain. Every DNS server running on a domain controller is then authoritative for that zone and can update it.
Name Collisions
Because all domain controllers in the domain can make changes to the same zone, it is possible for someone to update a property of an Active Directory object on one domain controller and someone else to update the same property on another domain controller simultaneously (or nearly simultaneously), thus making the information about the property on one domain controller inconsistent with that on the other domain controller. When a property changes in a second domain controller before a change from the first server replica has been propagated, a replication collision occurs.
Replication collisions can affect Active Directory–integrated DNS zones. Suppose that the same name is simultaneously created within the same domain and on two different domain controllers. The changes replicate, and Active Directory determines that there are two different dnsNode objects that have the same name. To solve the problem, the replication subsystem of Active Directory changes the name of the object that was created first by adding to the name a special character and a globally unique identifier (GUID), which is a unique 128-bit number that Active Directory associates with an object to make the object unique. This “disambiguates” the name of the object so that the two objects have different names. The next time that the DNS server pulls changes from Active Directory, the DNS server deletes the copy of the host object with the GUID. Thus, DNS accepts the last name to be created.
If you simultaneously modify a name object on two different server replicas, Active Directory must decide which change (attribute value) will be accepted and which will be discarded. To do so, Active Directory selects the attribute value that has the highest version number. If the version numbers are the same, Active Directory selects the attribute value that has the latest timestamp. Thus, DNS accepts the second change.
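The two collision rules above as a small model (an added example, not from the original page or from Microsoft). Records, GUIDs and timestamps are constructed; the text says only that the first-created object is renamed with “a special character and a GUID”, so the `\nCNF:` form used for the renamed object here is an assumption.

```python
"""Model how AD settles replication collisions in an AD-integrated zone:
duplicate dnsNode objects (first-created renamed, then dropped by DNS) and
conflicting attribute values (highest version, then latest timestamp).
All records below are constructed sample data."""
import uuid
from dataclasses import dataclass


@dataclass
class NodeRecord:
    object_guid: str   # identity of the dnsNode object in AD (constructed values)
    value: str         # record data, e.g. the address in an A record
    version: int       # attribute version number, incremented on each write
    timestamp: float   # originating write time
    created: float     # object creation time on the originating DC


def resolve_attribute(a, b):
    """Same object modified on two DCs: highest version wins, latest timestamp breaks a tie."""
    if a.version != b.version:
        return a if a.version > b.version else b
    return a if a.timestamp >= b.timestamp else b


def merge_replicas(replica_a, replica_b):
    """Merge two DC replicas of a zone after a replication cycle.
    Each replica maps dnsNode name -> NodeRecord. Returns (merged, renamed), where
    renamed lists the conflict names given to first-created duplicates before the
    DNS server deletes them."""
    merged, renamed = {}, []
    for name in sorted(set(replica_a) | set(replica_b)):
        a, b = replica_a.get(name), replica_b.get(name)
        if a is None or b is None:
            merged[name] = a or b                 # only one DC has the node: no conflict
        elif a.object_guid != b.object_guid:
            # Two distinct objects with the same name. The first-created one is
            # renamed with a marker and a GUID (assumed form), then deleted by DNS,
            # so the last-created object wins.
            renamed.append(f"{name}\nCNF:{uuid.uuid4()}")
            merged[name] = max((a, b), key=lambda r: r.created)
        else:
            merged[name] = resolve_attribute(a, b)   # same object, conflicting values
    return merged, renamed


# Constructed sample replicas: host1 modified on both DCs at the same version,
# dup created independently on both DCs, only-b present on one DC.
REPLICA_A = {
    "host1": NodeRecord("guid-1", "192.168.100.20", version=2, timestamp=100.0, created=50.0),
    "dup": NodeRecord("guid-2", "192.168.100.30", version=1, timestamp=110.0, created=60.0),
}
REPLICA_B = {
    "host1": NodeRecord("guid-1", "192.168.100.21", version=2, timestamp=105.0, created=50.0),
    "dup": NodeRecord("guid-3", "192.168.100.31", version=1, timestamp=111.0, created=61.0),
    "only-b": NodeRecord("guid-4", "192.168.100.40", version=1, timestamp=120.0, created=70.0),
}
```

The point the model makes visible is that the outcome depends on version numbers and clocks, not on which administrator “meant” the change: a DC with a fast clock can win every tie, which is why a record that keeps reverting after replication should be traced to the originating DC rather than re-entered.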
Causing Immediate Replication
When setting up DNS or troubleshooting replicas, you might not want to wait for the normal replication cycle. If so, you can cause replication to take place immediately. Keep in mind that your network performance affects how long it takes to update the target domain controller.
Steps to invoke immediate replication
First, expand the Sites container, expand the appropriate site object, expand the Servers container, and expand the appropriate server object.
Next, double-click NTDS Settings, right-click the appropriate connection object, and select Replicate Now from the shortcut menu.
Start Of Authority Resource Record
Always remember that the SOA (Start of Authority) record is kept by the primary server. If a question asks you to retain the SOA record at a particular server, then the other server must keep the secondary zone.
A zone transfer can be initiated either by a request from the secondary server or after the primary server has notified the secondary server of changes in the database.
DHCP
DHCP stands for Dynamic Host Configuration Protocol. It has eased the headaches of network administrators in managing client IP addresses. If you manually manage your IP addresses, almost any change to the network requires a visit to one or more computers to update the TCP/IP configuration.
Move a client computer to a new subnet, and you have to update its IP address.
DHCP is used not only to dynamically allocate IP addresses; it also plays a critical part in registering hosts in Microsoft Active Directory.
How does a client computer get an address with the DHCP protocol?
1. The client computer broadcasts a DHCP Discover message to find a DHCP server.
2. The DHCP server offers an IP address (it responds with a DHCP Offer message).
3. The client computer accepts the address and sends a request (DHCP Request) to use that address back to the DHCP server.
4. The DHCP server acknowledges (DHCP ACK) the request and grants the client computer a lease to use the address. The client computer uses the address to connect to the network.
Troubleshooting DHCP
Your manager will generally ask why there is a need to install Windows 2000 DHCP in your network. Why not use the NT 4 DHCP server? The answer: NT 4 DHCP is fine if you maintain a legacy domain and a WINS-style network. If you wish to do away with the legacy WINS architecture, then you will need the Windows 2000 DHCP service.
DHCP Scopes
A scope is a range of IP addresses that are available for dynamic assignment to hosts on a given subnet.
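The Discover/Offer/Request/Acknowledge exchange described above, together with the scope the server draws leases from, as an added example (not from the original page): a constructed server leases addresses from a scope to constructed clients. Messages are plain dictionaries rather than the DHCP wire format, and the address range, MAC addresses and lease length are made-up sample values.

```python
"""Simulate the four-message DHCP exchange against a server with one scope.
Server, clients and all addresses are constructed for this example."""
import ipaddress


class DhcpServer:
    """Constructed DHCP server: one scope, leases keyed by address."""

    def __init__(self, scope_start, scope_end, lease_seconds=8 * 3600):
        start = int(ipaddress.IPv4Address(scope_start))
        end = int(ipaddress.IPv4Address(scope_end))
        self.scope = [str(ipaddress.IPv4Address(i)) for i in range(start, end + 1)]
        self.lease_seconds = lease_seconds
        self.leases = {}   # address -> client MAC holding the lease
        self.offers = {}   # transaction id -> address offered but not yet acknowledged

    def handle(self, msg):
        kind, mac, xid = msg["type"], msg["mac"], msg["xid"]
        if kind == "DHCPDISCOVER":
            # Offer the address this client already holds, otherwise the first free one.
            ip = next((a for a, m in self.leases.items() if m == mac), None) \
                or next((a for a in self.scope if a not in self.leases), None)
            if ip is None:
                return None            # scope exhausted: the server stays silent
            self.offers[xid] = ip
            return {"type": "DHCPOFFER", "xid": xid, "yiaddr": ip, "lease": self.lease_seconds}
        if kind == "DHCPREQUEST":
            ip = msg["requested"]
            # Honour only a request for the address offered to this transaction,
            # and never hand out an address that another client still holds.
            if self.offers.get(xid) != ip or self.leases.get(ip, mac) != mac:
                return {"type": "DHCPNAK", "xid": xid}
            del self.offers[xid]
            self.leases[ip] = mac
            return {"type": "DHCPACK", "xid": xid, "yiaddr": ip, "lease": self.lease_seconds}
        raise ValueError(f"unexpected message type {kind}")


def obtain_lease(server, mac, xid):
    """Client side: broadcast Discover, take the Offer, Request it, wait for the Ack.
    Returns the leased address, or None if the server made no offer or refused."""
    offer = server.handle({"type": "DHCPDISCOVER", "mac": mac, "xid": xid})
    if offer is None:
        return None
    ack = server.handle({"type": "DHCPREQUEST", "mac": mac, "xid": xid,
                         "requested": offer["yiaddr"]})
    return ack["yiaddr"] if ack["type"] == "DHCPACK" else None


if __name__ == "__main__":
    server = DhcpServer("192.168.100.100", "192.168.100.101")   # constructed two-address scope
    for mac in ("00-11-22-33-44-55", "00-11-22-33-44-66", "00-11-22-33-44-77"):
        print(mac, "->", obtain_lease(server, mac, xid=hash(mac) & 0xFFFF))
```

The third client in the demonstration gets no address because the two-address scope is exhausted, which is exactly how a too-small scope shows up in practice: clients fall back to autoconfiguration rather than receiving an error.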
Authorize a DHCP server in Active Directory
In Windows 2000, a DHCP server cannot provide services to clients until it has been authorized in Active Directory. This prevents unauthorized DHCP servers from running on your network.
This is accomplished by adding the IP address of the DHCP server into Active Directory, and it requires Enterprise Administrator rights.
Procedure to authorize a DHCP server
1. Open the DHCP manager application.
2. Select the DHCP server you want to authorize, click the Action menu and select the Authorize action. This will take a few minutes. When the process is complete, your scope appears in the contents of the DHCP server with an Active status. Your server is now ready to issue addresses when it receives a DHCP request.
If your DHCP server suddenly goes down and you bring a new DHCP server into the network: for the new DHCP server to take over ownership of the records of the previous DHCP server, you need to add it to the DNS update proxy (DnsUpdateProxy) global security group.
Configuring DHCP for DNS Integration
Three settings can be configured for DNS integration:
1. Automatically Update DHCP Client Information in DNS
This is enabled by default. If selected, the DHCP server registers the DHCP client for both forward (A-type records) and reverse (PTR-type records) lookups in DNS.
If you have older Microsoft or non-Microsoft client computers on your network, you may want to change this to Always Update DNS. If the Always Update DNS option is selected, the DHCP server always registers the DHCP client for both forward (A-type records) and reverse (PTR-type records) lookups with DNS.
2. Discard Forward (Name-to-Address) Lookups when Lease Expires
This is also enabled by default. After the lease for an IP address expires, the DHCP server discards the forward (name-to-address) lookup record it registered for that client.
3. Enable Updates for DNS Clients That Do Not Support Dynamic Update
You may enable this if you are using AD in a mixed client environment.
DHCP/DNS update interaction for Windows 2000 DHCP clients: By default, the client sends a DNS update request to the DNS server for its own forward lookup record, a host (A) resource record.
Alternatively, the DHCP server sends a DNS update request to the DNS server for the client's PTR resource record, while the client updates its A (host) record. This arrangement requires that the client and its configuration be modified accordingly.
DHCP/DNS update interaction for earlier Windows DHCP clients (prior to Windows 2000): The DHCP server sends a DNS update request to the DNS server for the client's PTR record as well as its A record.
What is meant by DHCP option 81?
It is the option that allows the DHCP server to register and update the pointer (PTR) and address (A) resource records on the DNS server on behalf of its DHCP-enabled clients.
Troubleshooting Name Resolution Problem
You can troubleshoot name resolution by using nslookup.
Nslookup is useful for performing query testing and troubleshooting DNS.
Nslookup has two modes, interactive and non-interactive.
If you need to look up only a single piece of data, use non-interactive mode.
If you type nslookup at the command prompt, the following message will appear:
G:\>nslookup
Default Server: george.kingswood.com
Address: 192.168.100.18
Netdiag Command
NetDiag is a command-line diagnostic tool included with the Support Tools on the Windows 2000 Setup CD. It helps isolate networking and connectivity problems by performing a series of tests to determine the state of your network client. NetDiag diagnoses network problems by checking all aspects of a host computer’s network configuration and connections. Beyond troubleshooting TCP/IP issues, it also examines a host computer’s Internetwork Packet Exchange (IPX) and NetWare configurations.
If you type netdiag at the command prompt, output like the following will appear:
C:\>netdiag
Computer Name: GEORGE
DNS Host Name: george.Kingswood.com
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 6 Model 4 Stepping 2, authenticated
List of installed hotfixes :
Q147222
Netcard queries test . . . . . . . : Passed
Per interface results:
Adapter : Local Area Connection
Netcard queries test . . . : Passed
Host Name. . . . . . . . . : george
IP Address . . . . . . . . : 192.168.100.18
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.100.2
Dns Servers. . . . . . . . : 192.168.100.18
202.188.0.133
AutoConfiguration results. . . . . . : Passed
Default gateway test . . . : Passed
NetBT name test. . . . . . : Passed
No remote names have been found.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{F3F28712-31A0-45EC-9688-1C9EE26E7407}
1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
PASS – All the DNS entries for DC are registered on DNS server ‘192.16 18’ and other Dcs also have some of the names registered.
[WARNING] The DNS entries for this DC cannot be verified right now server 202.188.0.133, ERROR_TIMEOUT.
Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{F3F28712-31A0-45EC-9688-1C9EE26E7407}
The redir is bound to 1 NetBt transport.
List of NetBt transports currently bound to the browser
NetBT_Tcpip_{F3F28712-31A0-45EC-9688-1C9EE26E7407}
The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is assigned.
The command completed successfully
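A parser for netdiag output in the format of the listing above, as an added example (not from the original page): it extracts each test's status and any [WARNING] lines so that non-passing tests can be flagged automatically when the output is collected from many machines. The sample text is a constructed, shortened listing modelled on the format above, with a Failed result added for illustration.

```python
"""Parse netdiag output into (section, test, status) tuples plus warnings.
SAMPLE is constructed from the format of the listing above, not captured output."""
import re

SAMPLE = """\
Netcard queries test . . . . . . . : Passed
Per interface results:
    Adapter : Local Area Connection
        Netcard queries test . . . : Passed
        Host Name. . . . . . . . . : george
        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.
Global results:
    DNS test . . . . . . . . . . . . . : Passed
        [WARNING] The DNS entries for this DC cannot be verified right now server 202.188.0.133, ERROR_TIMEOUT.
    Trust relationship test. . . . . . : Skipped
    Kerberos test. . . . . . . . . . . : Failed
The command completed successfully
"""

# "<name> test . . . : <status>"; the dotted leader between name and colon is discarded.
TEST_LINE = re.compile(r"^\s*(?P<name>.+? test)[ .]*:\s*(?P<status>Passed|Failed|Skipped)\s*$")
WARNING_LINE = re.compile(r"^\s*\[WARNING\]\s*(?P<text>.+)$")


def parse_netdiag(text):
    """Return (results, warnings). results: list of (section, test name, status);
    section is 'summary' until a 'Per interface results:' or 'Global results:' header."""
    results, warnings, section = [], [], "summary"
    for line in text.splitlines():
        if line.rstrip().endswith("results:"):
            section = line.strip()[:-1].lower()
            continue
        m = TEST_LINE.match(line)
        if m:
            results.append((section, m["name"].strip(), m["status"]))
            continue
        w = WARNING_LINE.match(line)
        if w:
            warnings.append(w["text"].strip())
    return results, warnings


def not_passed(results):
    """Tests that need a look: anything Skipped or Failed."""
    return [r for r in results if r[2] != "Passed"]


if __name__ == "__main__":
    results, warnings = parse_netdiag(SAMPLE)
    for section, test, status in not_passed(results):
        print(f"{status:8} {section}: {test}")
    for text in warnings:
        print("WARNING ", text)
```

A Skipped result is not a failure (WINS is legitimately skipped when no WINS server is configured), so the report separates status from the explanatory warning text rather than collapsing both into pass/fail.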
Nbtstat Command
Nbtstat is a useful tool for troubleshooting NetBIOS name resolution problems.
· nbtstat -n displays the names that were registered locally on the system by programs such as the server and redirector.
· nbtstat -c shows the NetBIOS name cache, which contains name-to-address mappings for other computers.
· nbtstat -R purges the name cache and reloads it from the Lmhosts file.
· nbtstat -RR releases NetBIOS names registered with a WINS server and then renews their registration.
· nbtstat -a name performs a NetBIOS adapter status command against the computer specified by name. The adapter status command returns the local NetBIOS name table for that computer plus the media access control (MAC) address of the adapter.
· nbtstat -S lists the current NetBIOS sessions and their status, including statistics.
Ipconfig Command
Parameters
/all
Produces a full display. Without this switch, ipconfig displays only the IP address, subnet mask, and default gateway values for each network card.
/renew [adapter]
Renews DHCP configuration parameters. This option is available only on systems running the DHCP Client service. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
/release [adapter]
Releases the current DHCP configuration. This option disables TCP/IP on the local system and is available only on DHCP clients. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
With no parameters, the ipconfig utility presents all of the current TCP/IP configuration values to the user, including IP address and subnet mask. This utility is especially useful on systems running DHCP, allowing users to determine which values have been configured by DHCP.
ipconfig /registerdns – forces the DHCP client to release the current IP configuration, renew the IP configuration, and re-register the client's DNS names with DNS. Re-registering the client's DNS names forces the client's entries into DNS.
ipconfig /flushdns – removes any cached DNS queries from the local DNS client resolver cache.
Please note the following difference between DNS and WINS.
DNS provides FQDN resolution for all client computers running Microsoft Windows operating systems, Macintosh operating systems, and UNIX.
WINS provides NetBIOS name resolution for all client computers running Microsoft Windows operating systems and UNIX.
FQDNs look like the names used in Uniform Resource Locators (URLs) on the Internet, for example www.microsoft.com. NetBIOS names are 15 characters or fewer in length and do not contain periods.
Any application that uses the NetBIOS over TCP/IP (NetBT) protocol requires NetBIOS name resolution. Any application that uses Windows Sockets (Winsock) can use either host names or NetBIOS names.
Arp Command
Displays and modifies the IP – to - Ethernet or token ring physical address translation tables used by the Address Resolution Protocol (ARP). This command is available only if the TCP/IP protocol has been installed.
Parameters
-a
Displays current ARP entries by querying TCP/IP. If inet_addr is specified, only the IP and physical addresses for the specified computer are displayed.
-g
Identical to -a.
inet_addr
Specifies an IP address in dotted decimal notation.
-N
Displays the ARP entries for the network interface specified by if_addr.
if_addr
Specifies, if present, the IP address of the interface whose address translation table should be modified. If not present, the first applicable interface is used.
-d
Deletes the entry specified by inet_addr.
-s
Adds an entry in the ARP cache to associate the IP address inet_addr with the physical address ether_addr. The physical address is given as 6 hexadecimal bytes separated by hyphens. The IP address is specified using dotted decimal notation. The entry is permanent, that is, it is not automatically removed from the cache after the time-out expires.
Route Command
Manipulates network routing tables.
Parameters
-f
Clears the routing tables of all gateway entries. If this is used in conjunction with one of the commands, the tables are cleared prior to running the command.
-p
When used with the add command, makes a route persistent across boots of the system. By default, routes are not preserved when the system is restarted. When used with the print command, displays the list of registered persistent routes. Ignored for all other commands, which always affect the appropriate persistent routes.
command
Specifies one of the following commands:

Command   Purpose
print     Prints a route
add       Adds a route
delete    Deletes a route
change    Modifies an existing route
destination
Specifies the destination (host or network) to which the command applies.
mask subnetmask
Specifies a subnet mask to be associated with this route entry. If not specified, 255.255.255.255 is used.
gateway
Specifies the gateway for the route.
All symbolic names used for destination or gateway are referenced in both the network database file called Networks, and the computer name database file called Hosts. If the command is print or delete, wildcards may be used for the destination and gateway, or the gateway argument may be omitted.
metric costmetric
Assigns an integer cost metric (ranging from 1 to 9999) to be used in calculating the fastest, most reliable, and/or least expensive routes.
Tracert Command
This diagnostic utility determines the route taken to a destination by sending Internet Control Message Protocol (ICMP) echo packets with varying Time-To-Live (TTL) values to the destination. Each router along the path is required to decrement the TTL on a packet by at least 1 before forwarding it, so the TTL is effectively a hop count. When the TTL on a packet reaches 0, the router is supposed to send back an ICMP Time Exceeded message to the source system. Tracert determines the route by sending the first echo packet with a TTL of 1 and incrementing the TTL by 1 on each subsequent transmission until the target responds or the maximum TTL is reached. The route is determined by examining the ICMP Time Exceeded messages sent back by intermediate routers.
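The TTL-probing algorithm described above, as an added example (not from the original page): a constructed path of routers models the TTL decrement and the ICMP Time Exceeded reply, including a hop that forwards packets but never answers, which tracert shows as an asterisk. The addresses are made-up sample values.

```python
"""Simulate how tracert discovers a route by sending echo requests with
increasing TTL values. The path and addresses below are constructed."""

# Constructed path: routers between the source and the target, in order.
# None marks a router that forwards packets but never sends ICMP Time Exceeded.
PATH = ["192.168.100.2", "10.1.1.1", None, "203.0.113.1"]
TARGET = "203.0.113.10"


def send_echo(ttl, path=PATH, target=TARGET):
    """Network model for one probe. Each router decrements the TTL; the router
    that brings it to 0 answers Time Exceeded. If the TTL survives every router,
    the target answers Echo Reply. Returns (responder address or None, reply kind)."""
    for router in path:
        ttl -= 1                                  # each hop decrements by at least 1
        if ttl == 0:
            if router is None:
                return None, "TIMEOUT"            # the -w timeout expires; tracert prints *
            return router, "TIME_EXCEEDED"
    return target, "ECHO_REPLY"


def tracert(max_hops=30, send=send_echo):
    """Probe with TTL 1, 2, 3, ... until the target answers or max_hops (-h) is hit.
    Returns (route, reached); route is a list of (hop number, responder or '*')."""
    route = []
    for ttl in range(1, max_hops + 1):
        responder, kind = send(ttl)
        route.append((ttl, responder if responder is not None else "*"))
        if kind == "ECHO_REPLY":
            return route, True
    return route, False                           # ran out of hops before reaching the target


if __name__ == "__main__":
    for hop, who in tracert()[0]:
        print(f"{hop:3}  {who}")
```

Real tracert sends three probes per TTL and reports their round-trip times; the model sends one probe per TTL because the route-discovery logic is the same. A hop shown as `*` may simply be a router configured not to send ICMP Time Exceeded, so a single asterisk in the middle of an otherwise complete trace is not by itself evidence of a fault.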
Parameters
-d
Specifies not to resolve addresses to computer names.
-h maximum_hops
Specifies maximum number of hops to search for target.
-j computer-list
Specifies loose source route along computer-list.
-w timeout
Waits the number of milliseconds specified by timeout for each reply.
target_name
Name of the target computer.
Pathping Command
Pathping sends packets to each router on the way to a final destination over a period of time, and then computes results based on the packets returned from each hop. Since pathping shows the degree of packet loss at any given router or link, you can determine which routers or links might be causing network problems.
Parameters
-n
Does not resolve addresses to host names.
-h maximum_hops
Specifies maximum number of hops to search for the target. Default is 30 hops.
-g host-list
Allows consecutive computers to be separated by intermediate gateways (loose source route) along host-list.
-p period
Specifies number of milliseconds to wait between consecutive pings. Default is 250 milliseconds (1/4 second).
-q num_queries
Specifies number of queries to each computer along the route. Default is 100.
-w timeout
Specifies number of milliseconds to wait for each reply. Default is 3000 milliseconds (3 seconds).
-T
Attaches a layer-2 priority tag (for example, 802.1p) to the ping packets that it sends to each of the network devices along the route. This helps identify network devices that do not have layer-2 priority configured. This parameter must be capitalized.
-R
Checks to see if each network device along the route supports the Resource Reservation Setup Protocol (RSVP), which allows the host computer to reserve a certain amount of bandwidth for a data stream. This parameter must be capitalized.
target_name
Specifies the destination endpoint, identified either by IP address or host name.
Ping Command
The ping command helps to verify IP-level connectivity. When troubleshooting, you can use ping to send an ICMP echo request to a target host name or IP address. Use ping whenever you need to verify that a host computer can connect to the TCP/IP network and network resources.
Parameters
-t
Pings the specified computer until interrupted.
-a
Resolves addresses to computer names.
-n count
Sends the number of ECHO packets specified by count. The default is 4.
-l length
Sends ECHO packets containing the amount of data specified by length. The default is 32 bytes; the maximum is 65,527.
-f
Sets the Do Not Fragment flag in the packet. The packet will not be fragmented by gateways on the route.
-i ttl
Sets the Time To Live field to the value specified by ttl.
-v tos
Sets the Type Of Service field to the value specified by tos.
-r count
Records the route of the outgoing packet and the returning packet in the Record Route field. A minimum of 1 and a maximum of 9 computers can be specified by count.
-s count
Specifies the timestamp for the number of hops specified by count.
-j computer-list
Routes packets by way of the list of computers specified by computer-list. Consecutive computers can be separated by intermediate gateways (loose source routed). The maximum number allowed by IP is 9.
-k computer-list
Routes packets by way of the list of computers specified by computer-list. Consecutive computers cannot be separated by intermediate gateways (strict source routed). The maximum number allowed by IP is 9.
-w timeout
Specifies a time-out interval in milliseconds.
destination-list
Specifies the remote computers to ping.
Wins
WINS is only required in a mixed network environment. In a pure Windows 2000 network, Microsoft has done away with WINS. Four elements can be found in a WINS network.
WINS servers – When WINS client computers enter the network, they contact a WINS server and try to register their names with it. The WINS server resolves NetBIOS names to IP addresses.
WINS client computers – WINS client computers use directed P-node messages to communicate with the WINS server and are typically configured to use H-node communication. Windows 2000, Windows NT, Windows 95 and 98, and Windows for Workgroups computers can be WINS clients.
Non-WINS client computers – Older Microsoft network client computers can't use P-node. Their broadcast messages are intercepted by proxy computers, which pass the messages to the WINS server for resolution.
WINS proxies – NT, Win95, Win98 and Windows for Workgroups client computers can function as WINS proxies.
For NetBIOS name resolution, a WINS client typically performs the following general sequence of steps to resolve a name:
1. Client checks to see if the name queried is its local NetBIOS computer name, which it owns.
2. Client checks its local NetBIOS name cache of remote names. Any name resolved for a remote client is placed in this cache. Entries remain in the cache for 10 minutes.
3. Client forwards the NetBIOS query to its configured primary WINS server. If the primary WINS server fails to answer the query--either because it is not available or because it does not have an entry for the name--the client will try to contact other configured WINS servers in the order they are listed and configured for its use.
4. Client broadcasts the NetBIOS query to the local subnet.
5. Client checks the Lmhosts file for a match to the query, if it is configured to use the Lmhosts file.
6. Client tries the Hosts file and then a DNS server, if it is configured for one.
If WINS is enabled on a W2K Pro computer, the system uses H-node by default. Non-WINS client computers can access WINS through a proxy.
Before you work with WINS, you need to know what the node types are and when they are used:
B-node (broadcast node): Uses broadcasts to resolve names. Shortcoming: broadcast traffic is undesirable and consumes network bandwidth.
P-node (point-to-point node): Uses point-to-point communication with a NetBIOS name server (usually a WINS server). The WINS server can communicate using directed messages, which can cross routers.
M-node (modified node): Uses B-node first and, if that fails, the P-node method.
H-node (hybrid node): Uses the P-node method first and, if that fails, the B-node method. The default node type for W2K Pro is H-node.
Note: H-node and P-node both favor WINS servers, but H-node can fall back to a broadcast for name resolution if the WINS server is down. P-node will not resort to broadcast if no WINS server is available on the network.
Configuring WINS Replication
Pull replication: your server pulls the database from its replication partner. Replication occurs on a time-based schedule.
Push replication: your server pushes its database to its replication partner. Replication is event driven: it occurs after a set number of database updates (changes in the version ID).
Replication partner type: push, pull, or push/pull, depending on your environment.
Troubleshooting RRAS & VPN
Main changes in Routing and Remote Access in W2K as compared to RAS in NT 4:
A unified service for Routing and Remote Access integrated with the operating system.
A full set of routing protocols for IP and IPX (including noteworthy addition of OSPF).
APIs for third-party routing protocols, user interface and management.
Demand-dial routing.
PPTP Server-to-server for secure VPN.
Remote Authentication Dial-In User Service (RADIUS) client support.
Consistent management interface for all routing-based activities, including remote access, VPN, and IP and IPX routing.
Fewer reboots. With Windows 2000, the number of times you need to reboot the server is dramatically reduced. Occasionally, you still need to reboot.
Additional VPN services and simplified VPN management. The VPN interfaces (PPTP and L2TP) are installed and configured by default, requiring no additional configuration. There is also support for the IPsec protocol.
Network Address Translation Protocol (NAT) has been added.
Additional authentication mechanisms have been added to RRAS, including MS-CHAP v2, RADIUS, and EAP for smart card and certificate support.
Troubleshoot client to server PPTP and L2TP connections.
If the host or router that is attempting to dial in does not support Microsoft CHAP and does not correctly implement RFC 1331, you may observe delays during authentication that lead to an unsuccessful Point-to-Point Protocol (PPP) connection because of Link Control Protocol (LCP) timeouts.
W2K uses 3 types of policies to control Remote Access
· Local Internet Authentication Services policies.
· Central Internet Authentication Services policies
· Group policies - more in line with older versions of Remote Access.
Order in which policies take effect:
If there is more than one policy condition, they are added together.
The more restrictive policy should be placed lower in the list.
In the Add Remote Access policy dialog box, you can choose to either Grant or Deny remote access permission.
Authentication protocol
1) EAP (Extensible Authentication Protocol) - a smart card must be used.
2) MS-CHAP v2 - the client must be a Microsoft operating system. Note that NT 4 and Windows 98 computers can use MS-CHAP v2 authentication only for VPN connections.
Advantages:
· Mutual authentication.
· Stronger initial data-encryption keys.
· Different encryption keys for sending and receiving.
3) MS-CHAP - uses MD5 (Message Digest 5). Does not use clear-text passwords.
4) SPAP (Shiva Password Authentication Protocol) - allows Shiva client computers to connect to a Windows server.
5) PAP (Password Authentication Protocol) - uses plain-text passwords for authentication.
Two main encryption protocols are used with VPN:
· MPPE (Microsoft Point-to-Point Encryption) - used with PPTP (Point-to-Point Tunneling Protocol). MPPE can use 40-bit, 56-bit and 128-bit encryption.
· IPSec - used with L2TP.
MPPE uses 40-bit (the Basic setting), 56-bit (the Strong setting), or 128-bit (the Strongest setting) encryption keys.
Note that data encryption for L2TP connections relies on IPSec, which does not require any specific authentication protocol.
Ways of Installing RRAS or VPN
RRAS is preinstalled by default. You must enable it by performing the following:
1. Click Start > Programs > Administrative Tools > Routing and Remote Access.
2.Right-click the server and select Configure and Enable Routing and Remote Access.
Five options will be presented:
i. Internet Connection Server – for NAT
ii. Remote Access server – RRAS
iii. Virtual private network (VPN) Server
iv. Network router
v. Manually configured server - this is the one to use for setting up a VPN server, as there is a bug.
Strength of Encryption
You can set encryption properties for the following encryption strengths:
No Encryption
When selected, this option allows an unencrypted connection. To require encryption, clear the No Encryption option.
Basic
For dial-up and PPTP-based VPN connections, Microsoft Point-to-Point Encryption (MPPE) with a 40-bit key is used. For L2TP over IPSec-based VPN connections, 40-bit DES encryption is used.
Strong
For dial-up and PPTP-based VPN connections, MPPE with a 56-bit key is used. For L2TP over IPSec-based VPN connections, 56-bit DES encryption is used.
Strongest
For dial-up and PPTP-based VPN connections, MPPE with a 128-bit key is used. For L2TP over IPSec-based VPN connections, triple DES (3DES) encryption is used.
Internet Authentication Server
Let's say you have a W2K Server named ServerA with RRAS installed. The remote access policy for ServerA changes frequently. All employees use ServerA to connect to the corporate server.
Because an increasing number of employees work remotely from home, three more RRAS servers are added to your network.
Now you want to configure all of these RRAS servers to use the same remote access policies. What should you do?
Solution
1. Install Internet Authentication Service on ServerA.
2. Configure the other three RRAS servers to use RADIUS authentication, specifying ServerA as the authentication server.
IPSec Overview
IPSec is designed to encrypt data as it travels between two computers, protecting the data from modification and interpretation. IPSec is a key line of defense against internal, private network, and external attacks. Although most network security strategies have focused on preventing attacks from outside an organization's network, a great deal of sensitive information can be lost to internal attacks that interpret data on the network. Most data is not protected when it travels across the network, so employees, support staff members, or visitors may be able to plug into your network and copy data for later analysis. They can also mount network-level attacks against other computers. Firewalls offer no protection against such internal threats, so using IPSec offers significantly greater security for corporate data.
IPSec is a Security service that gives administrators the ability to monitor traffic, examine addresses, and apply various security methods to the IP data packet regardless of which program generates the data.
Using IP filtering, IPSec examines all IP packets for addresses, ports, and transport protocols. Rules contained in local or group policies tell IPSec to ignore or secure specific packets, depending on addressing and protocol information.
IPSec and Internet Key Exchange (IKE) are included in Windows 2000 only. Windows 2000 adheres to the IPSec RFC suite (2401 and later).
Network Address Translation (NAT)
With network address translation in Windows 2000, you can configure your home network or small office network to share a single connection to the Internet. Network address translation consists of the following components:
· Translation component
The Windows 2000 router on which NAT is enabled, hereafter called the network address translation computer, acts as a network address translator (NAT), translating the IP addresses and TCP/UDP port numbers of packets that are forwarded between the private network and the Internet.
· Addressing component
The network address translation computer provides IP address configuration information to the other computers on the home network. The addressing component is a simplified DHCP server that allocates an IP address, a subnet mask, a default gateway, and the IP address of a DNS server.
· Name-resolution component
The network address translation computer becomes the DNS server for the other computers on the home network. When name resolution requests are received by the network address translation computer, it forwards the name-resolution requests to the Internet-based DNS server for which it is configured and returns the responses to the home network computer.
NAT uses three pools of private addresses (which cannot be routed on the Internet):
· 10.0.0.1 to 10.255.255.255
· 172.16.0.0 to 172.31.255.255
· 192.168.0.0 to 192.168.255.255
NAT is used in larger networks, but ICS (Internet Connection Sharing) is used in smaller networks. However, ICS supports features not included in NAT, such as H.323 proxy, Lightweight Directory Access Protocol (LDAP) proxy, and DirectPlay proxy.
Benefits of using NAT:
1. Security - thwarts attempts by uninvited users to connect to your private hosts.
2. IP address conservation - if your NAT configuration provides only one registered IP address, all internal hosts use the same registered address but a random port number.
NAT has two types of interfaces: public (the connection to the Internet) and private (the local network).
Note that filtering should be done on the public interface rather than on the private (intranet) interface.
Subnetting
IP addresses are organized by classes: Class A, Class B and Class C.
Class   From   To    Net IDs    Host IDs
A       1      126   126        16777214
B       128    191   16384      65534
C       192    223   2097152    254
Class subnet masks
Address class   Bits for subnet mask                    Subnet mask
Class A         11111111 00000000 00000000 00000000     255.0.0.0
Class B         11111111 11111111 00000000 00000000     255.255.0.0
Class C         11111111 11111111 11111111 00000000     255.255.255.0
A subnet mask is a method used in TCP/IP to divide the network portion of an IP address from the host portion. A shorthand way to describe a subnet mask is to append a slash ("/") after the IP address followed by a number that indicates how many bits of the IP address belong to the network portion. For example, the address 192.168.33.0/24 represents an IP address of 192.168.33.0 that has a subnet mask of 255.255.255.0. The "/24" is read as "slash 24" and this method of naming is called "classless addressing".
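The class table, the default-mask table and the slash notation above can all be derived mechanically. The following Python calculator is an added example (not part of the original study notes); it uses only the standard library, and the class letters, bit splits and counts are the ones given in the tables.

```python
"""Classful address and CIDR subnet calculator.

Added example, not part of the original study notes: it derives the
two tables above (class ranges and network/host counts, default masks)
and breaks a slash-notation address such as 192.168.33.0/24 into its
parts.  Only the standard library is used.
"""
import ipaddress

# Usable network bits and host bits per class in the classful scheme:
# A = 8-bit network portion (leading 0 fixed, 7 usable bits), 24 host bits
# B = 16-bit network portion (leading 10 fixed, 14 usable bits), 16 host bits
# C = 24-bit network portion (leading 110 fixed, 21 usable bits), 8 host bits
CLASS_BITS = {"A": (7, 24), "B": (14, 16), "C": (21, 8)}
DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}


def address_class(addr: str) -> str:
    """Classify a dotted-quad address by its first octet (1-126 A,
    128-191 B, 192-223 C).  0, 127 and 224+ are reported as special."""
    first = int(addr.split(".")[0])
    if 1 <= first <= 126:
        return "A"
    if first == 127:
        return "loopback"
    if 128 <= first <= 191:
        return "B"
    if 192 <= first <= 223:
        return "C"
    return "reserved"


def classful_capacity(cls: str) -> tuple:
    """Reproduce the 'Net IDs' and 'Host IDs' columns of the class table.

    Host IDs exclude the all-zeros (network) and all-ones (broadcast)
    addresses; Class A also excludes network 0 and the 127 loopback block."""
    net_bits, host_bits = CLASS_BITS[cls]
    networks = 2 ** net_bits
    if cls == "A":
        networks -= 2
    return networks, 2 ** host_bits - 2


def binary_mask(prefix: int) -> str:
    """Render a /prefix mask as four 8-bit groups, as in the mask table."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return " ".join(f"{(mask >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def describe(cidr: str) -> dict:
    """Break a CIDR string into class, mask, network, broadcast and usable
    host count.  A bare address (no slash) gets its classful default mask."""
    if "/" not in cidr:
        cls = address_class(cidr)
        if cls not in DEFAULT_PREFIX:
            raise ValueError(f"{cidr} has no classful default mask ({cls})")
        cidr = f"{cidr}/{DEFAULT_PREFIX[cls]}"
    net = ipaddress.IPv4Network(cidr, strict=False)
    # /31 and /32 have no separate network/broadcast addresses to subtract.
    usable = net.num_addresses - 2 if net.prefixlen <= 30 else net.num_addresses
    return {
        "class": address_class(str(net.network_address)),
        "prefix": net.prefixlen,
        "mask": str(net.netmask),
        "binary_mask": binary_mask(net.prefixlen),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
    }


def subnets_of(cidr: str, new_prefix: int) -> list:
    """Split a network into equal subnets with a longer mask, e.g. a /24
    into four /26 blocks of 62 usable hosts each."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for letter in "ABC":
        print(letter, classful_capacity(letter))
    print(describe("192.168.33.0/24"))
    print(subnets_of("192.168.33.0/24", 26))
```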
Further Reading
www.learntosubnet.com
Troubleshoot Internet Information Server (IIS)
Windows 2000 comes with IIS 5. The previous OS came with IIS 4.
1. New security features in IIS 5
· Digest Authentication - adds security and reliability to user authentication across proxy servers and firewalls. IIS 5.0 still offers the previous means of authentication: Anonymous, HTTP Basic, Windows NT Challenge/Response, and NTLM authentication (now known as Integrated Windows authentication).
· Server-Gated Cryptography Allows financial institutions with export versions of IIS to use strong 128-bit encryption. Server-Gated Cryptography (SGC) is an extension of Secure Sockets Layer (SSL). Although SGC is built into IIS 5.0, a special SGC certificate is required.
· New Security Wizards - simplify server administration tasks.
o Web Server Certificate Wizard Simplifies certificate administration tasks in IIS 5.0. These tasks include, for example, creating certificate requests and managing the certificate life cycle.
o Permissions Wizard Simplifies editing and configuring Web site access, such as assigning access policies to virtual directories and files. The Permissions Wizard can also reflect these Web access policies to NTFS file system permissions.
o CTL Wizard Configures certificate trust lists (CTLs). A CTL is a list of trusted certification authorities for a particular directory. CTLs are especially useful for ISPs who have several Web sites on their server and who need a different list of approved certification authorities for each site.
· Kerberos v5 Authentication Passes authentication credentials among networked computers that are running Microsoft Windows. IIS 5.0 is fully integrated with the Kerberos v5 authentication model implemented in Windows 2000 Server.
· Certificate Storage Stores, backs up, and configures server certificates through a single point of entry. IIS certificate storage is now integrated with Microsoft CryptoAPI (CAPI) storage, which is provided with Windows 2000.
· Fortezza - supports Fortezza, the U.S. government security standard. This standard satisfies the Defense Messaging System security architecture by supplying a cryptographic mechanism that features message confidentiality, integrity, authentication, and access control to messages, components, and systems.
2. Fastest web server. IIS 5 in W2K Server, integrated with Active Directory services, makes it possible to deploy scalable and reliable Web-based applications.
3. Advancements in IIS 5 Web publishing.
4. By adding other products, such as Microsoft Site Server, you can easily manage large clusters, customize logging, and create detailed reports.
Configure Virtual Directories
A virtual directory is a directory that is not contained within the Web site's home directory but appears to client browsers as though it is within the home directory. A remote virtual directory has an alias that is mapped to a Universal Naming Convention (UNC) share location.
Physical location                        Alias       URL
C:\WWWroot (home directory)              (none)      http://Sales
\\RemoteServer\SalesData\ProdCustomers   Customers   http://Sales/Customers
Each web site can host one or more domain names. Because each site mimics the appearance of an individual computer, sites are sometimes also referred to as virtual servers.
Troubleshooting Intranet browsing from client computer
Users Cannot Access the Web Server Even Though the Server Is Running, and the Network and Internet Connections are Enabled
I) Verify That WINS Server Is Installed
1. Click Start.
2. Point to Settings.
3. Click Control Panel.
4. Click Add/Remove Programs.
5. Click Add/Remove Windows Components.
6. Click Networking Services.
7. Click Details.
8. Verify that the WINS Server check box is selected, and properly configured on the network. Also verify that it is functioning.
II) Verify That DNS Server Is Installed
1. Click Start.
2. Point to Settings.
3. Click Control Panel.
4. Click Add/Remove Programs.
5. Click Add/Remove Windows Components.
6. Click Networking Services.
7. Click Details.
8. Verify that DNS is installed, and that the DNS servers (or server) are connected and working on the network.
Make sure an A record is created.
III) Verify that the IP address and domain name are not set to deny access.
Troubleshooting Internet browsing from client computers
i) Verify that a DNS server is installed.
ii) Verify that the IP address and domain name are not set to deny access.
Configure authentication
Users Can Access Web Server but Not the Contents on Web Server
Verify the Authentication and Encryption Levels on the Web Server
1. Right click the My Computer icon on the desktop, and then click Manage.
2. In the Computer Management dialog box, expand Services and Applications.
3. Double-click Internet Information Services.
4. Right-click the Web site, and then click Properties.
5. On the Directory Security tab, under anonymous access and authentication control, click Edit.
6. Verify that the correct authentication and encryption settings are set at the server.
Configuring Web Server's Access Permissions
You can configure Web Server's access permissions for specific sites, directories and files:
Read - allows users to view the web site.
Write - users can change file contents and properties.
Scripts Only - scripts (such as ASP, JavaScript, and VBScript) will run on this web site; executables cannot be invoked.
Scripts and Executables - users will be able to invoke any script or executable they can reach.
Directory Browsing - users can view file lists and collections.
Configure SSL for web sites
For secure communication over the Internet, you need to enable SSL on your web sites.
Certificates contain information used in establishing identities over a network, a process called authentication. Similar to conventional forms of identification, certificates enable Web servers and users to authenticate each other before establishing a connection. Certificates also contain encryption values, or keys, that are used in establishing a Secure Sockets Layer (SSL) connection between the client and server. Information, such as a credit card number, sent over this connection is encrypted so that it cannot be intercepted and used by unauthorized parties.
There are two types of certificates used in SSL:
Client certificates contain personal information about the clients requesting access to your site that allows you to positively identify them before allowing them access to the site.
Server certificates contain information about the server that allows the client to positively identify the server before sharing sensitive information.
SSL is an encryption methodology that relies on a server certificate to establish server identity.
Configuring FTP Services
Users Cannot Use File Transfer Protocol (FTP) with Web Server
i) Verify That the FTP Server Service Is Installed
1. Click Start.
2. Point to Settings.
3. Click Control Panel.
4. Click Add/Remove Programs.
5. Click Add/Remove Windows Components.
6. Click Internet Information Services (IIS).
7. Click Details.
8. Verify that the FTP Server check box is selected. If it is not selected, then click to select it.
ii)Verify the Permissions for FTP
You need to set write permissions on folders, so that one can upload documents to the server.
iii)Verify That the Default FTP Publishing Service Is Started
1. Right click the My Computer icon on the desktop, and then click Manage.
2. In the Computer Management dialog box, expand Services and Applications.
3. Double-click Internet Information Services.
4. Right-click the default FTP site.
5. Verify that the Default FTP Publishing Service is started.
Host Header Name
Microsoft Internet Information Services (IIS) permits you to map multiple Web sites with the same port number to a single IP address by using a feature called Host Header Names. By assigning a unique host header name to each Web site, this feature permits you to map more than one Web site to an IP address.
Controlling Web Site Access Through Authentication Methods.
If you require a user to log on to your site, you can set three types of authenticated access:
i) Basic authentication - the least secure, but the most accessible across a variety of browsers. Sends passwords in clear text. Basic authentication needs to be used for all browsers that do not support Integrated Windows authentication.
ii) Digest authentication - works only for domains with a W2K domain controller. Needs IE 5 and above. More secure: it uses a hashing algorithm to encrypt data sent between the browser and the server. This type of authentication works only on browsers that support HTTP 1.1. Only IE 4.x and IE 5.x support this authentication method.
iii) Integrated Windows Authentication (IWA) - supported only by IE 2.0 or later. IWA does not initially prompt for a user name and password. Instead, it checks the Windows logon currently in force on the client's machine. Best suited to an intranet environment. Disadvantage: does not work through a proxy server.
Managing Data Storage
Disk quotas track and control disk space usage for volumes. System administrators can configure Windows to:
· Prevent further disk space use and log an event when a user exceeds a specified disk space limit.
· Log an event when a user exceeds a specified disk space warning level.
When you enable disk quotas, you can set two values:
i) The disk quota limit - specifies the amount of disk space a user is allowed to use.
ii) The disk quota warning level - specifies the point at which a user is nearing his or her quota limit.
Notes:
i)Quotas are set for individuals and not for groups.
ii) Quotas are set at the volume (or partition) level.
iii) Quotas can only be applied on NTFS volumes, not on FAT volumes.
iv)File compression does not affect quota statistics.
Implement and Configure Encrypting File System (EFS)
· Only files and folders on NTFS volumes can be encrypted.
· Only the user who encrypted a file can open it.
· Users cannot share encrypted files.
· Encrypted files become decrypted if the user copies or moves them to a FAT volume.
· Users must use copying and pasting to retain encryption when moving files into an encrypted folder. If using a drag-and-drop operation to move the files, files are not automatically encrypted in the new folder.
· System files and compressed files cannot be encrypted.
· Encrypting a folder or file does not protect against deletion. Anyone with delete permission can delete encrypted folders or files.
· Temporary files, which are created by some programs when documents are edited, are also encrypted as long as all the files are on an NTFS volume and in an encrypted folder.
· Users can encrypt or decrypt files and folders located on a remote computer that has been enabled for remote encryption.
· Data transferred over the network is not encrypted during the transfer. Other protocols, such as SSL/PCT or IPSec, must be used to encrypt data over the wire.
· A recovery policy is automatically implemented when users encrypt a file or folder for the first time. This ensures that users who lose their file encryption certificates and associated private keys are able to use a recovery agent to decrypt their files. In summary, the file can only be decrypted by the user who encrypted the file and by a designated recovery agent.
· You can encrypt a file or compress it, but not both at the same time.
You can also use a command-line tool called CIPHER.EXE to encrypt and decrypt files and folders. To find out more about this command, type Cipher /? at a command prompt.
Manage a domain-based distributed file system (DFS)
A Distributed File System (Dfs) topology consists of a Dfs root, one or more Dfs links, and one or more Dfs shared folders, or replicas, to which each Dfs link points. Physically, the share points can be in different locations, for example one share point on a server and other share points on W2K Professional computers. Logically, however, they appear to come from one share point.
The domain server on which a Dfs root resides is known as a host server. You can replicate a Dfs root by creating root shares on other servers in the domain. This provides file availability when the host server becomes unavailable.
To users, a Dfs topology provides unified and transparent access to the network resources they need.
You can create a Dfs root on Windows 2000 FAT or NTFS partitions. However, the FAT file system does not offer the security advantages of NTFS. When creating a Dfs root, you have the option of establishing either a stand-alone Dfs root or a domain-based root.
A stand-alone Dfs root:
· Does not use Active Directory.
· Cannot have root-level Dfs shared folders.
· Has a limited hierarchy. A stand-alone Dfs root can have only a single level of Dfs links.
A domain-based Dfs root:
· Must be hosted on a domain member server.
· Has its Dfs automatically published to Active Directory.
· Can have root-level Dfs shared folders.
· Does not have a limited hierarchy. A domain-based Dfs root can have multiple levels of Dfs links.
Configure file and folder permissions
Configure Share folder permissions
The appropriate way to determine effective permissions to a resource is illustrated in the following steps:
1. Determine the effective share-level permission. The effective share-level permission is the least restrictive of all those assigned to the user and to the groups the user is a member of. The exception is a Deny permission, which overrides all other permissions.
2. Determine the effective NTFS permission. The effective NTFS permission is the cumulative total of all the NTFS permissions assigned to the user and to the groups the user is a member of. The exception is if any Deny permissions are assigned: Deny permissions override Allow permissions.
3. The effective overall permission is the more restrictive of the effective share-level permission and the effective NTFS permission.
Determining NTFS Permissions for Copied or Moved Files
If you move a file from one folder to another folder on the same volume, the file retains its original NTFS permissions.
If you move a file from one folder to another folder between different NTFS volumes, the file is treated as a copy and will have the same permissions as destination folder.
If you copy a file from one folder to another folder on the same volume or on a different volume, the file will have the same permissions as the destination folder.
If you copy or move a folder or file to a FAT partition, it will not retain any NTFS permissions.
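The three-step effective-permission procedure and the copy/move rules above can be checked against a small model. The following Python is an added example (not from the study notes): the atomic rights, the share-to-rights and NTFS-to-rights mappings, and the ACE tuples are simplifications constructed for illustration, not the real Windows ACL format.

```python
"""Effective share and NTFS permission resolver.

Added example, not part of the original study notes.  It models the
three-step procedure above (least restrictive share permission, cumulative
NTFS permissions, Deny overriding Allow, and the most restrictive of the
two as the overall result) plus the copy/move rules.  Rights are reduced
to a small set of atomic flags, and all ACEs and group memberships are
constructed inline.
"""

# Atomic rights used by this model (a simplification of the real NTFS flags).
ALL_RIGHTS = frozenset({"read", "execute", "write", "delete",
                        "change_permissions", "take_ownership"})

# Share-level permissions mapped onto the atomic rights they permit.
SHARE_RIGHTS = {
    "Read": frozenset({"read", "execute"}),
    "Change": frozenset({"read", "execute", "write", "delete"}),
    "Full Control": ALL_RIGHTS,
}

# Basic NTFS permissions expanded to atomic rights.
NTFS_RIGHTS = {
    "Read": frozenset({"read"}),
    "Read & Execute": frozenset({"read", "execute"}),
    "Write": frozenset({"write"}),
    "Modify": frozenset({"read", "execute", "write", "delete"}),
    "Full Control": ALL_RIGHTS,
}

# An ACE is a tuple (principal, "Allow" or "Deny", permission name).
# principals is the set containing the user plus every group the user is in.


def effective_share(share_aces, principals):
    """Step 1: the least restrictive share permission granted to the user or
    any of the user's groups (the union of what each entry grants); an
    explicit Deny wins outright and yields no rights at all."""
    granted = set()
    for who, kind, perm in share_aces:
        if who not in principals:
            continue
        if kind == "Deny":
            return frozenset()
        granted |= SHARE_RIGHTS[perm]
    return frozenset(granted)


def effective_ntfs(ntfs_aces, principals):
    """Step 2: cumulative NTFS Allow rights across the user and groups, minus
    anything explicitly denied to any of them."""
    allowed, denied = set(), set()
    for who, kind, perm in ntfs_aces:
        if who in principals:
            (denied if kind == "Deny" else allowed).update(NTFS_RIGHTS[perm])
    return frozenset(allowed - denied)


def effective_permissions(share_aces, ntfs_aces, principals, over_network=True):
    """Step 3: the overall result is the more restrictive of share and NTFS,
    i.e. their intersection.  Share permissions only apply when the resource
    is reached over the network; a local logon is governed by NTFS alone."""
    ntfs = effective_ntfs(ntfs_aces, principals)
    if not over_network:
        return ntfs
    return ntfs & effective_share(share_aces, principals)


def permissions_after_transfer(op, same_volume, dest_fs, source_perms, dest_folder_perms):
    """NTFS permissions a file ends up with after a copy or move.
    Only a move within the same NTFS volume keeps the original permissions;
    a move across volumes, or any copy, inherits the destination folder's;
    anything landing on a FAT partition has no NTFS permissions at all."""
    if dest_fs == "FAT":
        return frozenset()
    if op == "move" and same_volume:
        return frozenset(source_perms)
    return frozenset(dest_folder_perms)


if __name__ == "__main__":
    # Constructed scenario: alice is a member of Users and Sales.
    alice = {"alice", "Users", "Sales", "Everyone"}
    share = [("Users", "Allow", "Read"), ("Sales", "Allow", "Change")]
    ntfs = [("Users", "Allow", "Read & Execute"),
            ("Sales", "Allow", "Full Control"),
            ("alice", "Deny", "Write")]
    print("over the network:", sorted(effective_permissions(share, ntfs, alice)))
    print("logged on locally:", sorted(effective_permissions(share, ntfs, alice, False)))
```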
Enable Web sharing
Web folders can be made accessible to any or all the web sites you have configured on your server; you are not restricted to only the default site. These folders will appear as virtual folders on your web site and will be accessible when a user types in addresses similar in format the following:
http://servername/webfolderalias
Create and manage shared printers.
In Windows 2000 Server, the Add Printer wizard shares the printer and publishes it in Active Directory by default, unless you select Do not share this printer in the wizard's Printer Sharing screen. In Windows 2000 Professional, the Add Printer wizard does not share the printer automatically; you must select Share as to share and publish the printer.
If you intend to share the printer with clients other than Windows 2000, you need to install the appropriate printer drivers for these clients on the print server. When clients on Windows NT 4.0, Windows 95, and Windows 98 connect to the printer, the system automatically downloads the correct driver to the client.
Printer permissions
Print- gives users the ability to print to the printer.
Manage Printers - gives all the rights of Print and Manage Documents, plus the ability to take ownership of the printer and modify its properties.
Configure user account lockout settings
The account lockout policies specify how many invalid logon attempts should be tolerated. You configure the account lockout policies so that after x unsuccessful logon attempts within y minutes, the account is locked for a specified number of minutes or until the administrator unlocks it.
Configure user-account password length, history, age, and complexity.
Setting Password Policies
Policy | Description | Default | Minimum | Maximum
Enforce Password History | Keeps track of the user's password history | Remember 0 passwords | Same as default | Remember 24 passwords
Maximum Password Age | Determines the maximum number of days users can keep a valid password | Keep password for 42 days | Keep password for 1 day | Keep password for up to 999 days
Minimum Password Age | Specifies how long a password must be kept before it can be changed | 0 days (password can be changed immediately) | Same as default | 999 days
Minimum Password Length | Allows you to install a password filter | Disabled | Same as default | Enabled
Store Password Using Reversible Encryption for All Users in the Domain | Specifies a higher level of encryption for stored user passwords | Disabled | Same as default | Enabled
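The lockout rule ("x attempts within y minutes") and the password-policy table above are easy to misread, in particular that the failure counter is a sliding window and that a lockout duration of zero means "until an administrator unlocks". The following Python model is an added example, not part of the study notes: the threshold, window and minimum length are assumed values chosen for illustration, the history and age defaults come from the table, and the SHA-256 hashing stands in for whatever the real system stores.

```python
"""Account lockout and password policy evaluator.

Added example, not part of the original study notes.  It models the
lockout rule above ("x invalid attempts within y minutes locks the account
for a set number of minutes, or until an administrator unlocks it") and the
password-policy table (history, minimum and maximum age, minimum length).
The threshold, window and minimum length are assumed values; the password
hashing is a toy stand-in for the real on-disk format.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import hashlib


@dataclass
class LockoutPolicy:
    threshold: int = 5                           # x invalid attempts (assumed); 0 disables lockout
    window: timedelta = timedelta(minutes=30)    # y minutes: only failures this recent count
    duration: timedelta = timedelta(minutes=30)  # lockout length; zero means until an admin unlocks


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # recent bad-logon timestamps
    locked_at: Optional[datetime] = None


def is_locked(policy: LockoutPolicy, state: AccountState, now: datetime) -> bool:
    """True while the lockout is in force (indefinitely when duration is zero)."""
    if state.locked_at is None:
        return False
    if policy.duration == timedelta(0):
        return True
    return now < state.locked_at + policy.duration


def record_failure(policy: LockoutPolicy, state: AccountState, now: datetime) -> bool:
    """Register an invalid logon attempt; returns True if this one locks the account."""
    if policy.threshold == 0:
        return False
    # Only failures inside the observation window count towards the threshold,
    # so slow guessing below the rate never trips the lock.
    state.failures = [t for t in state.failures if now - t < policy.window]
    state.failures.append(now)
    if len(state.failures) >= policy.threshold:
        state.locked_at = now
        state.failures.clear()
        return True
    return False


def admin_unlock(state: AccountState) -> None:
    """Clear the lockout and the failure counter, as an administrator would."""
    state.locked_at = None
    state.failures.clear()


@dataclass
class PasswordPolicy:
    history: int = 24                        # remember up to 24 previous passwords (table maximum)
    max_age: timedelta = timedelta(days=42)  # table default
    min_age: timedelta = timedelta(days=0)   # table default: can be changed immediately
    min_length: int = 8                      # assumed; the notes give no numeric default


def password_hash(password: str) -> str:
    """Toy hash for the history list; Windows itself stores NT hashes, not this."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_expired(policy: PasswordPolicy, last_changed: datetime, now: datetime) -> bool:
    """Maximum age: the user must change the password once it is this old."""
    return now - last_changed >= policy.max_age


def check_password_change(policy: PasswordPolicy, history: List[str],
                          last_changed: datetime, new_password: str,
                          now: datetime) -> List[str]:
    """Return the policy rules a proposed change violates (empty means allowed).
    history holds hashes of previous passwords, oldest first."""
    problems = []
    if now - last_changed < policy.min_age:
        problems.append("minimum age not reached")
    if len(new_password) < policy.min_length:
        problems.append("shorter than minimum length")
    # history=0 must remember nothing; a plain history[-0:] would be the whole list.
    remembered = history[-policy.history:] if policy.history > 0 else []
    if password_hash(new_password) in remembered:
        problems.append("found in password history")
    return problems
```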
Configure Group policy to run logon script.
Link Group Policy Objects
GPOs are linked to site, domain and OU containers in AD. The order of application: sites first, then domains, and then each OU.
A GPO can be associated with more than one Active Directory container or multiple containers can be linked to a single GPO.
The Group Policy tab in the site, domain, or OU's Properties page allows you to specify which Group Policy objects are linked to this site, domain or OU. This property page stores the user's choices in two AD properties called gPLink and gPOptions. The gPLink property contains the prioritized list of Group Policy Object links, and the gPOptions property contains the Block Policy Inheritance policy setting for domains or OUs.
By default, only Domain Administrators, Enterprise Administrators, and the Group Policy Creator Owners group can create new Group Policy objects. If you want a non-administrator user or group to be able to create Group Policy Objects, the user or group has to be added to the Group Policy Creator Owners security group. The user can then edit the Group Policy Objects that he has created.
Setting Up Auditing
• Two-part process:
1. Set the audit policy. The audit policy enables auditing in general but does not activate auditing of specific objects.
2. Enable auditing of specific resources. You specify the events to audit for files, folders, printers, and Active Directory objects. Files and folders to be audited must be on NTFS volumes.
Setting up Audit Policy
The first step in implementing an audit GPO is selecting the categories of events that Windows 2000 audits.
Account logon – A domain controller received a request to validate a user account.
Account management - An administrator created, changed, or deleted a user account or group. A user account was renamed, disabled, or enabled, or a password was set or changed.
Directory service access – A user gained access to an AD object. You must configure specific Active Directory objects for auditing to log this type of event.
Logon events - A user logged on or logged off.
Object access- A user gained access to a file, folder or printer.
Policy change – A change was made to user security options, user rights, or audit policies.
Privilege use – A user exercised a right, such as changing the system time.
Process Tracking – Useful for programmers who want to track details of program execution.
System Events – A user restart or shut down the computer, or an event occurred that affects Windows 2000 security. All these events will be recorded.
Audit policy is implemented based on the role of the computer in the W2K network.
· For member or stand-alone servers, or computers running W2K Professional, an audit policy is set for the individual computer.
· For domain controllers, an audit policy is set for all domain controllers.
Monitor security by using the system security log file.
The security log contains information on the security events specified in the audit policy. To view the security log, you use the Event Viewer console. Event Viewer allows you to find specific events within log files, filter the events shown in log files, and archive security log files.
Three types of logs:
Application log: contains errors, warnings, or information that programs, such as a database program or an e-mail program, generate.
Security log: contains information about the success or failure of audited events.
System log: contains errors, warnings, and information that W2K generates. W2K presets which events to record.
Managing, Securing, and troubleshooting Servers and client computer hardware.
Verify digital signatures on existing driver files.
Sometimes when installing new software on your computer, system files are overwritten by unsigned or incompatible versions, causing system instability. The system files provided with Windows 2000 have a Microsoft digital signature, which indicates that the files are original, unaltered system files or that they have been approved by Microsoft for use with Windows 2000. Using File Signature Verification, you can identify unsigned files on your computer and view the following information about them:
· The file's name
· The file's location
· The file's modification date
· The file type
· The file's version number
To start File Signature Verification, click Start, click Run, and then type sigverif.
Verify Hardware Compatibility
Configure Driver Signing Option
W2K supports a feature called Driver Signing, which allows product vendors to submit their drivers to Microsoft for testing.
An administrator gets to set one of the following policy options for driver signing:
i. Install the Driver, Signed or Not Signed.
ii. Warn When Installing Unsigned Drivers.
iii. Only Install Signed Drivers; Prevent Installation of Unsigned Drivers.
If you want to prevent non-administrators from overriding your option, select the Apply Setting as System Default check box.
Configure operating system support for legacy hardware devices.
You should apply basicdc.inf on the W2K domain controller and compatws.inf on W2K Professional computers if you wish legacy applications to run on server and client machines.
The basicdc.inf security template ensures that default W2K security is applied to domain controllers, but it does not implement security technologies that are incompatible with Windows 98 and NT 4 Workstation clients. The compatws.inf template loosens the default security restrictions to enable older applications to run on clients.
Troubleshoot starting servers and client computers. Tools and methodologies include Safe Mode, Recovery Console, and parallel installation
Interpret startup log file
Boot.ini - includes two sections, Boot loader and Operating Systems, that contain information NTLDR uses to create the Boot loader Operating System Selection menu.
Arc Path
multi(0)disk(0)rdisk(1)partition(2)\Winnt="Windows 2000 Server"
multi(0) – refers to the IDE controller number, which starts from 0.
disk(0) – refers to the hard drive number for SCSI hard drives, which starts from 0.
rdisk(1) – refers to the hard drive number for IDE hard drives, which starts from 0.
partition(2) – refers to the partition number of the system partition, which starts from 1.
In this case, the system partition is the second partition.
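As an added illustration (not part of the original notes), this Python script parses a constructed boot.ini in the layout described above, breaks each ARC path into the four numbers explained here, flags partition(0) as invalid because partition numbers start at 1, and marks the entry that the default= line points at:

```python
import re

# A constructed boot.ini in the layout the notes describe (not copied from any real system).
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(1)partition(2)\WINNT
[operating systems]
multi(0)disk(0)rdisk(1)partition(2)\WINNT="Windows 2000 Server"
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows 2000 Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(0)\WINNT="Broken entry"
"""

# multi(x)disk(y)rdisk(z)partition(n)\path[="menu label"] [switches]
ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi)\((?P<adapter_no>\d+)\)"
    r"disk\((?P<disk>\d+)\)rdisk\((?P<rdisk>\d+)\)partition\((?P<partition>\d+)\)"
    r"(?P<path>\\[^=\s]*)"        # system root folder, e.g. \WINNT
    r'(?:="(?P<label>[^"]*)")?'   # menu label; absent on the default= line
    r"(?P<switches>.*)$"          # optional boot switches such as /fastdetect
)


def parse_arc_path(line):
    """Split one ARC path into its parts; return None if the line is not an ARC path."""
    m = ARC_RE.match(line.strip())
    if not m:
        return None
    numeric = ("adapter_no", "disk", "rdisk", "partition")
    entry = {k: (int(v) if k in numeric else v) for k, v in m.groupdict().items()}
    entry["switches"] = entry["switches"].split()
    # Partition numbers are 1-based: partition(0) can never name a system partition.
    entry["valid"] = entry["partition"] >= 1
    return entry


def ordinal(n):
    suffix = "th" if 10 <= n % 100 <= 20 else {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")
    return f"{n}{suffix}"


def describe(entry):
    """Explain an entry in the terms used above: controller, disk, rdisk and partition."""
    if not entry["valid"]:
        return "invalid entry: partition numbers start at 1"
    return ("controller {adapter_no}, disk {disk}, rdisk {rdisk}, partition {partition} "
            "(the {ordinal} partition) -> {path}").format(ordinal=ordinal(entry["partition"]), **entry)


def parse_boot_ini(text):
    """Return (default ARC path, [operating system entries]) from the two sections NTLDR reads."""
    section, default, entries = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()
        elif section == "[boot loader]" and line.lower().startswith("default="):
            default = line.split("=", 1)[1].strip()
        elif section == "[operating systems]":
            entry = parse_arc_path(line)
            if entry:
                # The default= line names the same ARC path without a label.
                entry["is_default"] = default is not None and line.startswith(default + "=")
                entries.append(entry)
    return default, entries


if __name__ == "__main__":
    for e in parse_boot_ini(SAMPLE_BOOT_INI)[1]:
        print(f"{e['label']}{' (default)' if e['is_default'] else ''}: {describe(e)}")
```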
Repair an Operating system by using various start up option
1. Safe Mode: allows you to boot the operating system with a minimum set of generic drivers, including mouse (except serial mice), monitor, keyboard, mass storage, base video, and default system services, with no network connections.
2. Safe Mode with Networking: adds networking capability to basic Safe Mode.
3. Safe Mode with Command Prompt: starts W2K in text mode instead of GUI mode.
4. Last Known Good Configuration: allows you to recover from configuration changes that affect Registry settings for devices (such as installing an incorrect video driver or configuring it incorrectly), provided that you have not logged on locally to the W2K computer since the change.
5. Emergency Repair Disk: enables you to recover from Registry settings that render your system inoperable.
6. Windows 2000 Backup: for recovering other Registry settings as well as user data, but it also takes the most time.
7. Directory Service Restore: works only on a W2K domain controller and NOT on a standalone server. It restores all of the System State data that was backed up, including the Registry, the COM+ Class Registration database, system boot files, the SYSVOL directory, the Active Directory, and the Certificate Services database (if the server is a certificate server).
Recovering an operating system by using the Recovery Console.
If your system is corrupt and will not boot, you can use this option. The difference between this and Safe Mode is that Safe Mode requires the server to still be bootable.
The Recovery Console allows you to copy files to or from your server. You can also stop and start services, for example by typing DISABLE servicename.
The Recovery Console can be installed by running winnt32.exe /cmdcons from the I386 folder of the W2K operating system CD.
Parallel Installation
Technet: Q266465
Restore an operating system and data from backup(Non-authoritative restore)
If the last backup was performed a week ago, and the System State is restored non-authoritatively, any changes made subsequent to the backup operation will be replicated from other domain controllers.
That's exactly the meaning of a non-authoritative restore: in that mode, any component of the System State that is replicated with other domain controllers, such as the Active Directory, is brought up to date by replication after you restore the data.
IRQL_NOT_LESS_OR_EQUAL Message
If you encounter this type of message, you can use the Last Known Good Configuration.
Monitor and troubleshoot server health and performance. Tools include System Monitor and Task Manager
The Performance tool is used to get comprehensive performance information about the server or other computers on your network. The System Monitor component of the Performance tool allows you to collect performance data about the server and compare it with other computers on your network. You can view data generated currently, or previously from a log file. System Monitor is the right tool for collecting and viewing real-time performance information on a server, such as memory, disk, processor, network, and other data.
Counter - Description
Processor\% Processor Time - Gauges the activity of the processor. If the processor is constantly running at 90%, you need to buy a faster processor.
Memory\Available Bytes - Shows the amount of available physical memory. If this number is more than 4 MB, consider adding more memory.
Memory\Commit Limit - Shows the amount of virtual memory, in bytes, that can be committed without having to extend the paging file.
Memory\Pages/sec - Number of hard page faults occurring per second. If this number is more than 20, there is a memory bottleneck.
PhysicalDisk\Avg. Disk Queue Length - Average number of read and write requests waiting in the queue. This number should be no more than two; if it is larger, there is a disk bottleneck.
Please note: you cannot use System Monitor to receive administrative alerts; instead, use the Performance Logs and Alerts snap-in in the Performance console. It can detect when a predefined counter value rises above or falls below a configured threshold and notify you using the Messenger service.
Task Manager
· Task Manager provides information about programs and processes running on your computer. It has three tabs: the Applications tab, the Performance tab, and the Processes tab.
The Applications tab shows the status of applications running on the computer. Use this tab to start programs, end programs, or switch to other programs.
The Processes tab displays a list of running processes and measurements of their performance, such as total processor time or the amount of memory in use. On the Processes tab, right-click the process you want to end, and then click End Process Tree.
For example, if you end the process tree for an e-mail program such as Outlook 98, you also end related processes such as mapisp32.exe, the MAPI spooler.
The Performance tab displays an overview of your computer’s current performance, such as processor and memory usage.
Identify and disable unnecessary operating system services.
To provide maximum security, you have to disable unnecessary services running on the computer.
Method: open Services, right-click each service you want to disable, click Properties, and select Disabled under Startup type.
Install and Manage Windows 2000 updates. Updates include service packs and hot fixes
The primary tool Microsoft uses to distribute updates to its operating systems is the service pack.
You can apply a service pack using the Update.exe program and the appropriate command-line switches.
The latest service pack, Service Pack 3, can be downloaded from Microsoft's site.
Service packs can also be applied directly at installation using a process known as slipstreaming. This involves copying the original installation files from the I386 directory to a network share and then copying the service pack files over the installation files.
Hotfixes address a specific issue, such as a newly discovered security threat or a performance problem. They do not go through the rigorous testing that service packs receive. Periodically Microsoft consolidates its hotfixes into a service pack.
Hfnetchk Tool
The Hfnetchk tool is used to assess the patch status of computers running Windows NT 4.0, Windows 2000, and Windows XP, as well as hotfixes for Internet Information Server 4.0 (IIS), Internet Information Services 5.0 (IIS), SQL Server 7.0, SQL Server 2000 (including Microsoft Data Engine [MSDE]), and Internet Explorer 5.01 or later.
Troubleshoot Groups. Considerations include nesting.
With nesting, you can add a group as a member of another group. You can nest groups to consolidate group management, by increasing the number of member accounts affected by a single change, and to reduce the replication traffic caused by replication of group membership changes.
Your nesting options depend on whether the domain is in native mode or mixed-mode. Groups in native-mode domains or distribution groups in mixed-mode domains have their membership determined as follows:
· Groups with universal scope can have as their members: accounts, computer accounts, other groups with universal scope, and groups with global scope from any domain.
· Groups with global scope can have as their members: accounts from the same domain and other groups with global scope from the same domain.
· Groups with domain local scope can have as their members: accounts, groups with universal scope, and groups with global scope, all from any domain. They can also have as members other groups with domain local scope from within the same domain.
Security groups in a mixed-mode domain are restricted to the following types of membership:
· Groups with global scope can have as their members only accounts.
· Groups with domain local scope can have as their members other groups with global scope and accounts.
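The membership rules above, encoded as a checker in Python. This is an added example, not code from the original notes; the principals and domain names are constructed, and the same-domain requirement applied to mixed-mode global security groups is an assumption carried over from the global scope rule:

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str
    kind: str                          # "user", "computer" or "group"
    scope: Optional[str] = None        # groups: "universal", "global" or "domain_local"
    group_type: Optional[str] = None   # groups: "security" or "distribution"

    @property
    def is_account(self) -> bool:
        return self.kind in ("user", "computer")


def _native_rules(container: Principal, member: Principal) -> bool:
    """Rules for native-mode domains and for distribution groups in mixed-mode domains."""
    same_domain = container.domain == member.domain
    if container.scope == "universal":
        return member.is_account or member.scope in ("universal", "global")
    if container.scope == "global":
        return same_domain and (member.is_account or member.scope == "global")
    if container.scope == "domain_local":
        return (member.is_account or member.scope in ("universal", "global")
                or (member.scope == "domain_local" and same_domain))
    return False


def _mixed_security_rules(container: Principal, member: Principal) -> bool:
    """Restricted rules for security groups while the domain is still in mixed mode."""
    if container.scope == "global":
        # Accounts only; same-domain requirement of global scope assumed to still apply.
        return member.is_account and container.domain == member.domain
    if container.scope == "domain_local":
        return member.is_account or member.scope == "global"
    return False   # universal security groups do not exist in a mixed-mode domain


def can_be_member(container: Principal, member: Principal, native_mode: bool) -> Tuple[bool, str]:
    """Decide whether `member` may be added to `container` and report which rule set decided."""
    if container.kind != "group":
        return False, f"{container.name} is not a group"
    if container == member:
        return False, "a group cannot contain itself"
    if native_mode or container.group_type == "distribution":
        ok, ruleset = _native_rules(container, member), "native-mode/distribution rules"
    else:
        ok, ruleset = _mixed_security_rules(container, member), "mixed-mode security-group rules"
    return ok, f"{'allowed' if ok else 'not allowed'} under {ruleset}"


# Constructed principals in two domains of one forest (not from any real directory).
ALICE = Principal("alice", "corp.example", "user")
BOB = Principal("bob", "sales.corp.example", "user")
CORP_GLOBAL = Principal("Corp Staff", "corp.example", "group", "global", "security")
SALES_GLOBAL = Principal("Sales Staff", "sales.corp.example", "group", "global", "security")
CORP_LOCAL = Principal("File Server Users", "corp.example", "group", "domain_local", "security")
SALES_LOCAL = Principal("Sales Printers", "sales.corp.example", "group", "domain_local", "security")
CORP_DIST = Principal("All Announcements", "corp.example", "group", "global", "distribution")

if __name__ == "__main__":
    for mode in (True, False):
        print("native mode" if mode else "mixed mode")
        for container, member in ((CORP_GLOBAL, BOB), (CORP_LOCAL, SALES_GLOBAL), (CORP_GLOBAL, CORP_DIST)):
            print(f"  {member.name} -> {container.name}: {can_be_member(container, member, mode)[1]}")
```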
There are two main types of groups you can create in W2K directory services.
· Distribution groups – generally collections of users, such as e-mail distribution lists; they cannot be used in discretionary access control lists to set security on an object.
· Security groups – can be used to group users together or to assign permissions to objects in the AD. These groups can also be used for e-mail.
Configuring, Managing, Securing, and Troubleshooting AD Organizational Units and Group Policy.
Password policy and account lockout policy can only be applied at the domain level. These two policies cannot be applied at the OU or domain controller level. If you really need a different password policy or lockout policy, you have to create another domain and place those users in that domain.
Please note that domain policy doesn't cross domains. If you did not link a GPO at the parent domain level to a child domain, the policy will not be applied to the child domain.
Delegation of Control Wizard
An organizational unit is the smallest scope to which you can apply a Group Policy or delegate authority.
Organizational units are logical containers into which you can place users, groups, computers, and other organizational units. It can contain objects only from its parent domain.
Recall that the main reason for creating an OU is to enable you to delegate authority for the OU to another user or group. This can be done by using the Delegation of Control Wizard available in Active Directory Users and Computers.
There are three ways to define the delegation of administrative responsibilities:
· Delegate permissions to change properties on a particular container.
· Delegate permissions to create and delete objects of a specific type under an organizational unit, such as users, groups, or printers.
· Delegate permissions to update specific properties on objects of a specific type under an organizational unit. For example, you can delegate the right to set a password on a User object.
Illustration by Example:
If you wish to decentralize network administration and management by assigning particular members of your IT team to specific segments of the AD hierarchy, say a departmental OU, you should assign Full Control permission for each departmental OU to the responsible IT personnel. It can be achieved in the following way:
1. Use the Delegation of Control Wizard.
2. Right-click the appropriate OU and choose Delegate Control.
3. Select the Create a custom task to delegate option.
4. In the permissions dialog box, select the Full Control check box.
Configure and Troubleshoot object permissions by using object access control lists (ACLs).
Let's say you want to implement a group policy that removes the Run... option on all computers in your W2K native-mode domain. Management has specified that the policy should apply to all network users throughout the enterprise except for members of the Domain Admins security group. The GPO is named Start Menu.
What changes should you make to the GPO's default permissions in order to comply with the policy requirement?
To meet the policy requirement, you should deny the Apply Group Policy permission on the Start Menu GPO to the Domain Admins group.
Because members of the Administrators built-in domain local group, the Domain Admins global group, and the Enterprise Admins universal group are all members of the Authenticated Users special group, every domain user implicitly has the Apply Group Policy permission for the Start Menu GPO by default.
To apply a GPO to all domain users except members of the Domain Admins group, set the Apply Group Policy permission to Deny for the Domain Admins group on the Security tab of the GPO Properties dialog box.
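An added Python model (not from the original notes) of why the Deny ACE is the right fix: it evaluates a simplified, constructed GPO ACL for two constructed users, shows that a Domain Admin receives the policy through Authenticated Users by default, and contrasts the Deny ACE with the tempting but wrong fix of removing the Authenticated Users entry. The admin groups' Read/Write entries are a simplification of the real default ACL:

```python
# Constructed, simplified model of a GPO's access control list (not read from a real domain).
READ = "Read"
APPLY = "Apply Group Policy"

# Default ACL on a new GPO as described above: Authenticated Users get Read and
# Apply Group Policy; the admin groups get management rights but no explicit Apply.
DEFAULT_ACL = [
    {"type": "allow", "trustee": "Authenticated Users", "perms": {READ, APPLY}},
    {"type": "allow", "trustee": "Domain Admins", "perms": {READ, "Write"}},
    {"type": "allow", "trustee": "Enterprise Admins", "perms": {READ, "Write"}},
]

# Constructed users: bob is a Domain Admin, alice is an ordinary user.
USER_GROUPS = {"alice": ["Domain Users"], "bob": ["Domain Users", "Domain Admins"]}


def group_memberships(user, user_groups):
    """Every user who has logged on is also an Authenticated User, admins included."""
    return set(user_groups[user]) | {"Authenticated Users"}


def permission_granted(acl, groups, perm):
    """An explicit Deny ACE for any of the principal's groups wins over every Allow ACE."""
    matching = [ace for ace in acl if ace["trustee"] in groups and perm in ace["perms"]]
    if any(ace["type"] == "deny" for ace in matching):
        return False
    return any(ace["type"] == "allow" for ace in matching)


def gpo_applies(acl, groups):
    """Group Policy is processed only for principals holding both Read and Apply Group Policy."""
    return permission_granted(acl, groups, READ) and permission_granted(acl, groups, APPLY)


def who_gets_policy(acl, user_groups):
    """Names of the users the GPO would be applied to, sorted."""
    return sorted(u for u in user_groups if gpo_applies(acl, group_memberships(u, user_groups)))


def deny_apply(acl, trustee):
    """The fix from the notes: add a Deny ACE for Apply Group Policy for one group."""
    return acl + [{"type": "deny", "trustee": trustee, "perms": {APPLY}}]


def without_trustee(acl, trustee):
    """A tempting but wrong fix: dropping the Authenticated Users ACE stops everyone's policy."""
    return [ace for ace in acl if ace["trustee"] != trustee]


FIXED_ACL = deny_apply(DEFAULT_ACL, "Domain Admins")

if __name__ == "__main__":
    print("default ACL applies to:", who_gets_policy(DEFAULT_ACL, USER_GROUPS))
    print("with Deny for Domain Admins:", who_gets_policy(FIXED_ACL, USER_GROUPS))
    stripped = without_trustee(DEFAULT_ACL, "Authenticated Users")
    print("Authenticated Users ACE removed:", who_gets_policy(stripped, USER_GROUPS))
```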
LostandFound Container
- stores objects that were created in a container that no longer exists after replication.
Movetree.exe is a command-line utility that enables administrators to move Active Directory objects such as OUs, users, and so on between domains in a single forest.
During a MoveTree operation, the objects being moved are first copied to the LostAndFound container in the source domain and then moved to the destination domain. Objects that cannot be moved remain in an orphan container within the LostAndFound container of the source domain.
Troubleshoot end-user Group Policy
If you enable No Override on a parent policy link, you force all child containers to inherit the parent’s policy, even if that policy conflicts with the child’s policy and even if Block Policy Inheritance has been set on the child.
If you have not enabled No Override on a parent policy, you can set the Block Policy Inheritance option on the child container to stop the parent policy from being inherited by the child.
In normal circumstances, if a policy setting configured for a parent OU is incompatible with the same policy setting configured at a child OU, the child does not inherit the setting from the parent; the setting configured in the child is applied.
Note:
Policies whose links are set to No Override cannot be blocked.
It is recommended that No Override and Block Policy Inheritance be used sparingly. Casual use of these advanced features makes troubleshooting more complicated.
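An added Python model (not from the original notes) of the precedence rules above. It computes the order in which linked GPOs are applied down a chain domain > OU > child OU, honouring Block Policy Inheritance on a container and No Override on a link, and then resolves one setting; the container names, GPO names and setting names are constructed:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class GPOLink:
    name: str
    settings: Dict[str, object]     # setting name -> value configured in this GPO
    no_override: bool = False       # "No Override" set on the link


@dataclass
class Container:
    name: str                       # domain or OU
    links: List[GPOLink] = field(default_factory=list)   # highest priority first
    block_inheritance: bool = False  # "Block Policy Inheritance" set on this container


def applied_gpos(chain: List[Container]) -> List[GPOLink]:
    """Order in which GPOs are applied for an object in chain[-1]; a later GPO wins a conflict."""
    # A block on a container hides the non-enforced links of every container above it.
    lowest_block = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    normal, enforced_by_level = [], []
    for level, container in enumerate(chain):
        level_enforced = []
        # Links are listed highest priority first, so apply them in reverse order.
        for link in reversed(container.links):
            if link.no_override:
                level_enforced.append(link)       # never blocked
            elif level >= lowest_block:
                normal.append(link)               # inherited normally
        enforced_by_level.append(level_enforced)
    # No Override links are applied after all others; the highest container's
    # enforced links are applied last so they win over enforced links below them.
    result = list(normal)
    for level_enforced in reversed(enforced_by_level):
        result.extend(level_enforced)
    return result


def effective_setting(chain: List[Container], setting: str) -> Optional[object]:
    """Value of `setting` after all applicable GPOs are processed, or None if unset."""
    value = None
    for link in applied_gpos(chain):
        if setting in link.settings:
            value = link.settings[setting]
    return value


# Constructed hierarchy: the domain enforces "Start Menu"; the Developers OU blocks
# inheritance and links a GPO that tries to re-enable Run.
REMOVE_RUN = GPOLink("Start Menu", {"remove_run": True}, no_override=True)
SCREENSAVER = GPOLink("Screensaver", {"screensaver_timeout": 600})
DEV_TOOLS = GPOLink("Dev Tools", {"remove_run": False, "screensaver_timeout": 300})
DOMAIN = Container("corp.example", [REMOVE_RUN])
IT_OU = Container("IT", [SCREENSAVER])
DEV_OU = Container("Developers", [DEV_TOOLS], block_inheritance=True)
CHAIN = [DOMAIN, IT_OU, DEV_OU]

if __name__ == "__main__":
    print([g.name for g in applied_gpos(CHAIN)])
    print("remove_run:", effective_setting(CHAIN, "remove_run"))
    print("screensaver_timeout:", effective_setting(CHAIN, "screensaver_timeout"))
```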
Deploy software by using Group Policy and Windows Installer
Three tools are provided with Windows 2000 server for software installation and maintenance.
Tools-Role
The Software Installation extension of the Group Policy snap-in-Used by administrators to manage software
Windows Installer-Installs software packaged in Windows Installer files
Add/Remove Programs in Control Panel-Used by users to manage software on their own computers.
Software Installation Extension
Software Installation works in conjunction with Group Policy and Active Directory, establishing a Group Policy-based software management system that allows you to centrally manage:
o Initial deployment of software.
o Mandatory and non-mandatory upgrades, patches, and quick fixes for software. You can update a version of the software or replace it. You can even upgrade the operating system using service pack.
o Removal of software.
Configure Group Policy to assign and publish applications.
Using Software Installation, you can centrally manage the installation of software on client computers by assigning applications to users or computers, or by publishing applications for users.
When you assign an application to a user, the application is advertised to the user the next time he or she logs on to a workstation. The application is installed the first time the user activates it on the computer, either by selecting it on the Start menu or by opening a document associated with the application.
When you assign an application to a computer, the software is installed the next time the computer starts up and is then available to all users.
When you publish an application to users, the application does not appear installed on the users’ computers. It is available for users to install through Add/Remove Programs in Control Panel or by opening a file associated with the application (such as an .xls file for Microsoft Excel).
Please note for the exam that you cannot publish applications to computers; you can only publish applications to users. The same rule applies to Windows 2000.
You can find the setting under Computer Configuration/Administrative Templates or User Configuration/Administrative Templates.
.zap files are used if you do not have MSI files. They install applications using their native setup programs.
Modifications (.mst files) are applied to Windows Installer packages (.msi files) in an order specified by the administrator. For example, Windows Installer can use a transform file to change the language of an application's user interface.
Using the Secedit Command.
If you wish to impose Group Policy changes immediately on a target workstation, you can use the secedit command-line tool by typing the following command on the domain controller on which you created the GPO:
secedit /refreshpolicy machine_policy /enforce
Don’t use the secedit /refreshpolicy user_policy /enforce command, because the Group Policy settings in question (password policy) are located within the machine node of the relevant Group Policy objects.
Terminal Services
o Terminal Services has two modes:
o 1) Remote administration mode
- Designed for remotely managing the server.
o Only two concurrent logon sessions to a Terminal Services-based server are allowed.
o By default only members of the Administrators group can log on to the terminal server, but you can add other groups.
o 2) Application server mode
- Designed to host client sessions.
- You need to install the Terminal Services License Manager on at least one computer.
- Not limited to two concurrent connections by non-administrators.
When you connect to an IIS computer that is serving up the Terminal Services web connection, you need to open port 3389.