TOGGIT - IN SEARCH OF CERTIFICATION

Test 070-221 Designing a Windows 2000 Network Infrastructure

STUDY GUIDE For MCSE Exam 70-221
Designing a Microsoft Windows 2000 Network Infrastructure

TCP/IP: An open, industry-standard, routable protocol suite. It is required for the core Windows 2000 network services (DHCP, WINS, DNS and Active Directory). Use TCP/IP in heterogeneous environments and whenever Internet connectivity is part of the design.

DNS: Domain Name System - resolves fully qualified domain names (FQDNs) to IP addresses, letting administrators assign "people-friendly" names to network resources. Windows 2000 Active Directory is built entirely on the hierarchical DNS namespace: domain names are DNS names, and clients locate domain controllers through DNS SRV records.

DHCP: Dynamic Host Configuration Protocol - used to dynamically assign Internet Protocol (IP) addresses to clients and reduce administrative overhead in managing and maintaining a TCP/IP-based network.

WINS: Windows Internet Name Service - a NetBIOS name service that resolves NetBIOS names to IP addresses across subnets in a Windows network. Needed wherever Windows 3.11/95/98/NT4 clients (or NetBIOS-dependent applications) must resolve names on other subnets; those clients do not use DNS to locate domain resources unless the Active Directory client is installed.

MS Proxy Server 2.0: This is a combination firewall/proxy server product that provides security by allowing organizations to control the exchange of data between the Internet and their private network. Can also be used to improve the performance of Internet access through its content caching features. It is extremely scalable and suitable for enterprise type deployment within an organization.

NAT: Network Address Translation - implemented as a routing protocol component of Routing and Remote Access Service (RRAS) in Windows 2000. Used to provide Internet connectivity in simple network environments where all machines are on a single subnet. It hides the private addresses and, by default, drops unsolicited inbound connections, but it is not a substitute for a firewall.

IP Routing: Windows 2000 RRAS supports both static and dynamic routing protocols. Connections over non-persistent links are supported through demand-dial routing.

Remote Access: Used to allow remote users access to a private network. Can include dial-up connections over the regular telephone system and also Virtual Private Network (VPN) connections over the Internet.

RADIUS: Remote Authentication Dial-In User Service - provides authorization, authentication, and accounting services for distributed dial-up networks. Used in conjunction with RRAS and IAS (Internet Authentication Service).

TCP/IP:

IP addressing and subnetting:

Public addressing schemes:

All hosts connected directly to the public Internet require a globally unique IP address, and any network connected to the Internet needs at least one public IP address for connectivity. Public addressing throughout the network is used when the organization has a large number of hosts requiring direct Internet access and holds a sufficient pool of registered addresses. Public addressing schemes are expensive and limit network growth: once the available addresses are exhausted, no new devices can be added until more addresses are obtained.

 

Address class   Range                         Default mask     Used for
A               1.0.0.0 – 126.255.255.255     255.0.0.0        Host/network
B               128.0.0.0 – 191.255.255.255   255.255.0.0      Host/network
C               192.0.0.0 – 223.255.255.255   255.255.255.0    Host/network
D               224.0.0.0 – 239.255.255.255   n/a              Multicast
E               240.0.0.0 – 255.255.255.255   n/a              Experimental

(127.0.0.0/8 is reserved for loopback, which is why Class A stops at 126.)

Private addressing schemes:

Used when most hosts do not require direct Internet access and/or when there are insufficient public addresses available. Special ranges of addresses are used for private addressing which are not routable on the public Internet (see table below). This is the most inexpensive route to go and it provides nearly unlimited network growth.

A NAT device must be installed to pass traffic between the private network and the public network. It needs at least one valid public IP address on its Internet-facing interface and a private IP address on its inside interface.

Range (RFC 1918)                Prefix
10.0.0.0 – 10.255.255.255       10/8
172.16.0.0 – 172.31.255.255     172.16/12
192.168.0.0 – 192.168.255.255   192.168/16

Subnet limitations:

Analyze the network bandwidth to ensure it meets design considerations. If the current subnets are congested with traffic consider increasing the number of subnets.

In an IP-routed network you must plan the number of hosts in each subnet as well as the number of subnets. When the network is switched rather than routed, the hosts share one broadcast domain and the design reduces to the number of WAN connections.

Always allow for future growth when designing subnetting schemes.

Classless Interdomain Routing (CIDR):

Under supernetting the classful subnet mask is shortened (made classless) so that one network address and mask can cover several contiguous Class C networks. For example, if 1000 addresses are required, supernetting four contiguous Class C networks provides 1024 addresses advertised as a single /22 route.

When supernetting, ignore the class of the addresses being combined and work from the number of addresses required: the block must start on a boundary that is a multiple of its size, and the mask is the number of leading bits that all addresses in the block share. Four Class C networks that do not start on a multiple-of-four boundary cannot be summarized as a /22 and would need a /21, which advertises address space you do not own.

Other design considerations:

Automatic Private IP Addressing (APIPA) is used for TCP/IP address configuration for hosts on a single subnet without a DHCP server. Allocated from 169.254.x.x/16.

Some IP traffic such as streamed multimedia is considered “time-sensitive” and requires that bandwidth is reserved for it.

Performance and availability considerations:

  • Authentication, logon and encryption traffic is delay and latency sensitive. It may be necessary to place the services involved on both sides of a high-latency link to prevent lag.
  • Increasing the TCP receive window size (the TcpWindowSize registry value) may help alleviate problems on high-latency links.
  • If packet loss is high, check the network for router congestion.
  • Combine contiguous IP ranges by supernetting. Proper use of supernetting shrinks routing tables and reduces routing issues.
  • Use variable length subnet masks (VLSM) to divide IP ranges: the mask is adjusted hierarchically to fit a varying number of hosts in each subnet. Keep the number of routers in the hierarchy to a minimum. Routers running RIP for IP v2, BGP or OSPF support VLSM (RIP v1 does not, as its updates carry no mask).
  • Set route cost metrics equal when there is no cost difference between the paths.
  • Assign higher cost metrics to demand-dial links that back up less expensive persistent links, so they are used only when the primary is down.
  • Place redundant links and routers between locations where high availability is needed. This improves bandwidth as well as availability.
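As an added worked example (not part of the original study guide), the Python below does the arithmetic behind the supernetting and VLSM points above: it finds the single CIDR block covering a set of Class C networks, reports how much space a misaligned set wastes, and carves a block into variable-length subnets largest-first. All addresses are constructed for illustration; only the standard library's ipaddress module is used.

```python
import ipaddress
from typing import Dict, List


def supernet_for(networks: List[str]) -> ipaddress.IPv4Network:
    """Smallest single CIDR block covering every network in the list.

    Classful boundaries are ignored: the prefix length comes only from the
    span of addresses that has to be covered.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    lowest = min(n.network_address for n in nets)
    highest = max(n.broadcast_address for n in nets)
    # Grow a block upward from the lowest address until it also holds the
    # highest one; supernet() shortens the prefix by one bit per call.
    block = ipaddress.ip_network(f"{lowest}/32")
    while highest not in block:
        block = block.supernet()
    return block


def wasted_addresses(networks: List[str]) -> int:
    """Addresses inside the covering block that none of the inputs use.

    Zero means the inputs start on a boundary aligned to the block size;
    anything else means the summary route advertises space you do not own.
    """
    used = sum(ipaddress.ip_network(n).num_addresses for n in networks)
    return supernet_for(networks).num_addresses - used


def prefix_for_hosts(hosts: int) -> int:
    """Prefix length of the smallest subnet with `hosts` usable addresses
    (network and broadcast addresses excluded)."""
    size = 4  # a /30 is the smallest subnet with usable host addresses
    while size - 2 < hosts:
        size *= 2
    return 32 - (size.bit_length() - 1)


def vlsm_allocate(block: str, demands: Dict[str, int]) -> Dict[str, str]:
    """Carve `block` into variable-length subnets, one per named demand.

    Allocating largest-first keeps every subnet aligned to its own size, so
    a cursor walking up the block never lands on a misaligned prefix.
    """
    parent = ipaddress.ip_network(block)
    cursor = int(parent.network_address)
    allocated: Dict[str, str] = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: (-kv[1], kv[0])):
        prefix = prefix_for_hosts(hosts)
        subnet = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}")
        if not subnet.subnet_of(parent):
            raise ValueError(f"{block} exhausted while allocating {name}")
        allocated[name] = str(subnet)
        cursor += subnet.num_addresses
    return allocated


if __name__ == "__main__":
    aligned = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
    print(supernet_for(aligned), wasted_addresses(aligned))    # 192.168.0.0/22 0
    shifted = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"]
    print(supernet_for(shifted), wasted_addresses(shifted))    # 192.168.0.0/21 1024
    print(vlsm_allocate("10.1.0.0/22", {"HQ": 300, "Branch": 100, "DMZ": 20, "WAN link": 2}))
```

The second call is the alignment caveat from the CIDR paragraph: the same four Class C networks, shifted by one, can no longer be summarized as a /22 and the /21 that covers them claims 1024 addresses that belong to someone else.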

Security considerations:

Packet filtering: Windows 2000 offers two packet-level filters. TCP/IP filtering (in the adapter's advanced TCP/IP settings) is a host-level, inbound-only control: once enabled, the host accepts only the TCP ports, UDP ports and IP protocol numbers on its permit lists and silently drops everything else (TCP and UDP are governed by their port lists rather than by the protocol list). RRAS input and output filters can additionally match on source and destination address, which is what lets you limit traffic to dedicated servers or screen a subnet. Both work on IP header and port fields only; neither inspects application-layer content, so a permitted port is open to whatever rides on it.

IPSec Overview: IPSec is a set of protocols, not a service. It consists of two: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH provides authentication, integrity and anti-replay protection for the whole packet, including the IP header fields that do not change in transit, but does not encrypt; use it when the peers must be authenticated and the data must not be tampered with, but the data itself is not sensitive. ESP provides authentication, integrity and anti-replay for its payload plus confidentiality (encryption). Use it to protect sensitive or proprietary information, at the cost of the CPU overhead of encrypting and decrypting.

IPSec can be implemented in a Windows 2000 domain using Active Directory or on a Windows 2000 machine using its Local Security settings. It is not available for Windows 95/98 or Windows NT.

Supported IPSec authentication methods are Kerberos v5, public key certificates issued by a certification authority (for example Microsoft Certificate Services), and pre-shared keys.
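The following is an added Python example, not code from the page, showing what AH's integrity and anti-replay services amount to on the receiving side: a keyed MAC truncated to 96 bits, as IPsec does with HMAC-SHA1-96, and the 64-entry sliding window of RFC 2401. The packet layout, key and payloads are constructed and simplified (no SPI, no IP header coverage), and ESP's encryption is left out because the standard library has no block cipher.

```python
import hashlib
import hmac
import struct
from typing import Tuple

ICV_LEN = 12  # HMAC-SHA1-96: IPsec truncates the MAC to its first 96 bits


def compute_icv(key: bytes, seq: int, payload: bytes) -> bytes:
    """Integrity Check Value over the sequence number and the protected data.
    (Real AH also covers the immutable IP header fields and the SPI.)"""
    mac = hmac.new(key, struct.pack(">I", seq) + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def build_ah_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: sequence number || ICV || payload. The payload stays in
    clear, which is the point of AH versus ESP."""
    return struct.pack(">I", seq) + compute_icv(key, seq, payload) + payload


class ReplayWindow:
    """RFC 2401-style sliding window. Bit 0 of `bitmap` stands for the highest
    sequence number accepted so far (`top`); bit d stands for `top - d`."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check(self, seq: int) -> bool:
        """True if `seq` is new and inside the window. Does not change state,
        so a forged sequence number cannot move the window before the ICV
        has been verified."""
        if seq == 0:  # the first packet on an SA is number 1; 0 is never valid
            return False
        if seq > self.top:
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # too old to be tracked: treated as a replay
        return not (self.bitmap >> diff) & 1

    def update(self, seq: int) -> None:
        """Mark `seq` as seen; call only after the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1  # the whole old window fell off the edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


class Receiver:
    def __init__(self, key: bytes, window: int = 64) -> None:
        self.key = key
        self.window = ReplayWindow(window)

    def receive(self, packet: bytes) -> Tuple[bool, str]:
        """Cheap window check first (no MAC work for obvious replays), then the
        MAC, and only then commit the sequence number."""
        seq = struct.unpack(">I", packet[:4])[0]
        icv, payload = packet[4:4 + ICV_LEN], packet[4 + ICV_LEN:]
        if not self.window.check(seq):
            return False, "replay or outside window"
        if not hmac.compare_digest(icv, compute_icv(self.key, seq, payload)):
            return False, "bad ICV"
        self.window.update(seq)
        return True, "ok"
```

The ordering in receive() is deliberate: a packet that fails the MAC never advances the window, so an attacker who guesses a high sequence number cannot push legitimate in-flight packets out of the window.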

IPSec authentication methods in detail:

·         Preshared Keys – A secret key agreed upon in advance and configured manually on both peers. Intended for standalone or non-Windows 2000 systems and for systems that cannot use Kerberos v5. The key is stored unencrypted in the IPSec policy, so this is the weakest of the three methods and is best kept to interoperability testing.

·         Public Key Certificates – Used by computers that cannot authenticate with Kerberos v5 (business partners, standalone hosts, non-Windows systems). Certificates scale better than preshared keys when large numbers of systems are involved, because no per-pair secret has to be distributed.

·         Kerberos v5 – The default in Windows 2000. Used for authentication between any computers in the same domain or in trusted domains.

NetBIOS over TCP/IP:

Computers in specialized roles, such as proxy servers or firewall bastion servers, should not have NetBIOS over TCP/IP installed. Windows 2000 allows administrators to disable this feature.

DNS: Planning a namespace:

In Active Directory, the namespace is based on DNS. You will need to plan your namespace if you choose to use multiple domains.

There are two types of namespace: internal (used by Active Directory) and external (registered with an Internet domain registrar, Network Solutions at the time, for access from the Internet). When implementing AD you can choose to use the same namespace for both or a different one for each.

Using the same internal and external namespaces has the following two advantages: uses the same logon names both internally and externally (e.g. jdoe@justtoggs.com could serve as both the logon and e-mail ID) and uses the same tree name (e.g. justtoggs.com for example is consistent on both the internal network and public Internet).

Using the same internal and external namespaces results in a more complex proxy configuration and administrators must be careful not to publish internal resources externally. There is duplication of effort in managing resources (e.g., duplicate zone records). As well, users get a different view of internal and external resources even though the namespace is the same.

Using separate namespaces makes it easier to distinguish between internal and external resources, as there is no overlap or duplication of effort. This makes things easier to manage and proxy configuration much simpler. Disadvantages of using separate namespaces are that two names must be registered with Internet DNS (the internal name as well, so that nobody else can claim it) and logon names differ from e-mail IDs.

Design and interoperability considerations:

  • Number of DNS clients per location? The number of clients determines how many DNS servers must be installed per location.
  • How many locations in your organization? Typically at least one DNS server will be installed per location.
  • Are there any pre-Windows 2000 DNS servers currently in use? Newer features in Windows 2000 DNS may not work with older Windows and UNIX DNS servers.
  • Is Active Directory in use or planned in the future? Active Directory integrated zones are only available in Windows 2000 DNS servers (they reduce management overhead by using AD replication to copy the zone databases to all domain controllers).

WINS is not needed once every client and server resolves names through DNS (a native-mode Windows 2000 network with no legacy clients or NetBIOS-dependent applications). In mixed mode, or wherever legacy clients remain, DNS can forward unresolved queries to WINS through WINS lookup (WINS and WINS-R records). BIND servers treat the WINS and WINS-R record types as invalid; if mixing Windows and BIND DNS servers, mark the WINS records as local so they do not replicate to BIND secondaries.

For WINS resolution, use a delegated domain as a placeholder for WINS names. When there is a private and public DNS namespace, the WINS sub domain should reside in the private portion. Organizations using the same private and public namespace should place their WINS sub domain under the root of the organization.

Feature       BIND 4.9.6   BIND 8.1.2   BIND 8.2.1   NT4          W2K
DDNS          No           Supported    Supported    No           Supported
IXFR          No           No           Supported    No           Supported
SRV records   Supported    Supported    Supported    No           Supported
Unicode       No           No           Supported    No           Supported

Working with zones:

Traditional/standard:

The primary zone holds the only read/write copy of the zone database (single-master model). A zone has exactly one primary server but any number of secondary servers (read-only copies). If the server hosting the primary fails, updates stop until an administrator intervenes, although secondaries keep answering queries until the zone's expiry interval runs out. Standard zones are fully compatible with BIND-based (UNIX) DNS servers.

Active Directory Integrated:

Required for secure dynamic updates. Every domain controller running DNS holds a read/write copy of the zone (multi-master replication), so the failure of a single server does not stop DNS updates (improves availability). BIND-based servers can pull zone transfers from an AD integrated zone just as from a standard primary. Data from AD integrated zones replicates to other domain controllers through Active Directory replication and can also be transferred to standard secondary zones.

Reverse lookup zones can be AD integrated, standard primary or standard secondary. The rules listed above apply to reverse lookup zones as well.

Exposing resources to the Internet:

DNS queries from within your organization can either be forwarded to that organization’s ISP or to the Internet’s root DNS servers.
Incoming queries from the Internet can be resolved on an organization’s behalf by their ISP (recommended only if resource names aren’t changed often) or by a DNS server maintained by the organization in a screened subnet (use when resource names change frequently).

Place the primary zone inside the organization’s firewall and place the secondary zone (read-only database) inside the screened subnet to prevent unauthorized changes to the DNS database. Do not place an AD integrated zone in the screened subnet as it could jeopardize the security of your AD information.

The public DNS server should contain only those records necessary to do its job. Placing a complete zone database on the machine could expose private information for servers inside the corporate firewall and will also degrade the machine’s performance.
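As an added example (not from the guide), the Python below takes a constructed internal zone for justtoggs.com, the name this guide uses, and produces the record set that may be placed on the screened-subnet secondary, listing what was withheld and why: hosts on private address space, the Active Directory locator (SRV) records, and any alias or mail/name-server record that points at a withheld host. Names and addresses are invented; public hosts use the 203.0.113.0/24 documentation range.

```python
import ipaddress
from typing import List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, rdata)

# Address space that must never appear in the public zone: the RFC 1918
# private ranges, loopback and APIPA. Python's is_private is not used because
# it also flags the documentation range used for the sample data below.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed internal zone (data invented for this example).
INTERNAL_ZONE: List[Record] = [
    ("justtoggs.com.",                "NS",    "ns1.justtoggs.com."),
    ("justtoggs.com.",                "MX",    "10 mail.justtoggs.com."),
    ("ns1.justtoggs.com.",            "A",     "203.0.113.10"),
    ("www.justtoggs.com.",            "A",     "203.0.113.20"),
    ("mail.justtoggs.com.",           "A",     "203.0.113.25"),
    ("dc1.justtoggs.com.",            "A",     "10.1.0.5"),
    ("fileserver.justtoggs.com.",     "A",     "10.1.0.40"),
    ("intranet.justtoggs.com.",       "CNAME", "fileserver.justtoggs.com."),
    ("_ldap._tcp.justtoggs.com.",     "SRV",   "0 100 389 dc1.justtoggs.com."),
    ("_kerberos._tcp.justtoggs.com.", "SRV",   "0 100 88 dc1.justtoggs.com."),
]


def is_internal_address(rdata: str) -> bool:
    try:
        ip = ipaddress.ip_address(rdata)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_RANGES)


def is_locator_record(name: str, rtype: str) -> bool:
    """Active Directory publishes its domain controllers as SRV records under
    underscore-prefixed names (_ldap, _kerberos, _msdcs ...). They belong to
    the directory, not to the Internet-facing zone."""
    return rtype == "SRV" or name.startswith("_")


def split_zone(zone: List[Record]) -> Tuple[List[Record], List[Tuple[Record, str]]]:
    """Return (records safe to publish, records withheld with the reason)."""
    hidden = {name for name, rtype, rdata in zone
              if rtype in ("A", "AAAA") and is_internal_address(rdata)}
    public: List[Record] = []
    withheld: List[Tuple[Record, str]] = []
    for rec in zone:
        name, rtype, rdata = rec
        target = rdata.split()[-1]  # last token is the host for CNAME/MX/NS/SRV
        if name in hidden:
            withheld.append((rec, "internal address"))
        elif is_locator_record(name, rtype):
            withheld.append((rec, "Active Directory locator record"))
        elif rtype in ("CNAME", "MX", "NS") and target in hidden:
            withheld.append((rec, f"points at withheld host {target}"))
        else:
            public.append(rec)
    return public, withheld


def public_zone_leaks(public_zone: List[Record]) -> List[Record]:
    """Audit an existing screened-subnet zone: anything split_zone would
    withhold is a leak of internal information."""
    _, withheld = split_zone(public_zone)
    return [rec for rec, _ in withheld]


if __name__ == "__main__":
    public, withheld = split_zone(INTERNAL_ZONE)
    for rec in public:
        print("publish ", rec)
    for rec, why in withheld:
        print("withhold", rec, "->", why)
```

The audit function is the one to run periodically against the zone actually served from the screened subnet: the common way internal names leak is an administrator copying the full zone to the public secondary, exactly the case the paragraph above warns about. Only single-level aliases are followed; a CNAME chain would need the check repeated.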

Performance and availability considerations:

With AD-based DNS servers, simply add more DNS servers as needed to handle traffic. With traditional DNS zones, add secondary zones or delegated domains to increase performance. Delegated domains contain a subset of the domain namespace
(e.g., sales.justtoggs.com is a subset of justtoggs.com).

Incremental zone transfers (IXFR) place less of a burden on the network than full zone transfers (AXFR) – use them whenever possible. Fast zone transfers compress replication data, but are not supported by older versions of BIND. Schedule replication to take place during off-peak hours when possible, to avoid network congestion.

A caching-only DNS server hosts no zones: it resolves requests and caches the answers until their TTL expires. Use one at a location where resource information changes infrequently and the low-speed WAN link cannot spare bandwidth for zone replication traffic.

Redundant DNS servers behind Network Load Balancing spread query load across multiple hosts. Use them when query resolution time has become unacceptable, when DNS traffic exceeds the capacity of a WAN link at a remote location, and when the connection between the DNS servers supports the extra replication traffic.

Use MS Cluster Service to increase availability (local servers only: remote servers cannot be clustered). Clustered servers should share a cluster drive so that both nodes have access to the most recent zone database file. Failed servers can be restored more quickly from a cluster drive, as there is no need to resynchronize.

Security considerations:

Secured updates are only available with AD integrated zones. Use them to prevent impersonation of servers when using DDNS. Permissions can be assigned to a group, computer or user account. W2K clients can directly update DNS records but this should only be done if:

1.       It does not create a security risk

2.       The client station has a static IP address, and

3.       It does not create unacceptable management overhead in terms of managing permissions.

Having the DHCP server perform DNS updates on behalf of clients is easier to secure (one account is granted update rights instead of many), reduces the work of managing per-client permissions, and is required for non-Windows 2000 clients (which cannot update DNS themselves).

Encrypt replication data with a VPN or IPSec when it crosses untrusted links. AD integrated zones add protection of their own: their data moves between domain controllers through Active Directory replication rather than over zone transfers, and leaves that path only for secondary zones you explicitly configure.

Firewalls should be configured to permit only DNS queries from the Internet and zone replication traffic only from the private network.

DHCP: Design considerations:

Is the network switched, routed, or a combination of both? Consider the location of broadcast domains and the placement of DHCP Relay Agents to forward lease requests through routers that do not accommodate BOOTP/DHCP forwarding.

When using a single DHCP server, place it on the subnet with the highest population of clients – the other subnets will use relay agents or BOOTP/DHCP forwarding on their routers. Use multiple DHCP servers for a geographically dispersed network, low speed WAN links, or dial-up users.

To what extent have non-Microsoft hosts been deployed through the organization? They may cause problems by not recognizing MS-specific vendor options like default router metric base, which provides a base cost for default gateways to the client. Diskless workstations (BOOTP clients) are becoming increasingly popular but are not properly supported by NT4’s DHCP server. BOOTP clients should be placed in the same broadcast domain as a W2K DHCP server that has been updated to support RFC 951-compliant devices.

Performance and availability considerations:

Increase DHCP lease length when network traffic is a concern. The longer the lease, the lower the traffic.

When working with a small pool of IP addresses, decrease lease length to make greatest use of your addresses. This has the side effect of increasing network traffic. Windows 2000 clients can be configured to give up their lease at shutdown.

Using distributed scopes with multiple servers in remote locations increases availability in the event of a server failure. Allocate between 50 – 80 percent of an IP address scope to a server on the local subnet and the remainder to a remote server. When the server on the local segment goes down, the remote server can continue allocating addresses.

Implement vendor classes when there is a need to provide similar DHCP options to like groups of clients. User classes are used when specific groups of users have different DHCP configuration options than other groups within the company.

Windows Clustering increases availability by providing automatic failover if the primary node goes down and failback when the downed server comes back online. Clustering is only available to locally placed machines with a persistent high-speed link.

Network Load Balancing is not an option with DHCP.

Security considerations:

Placing a DHCP server outside of your firewall or inside a screened subnet poses a security risk since a valid IP address could be allocated to an unauthorized client (allowing access to network resources). Minimize the security risk by extending lease times (this reduces the chance of an IP address being captured), using the smallest possible address range to meet your needs, and manually reserving/mapping addresses to the MAC addresses of specific clients.

WINS: Design considerations:

Is the network switched, routed, or a combination of both? Consider the location of broadcast domains and the placement of WINS proxy agent to forward broadcast traffic across routers.

The dynamic DNS in Windows 2000 has removed the need for WINS, except where pre-Windows 2000 domain controllers, legacy clients, or NetBIOS-dependent applications remain. Install WINS when NetBIOS name resolution is needed while reducing the related NetBIOS broadcast traffic.

Non-WINS clients are supported by installing WINS proxy agent (recommended), static WINS entries (next best), or LMHOSTS entries (most work). To avoid changing hundreds (or thousands) of LMHOSTS files whenever a resource is added or removed, use the #INCLUDE statement to reference a centrally managed LMHOSTS file.

Performance and availability considerations:

Replication across WAN links should be scheduled in off-peak hours. The frequency of replication can also be controlled.

The best replication convergence times are provided by a hub and spoke model. Aim for persistent high-speed connections between replication partners whenever possible. Push- or pull-only relationships should be avoided (except for slow WAN links) when planning for WINS replication.

For remote servers use push/pull WINS replication. Local servers can be clustered for high availability.

Security considerations:

When a WINS server is placed outside a firewall or inside a screened subnet, use pull only replication from its partner. This replication traffic should be encrypted using VPN tunnels or IPSec.

MS Proxy Server 2.0:

Design and interoperability considerations:

A special install wizard has been released to upgrade a Proxy 2 installation so that it is compatible with Windows 2000.

If there is a need to reduce private network traffic within an organization then consider implementing Proxy 2 with its Web object caching. Its firewall capabilities can also be used to create screened subnets inside a private network to secure data.

A proxy server at the edge of the private network isolates it from the public network and secures confidential data. It can also reduce traffic on the outbound connection by caching frequently requested Web objects.

An organization with insufficient public IP addresses can assign one valid public IP to the proxy server and have it service thousands of clients which are using private, non-routable addresses instead(acting as a proxy on their behalf).

Internet Explorer 5.0 is all that is required for HTTP and FTP traffic. Install the WSP client for any Windows-based Internet application that uses wsock32.dll or NWLink (32-bit only). For UNIX and Macintosh clients, SOCKS4 compatible applications are supported (SOCKS4 supports TCP but not UDP).

Performance and availability considerations:

Active content caching makes the most commonly requested objects available in the cache automatically. It will go out and retrieve objects on its own during low traffic periods if needed. Active caching conserves hard drive space but is more CPU intensive. With passive caching, objects are retrieved when requested by a client and stored in the cache until their TTL expires. Passive caching uses less CPU time but more hard drive space than Active caching.

Multiple servers can be configured as a proxy array for fault tolerance. If an array member goes down, the remaining servers pick up the slack. As the Web content cache is spread amongst the array, only the cache on the failed machine is lost. Setting up multiple proxy servers with Network Load Balancing gives the whole array a single virtual IP address that clients use for their requests.

Security considerations:

When your proxy server belongs to an Active Directory domain you can assign access permissions to users and/or groups. In a heterogeneous environment install Services for UNIX, CSNW, and/or Services for Macintosh to provide access for non-Windows clients.

Proxy can also be installed on a stand-alone computer and access granted (or denied) through its local users and groups. The guest account would only be enabled when it is desirable to have anonymous access to resources.

When designing hierarchical screened subnets, the broadest security belongs at the top of the hierarchy and becomes stronger as you move lower. (e.g. Management has lax security where as the Research division has very strong security).

Packet and domain filtering provides the ability to completely restrict traffic by protocol, IP address, domain, user, group, and computer.

Web publishing allows for placement of a single Web server behind a firewall. This increases security, since the proxy server fetches requested pages on behalf of the client and returns them (acting as a Web server). This hides the identity of the real Web server and protects it from attack.

NAT:

Design considerations:

NAT is only appropriate for non-routed network environments where all users have the same access privileges but where private addressing for all computers is required.

A separate DHCP server is not required: NAT includes a DHCP allocator that hands out private addresses to DHCP clients. The allocator and NAT's DNS proxy listen on the DHCP and DNS ports, so NAT should not be installed on a machine already running the DHCP service or the DNS service.

A DNS proxy is included in NAT to forward name resolution queries to a DNS server belonging to the organization or one belonging to its ISP.

Security considerations:

VPN (PPTP) connections can be used whenever remote users need access to resources on a private network or whenever remote resources need to be secured on a user-level basis. Both outbound and inbound connections are supported.

By default, all computers behind NAT are inaccessible from the Internet. If access to the private network is given to a single IP address, you must define its port mappings within RRAS. This is not necessary when using multiple addresses reserved in an address pool, since all IP ports are open unless specifically filtered in RRAS.

Routing:

Protocols:

Protocol       Description
AppleTalk      Routable, proprietary protocol developed by Apple; used to integrate Macintosh systems into a Windows network.
IGMP           Internet Group Management Protocol. Lets hosts join and leave multicast groups.
OSPF           Open Shortest Path First. Dynamic link-state routing protocol, more efficient than RIP: it sends only changed information rather than retransmitting entire routing tables.
RIP for IP     Routing Information Protocol for IP. Dynamic distance-vector routing protocol; considerable overhead, because the whole routing table is broadcast every 30 seconds.
RIP for IPX    Routing Information Protocol for IPX. Similar to RIP for IP.
SAP            Service Advertising Protocol. Proprietary broadcast-based protocol developed by Novell; IPX/SPX servers use it to advertise their services.

RIP is used when it is desirable to reduce the management overhead of maintaining static routes. Use it when routing information changes frequently, demand-dial interfaces are used (RIP can send auto-static updates over them), the existing routers already run RIP, and no path crosses more than 15 hops (RIP's hop-count limit; a metric of 16 means unreachable).

Design considerations:

For router placement, consider the following questions

·         Do you need to logically segment the network (create subnets) to isolate traffic?

·         Are dissimilar network topologies (ATM, ISDN, Token Ring, and Ethernet) being connected?

·         Does the organization require the creation of screened subnets (packet filtering) to secure confidential data?

·         Are connections persistent (higher availability and data rate) or demand-dial (cheaper while idle, but making them persistent to improve availability adds to the operating cost)?

Routers placed at the edge of a network (between the Internet and the private network) can provide firewall type security when packet filtering is enabled.

Static routing is an option when it is desirable to reduce overhead (generated by dynamic routing protocols such as RIP and OSPF) or to increase security (by preventing the transmission of routing tables). Avoid it when the number of routes or the frequency of changes generates unacceptable management overhead. OSPF cannot run over a demand-dial interface, so routes across demand-dial links must be added manually as static routes or learned through RIP auto-static updates.
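Added example, not from the guide: a static routing table for a constructed head-office RRAS router and the selection RRAS performs on it, longest prefix first and then lowest metric. It shows the equal-cost pair and the demand-dial backup route from the performance list taking over only when the persistent link is down. Addresses (documentation ranges) and interface names are invented.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int
    demand_dial: bool = False


def route(prefix: str, gateway: str, interface: str, metric: int,
          demand_dial: bool = False) -> Route:
    return Route(ipaddress.ip_network(prefix), gateway, interface, metric, demand_dial)


# Constructed static table. The branch has two routes: the persistent T1 at
# metric 1 and an ISDN demand-dial backup at metric 10, so the backup is only
# chosen when the T1 is unavailable. Path-A/Path-B are an equal-cost pair.
TABLE: List[Route] = [
    route("0.0.0.0/0",   "203.0.113.1", "Internet",       1),
    route("10.2.0.0/16", "10.0.0.2",    "T1-to-branch",   1),
    route("10.2.0.0/16", "0.0.0.0",     "ISDN-to-branch", 10, demand_dial=True),
    route("10.2.5.0/24", "10.0.0.3",    "Lab-router",     1),
    route("10.3.0.0/16", "10.0.0.4",    "Path-A",         5),
    route("10.3.0.0/16", "10.0.0.5",    "Path-B",         5),
]


def select_routes(table: List[Route], destination: str,
                  down: FrozenSet[str] = frozenset()) -> List[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins.
    Every route that ties is returned, so an equal-cost pair comes back as
    two entries. Routes whose interface is in `down` are skipped, which is
    how the higher-metric demand-dial backup gets its turn."""
    dst = ipaddress.ip_address(destination)
    usable = [r for r in table if dst in r.prefix and r.interface not in down]
    if not usable:
        return []
    longest = max(r.prefix.prefixlen for r in usable)
    candidates = [r for r in usable if r.prefix.prefixlen == longest]
    best = min(r.metric for r in candidates)
    return [r for r in candidates if r.metric == best]


def next_hop_interfaces(table: List[Route], destination: str,
                        down: FrozenSet[str] = frozenset()) -> List[str]:
    return [r.interface for r in select_routes(table, destination, down)]


if __name__ == "__main__":
    print(next_hop_interfaces(TABLE, "10.2.5.7"))                           # ['Lab-router']
    print(next_hop_interfaces(TABLE, "10.2.9.1"))                           # ['T1-to-branch']
    print(next_hop_interfaces(TABLE, "10.2.9.1", frozenset({"T1-to-branch"})))  # ['ISDN-to-branch']
    print(next_hop_interfaces(TABLE, "10.3.1.1"))                           # ['Path-A', 'Path-B']
```

Had the ISDN route been given the same metric as the T1, the two would have been returned as an equal-cost pair and the demand-dial link would be dialled for ordinary traffic, which is the cost the higher metric is there to prevent.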

Remote Users:

Design considerations:

VPNs:  A Virtual Private Network (VPN) is an extension of the physical network. Rather than restricting the network to local cabling, VPN uses the Internet as a segment backbone. VPNs are used by organizations that have a need for members to access private network resources via the Public Internet.

Dial-up Access: Used when the security risk from allowing access the private network via a VPN tunnel from the public Internet is unacceptable. RRAS support the MS RAS protocol (NetBIOS only) and PPP, but not SLIP.

PPP supports the following WAN technologies:

·         PSTN (Public Switched Telephone Network)

·         ISDN (Integrated Services Digital Network)

·         X.25 and X.25 PAD

RRAS integrates with the following W2K network services (reduces management overhead):

·         RADIUS – allows centralized administration of remote access policies, distributed client authentication in a heterogeneous network, and authentication/accounting logging from multiple remote access servers.

·         DHCP – IP addresses can be allocated to remote access clients.

·         DNS – remote access clients can register their dynamic IP addresses with the DNS server.

·         Active Directory – remote access policies can be administered through AD in a W2K native-mode network.

 

Client/server dial-up designs should specify:

·         Which users will be granted remote access,

·         Remote access policy restrictions by user or group, and

·         How many adapters, phone lines, modems, and ports are needed to support client connections.

Choose VPN as part of a network design when:

·         Access to the private network via the Internet is an acceptable security risk.

·         The variability of Internet bandwidth is not a concern.

·         The organization’s Internet connection supports the projected aggregate bandwidth of the maximum number of concurrent remote access client connections.

Security considerations:

Restricting access on a private network:

The following client access restrictions can be placed upon remote users:

·         Access is confined to RAS server only (set by server, not by user).

·         Static routes are defined only to specific subnets where access is granted (can be set by user or server policy).

·         Access is permitted to all resources on the routed network (this can only be set by server, not by user).

Place a VPN server outside the firewall when:

·         Confidential data is protected behind the firewall and the only access through the firewall is strictly limited to the VPN server,

·         Allowing access to the complete range of VPN IP address through the firewall poses an unacceptable security risk, and/or

·         It will not compromise the integrity of the network design’s security to expose the VPN server directly to the Internet.

RADIUS: Overview:

Internet Authentication Service is Microsoft’s implementation of the Remote Authentication Dial-in User Service (RADIUS). RADIUS and IAS together perform centralized connection authentication, authorization, and accounting for dial-up and virtual private network (VPN) remote access and for router-to-router connections. Used in conjunction with RRAS , they enable single- or multiple-vendor network remote access.
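Added example, not code from the page or from IAS: the RADIUS Access-Request / Access-Accept exchange of RFC 2865 with both sides implemented against a constructed shared secret and user database. It shows why the shared secret and an unpredictable Request Authenticator matter (the password is only XOR-masked with an MD5 keystream derived from them, not encrypted) and why the client must check the Response Authenticator before trusting an Accept. Only the User-Name, User-Password and NAS-IP-Address attributes are handled.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types (RFC 2865)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed by the shared secret, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip padding (passwords ending in NUL cannot be carried)


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    # Type(1) Length(1, covering type, length and value) Value
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def access_request(secret: bytes, ident: int, username: bytes, password: bytes,
                   nas_ip: str, request_auth: Optional[bytes] = None) -> bytes:
    """NAS (RADIUS client) side. The caller keeps the returned packet so the
    reply can be verified against its Request Authenticator."""
    ra = request_auth or os.urandom(16)  # must be unpredictable: it keys the masking
    body = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, ra)),
        (NAS_IP_ADDRESS, ipaddress.ip_address(nas_ip).packed),
    ])
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def radius_server(secret: bytes, users: Dict[bytes, bytes], request: bytes) -> bytes:
    """Server (IAS-like) side: unmask the password, decide, sign the reply."""
    code, ident, length = struct.unpack(">BBH", request[:4])
    request_auth = request[4:20]
    attrs = decode_attrs(request[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and users.get(attrs.get(USER_NAME)) == password
    header = struct.pack(">BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + b"" + secret).digest()
    return header + response_auth


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Client side: accept the reply only if the identifier matches and the
    Response Authenticator proves the sender knows the shared secret."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response_auth)
```

Two properties follow directly from the code and are why the design notes below keep RADIUS servers close to the account database and inside the private network: anyone who captures a request and knows (or guesses) the shared secret recovers the password, and anyone on the path who does not know the secret still cannot turn a Reject into an Accept because the Response Authenticator will not verify.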

Design considerations:

Place RADIUS clients as near as possible to remote users. This creates a local point of presence (POP), which reduces or eliminates dial-up costs, reduces administrative overhead by delegating administration to local network admins in the same region, and reduces the risk of confidential data being exposed.

RADIUS servers should be placed as close as possible to the server that provides remote user account authentication. This localizes traffic, keeping it within the same private network, and helps prevent unauthorized access to the user account database.

Managing Network Services:

Reactive and proactive response strategies:

Reactive responses occur after an event notification. Proactive responses address a condition before it becomes a problem.

Combining Network Services:

The most common obstacle to combining services on a single computer is hardware resources. The trick is to recognize which services use which resources and combine them so that all resources on the machine are fully utilized (e.g., combining a CPU-intensive service with a RAM-intensive service).

Hardware Resources:

Service               RAM   CPU   Network  Disk
DHCP                  Low   High  Low      High
DHCP Relay Agent      Low   Med   Med      None
DNS                   High  Med   Low      High
IAS                   High  Med   Low      None
IPSec                 Low   High  Low      None
MS Proxy 2            High  High  High     High
NAT                   High  High  High     None
Remote Access Server  High  High  High     None
RRAS Router           High  Med   High     None
VPN                   Low   High  Low      None
WINS                  Low   Low   Med      High
WINS Proxy            Low   Low   Low      None

Also, the presence of certain applications running on a system may preclude combining certain services because of resource issues or other conflicts (e.g. NAT and DHCP cannot be combined on the same server as they use the same ports).

With DDNS, the DHCP service performs frequent DNS updates. If the services are on separate machines, network traffic is generated whenever updates are performed.

The layout of physical networks may also prevent the combination of services.

Combining with clustering services:

DHCP and WINS are cluster-aware services and automatically store critical data on cluster-based drives. These services will automatically fail over when the primary system in the cluster goes down. Always make sure that cluster-aware services are set up for automatic failover.

Security considerations:

Services that define screened subnets (Proxy Server 2.0 and RRAS) should be isolated. When these computers connect to the public Internet, only those services required to create the screened subnet should be combined.
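A small co-location checker, added here as an illustration and not part of the study guide, that encodes the resource table above and the combination rules from this section: the NAT/DHCP port conflict, the DDNS affinity between DHCP and DNS, and isolation of the screened-subnet services. Treating two "High" consumers of one resource as contention, and listing only MS Proxy 2 and RRAS Router as screened-subnet services, are assumptions.

```python
from itertools import combinations

# Resource table from the study guide: (RAM, CPU, Network, Disk).
RESOURCES = {
    "DHCP": ("Low", "High", "Low", "High"),
    "DHCP Relay Agent": ("Low", "Med", "Med", "None"),
    "DNS": ("High", "Med", "Low", "High"),
    "IAS": ("High", "Med", "Low", "None"),
    "IPSec": ("Low", "High", "Low", "None"),
    "MS Proxy 2": ("High", "High", "High", "High"),
    "NAT": ("High", "High", "High", "None"),
    "Remote Access Server": ("High", "High", "High", "None"),
    "RRAS Router": ("High", "Med", "High", "None"),
    "VPN": ("Low", "High", "Low", "None"),
    "WINS": ("Low", "Low", "Med", "High"),
    "WINS Proxy": ("Low", "Low", "Low", "None"),
}
COLUMNS = ("RAM", "CPU", "Network", "Disk")
# Guide: NAT and DHCP cannot share a server because they use the same ports.
PORT_CONFLICTS = {frozenset({"NAT", "DHCP"})}
# Assumption: the services that define a screened subnet (Proxy 2.0, RRAS).
SCREENED_SUBNET = {"MS Proxy 2", "RRAS Router"}

def plan_colocation(services):
    """Check a proposed service set; returns (ok, findings), ok False on BLOCK."""
    unknown = [s for s in services if s not in RESOURCES]
    if unknown:
        raise ValueError(f"not in resource table: {unknown}")
    findings, blocking = [], False
    for a, b in combinations(sorted(services), 2):
        if frozenset({a, b}) in PORT_CONFLICTS:
            findings.append(f"BLOCK: {a} and {b} use the same ports")
            blocking = True
    for i, col in enumerate(COLUMNS):
        # Assumption: two "High" consumers of one resource contend for it.
        heavy = [s for s in services if RESOURCES[s][i] == "High"]
        if len(heavy) > 1:
            findings.append(f"WARN: {col} contended by {', '.join(heavy)}")
    screened = SCREENED_SUBNET & set(services)
    if screened and set(services) - SCREENED_SUBNET:
        findings.append("BLOCK: isolate screened-subnet service(s) "
                        + ", ".join(sorted(screened)))
        blocking = True
    if "DHCP" in services and "DNS" not in services:
        findings.append("INFO: DHCP sends frequent DDNS updates; co-locate DNS")
    return (not blocking, findings)
```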


All information on this site is copyright ToggIT.com unless otherwise specified. Material submitted or posted on this site may also contain materials that are copyrights of individual contributors. It is illegal to copy, publish, reproduce, or distribute any materials from this site without the express permission of the owner of this material.

The material on this web site is not sponsored by, endorsed by or affiliated with Microsoft, Inc, CompTIA, or Cisco Systems, Inc. Microsoft, Inc.®, Windows XP, Windows 2000, Windows 2000 Server, Windows 98, Windows NT, Visual Basic, Visual C++, Visual FoxPro, SQL Server and Microsoft logos are trademarks or registered trademarks of Microsoft, Inc. in the United States and certain other countries. A+, Server+, and Network+ are all registered trademarks of CompTIA. CCNA, CCNE, and the Cisco logo are all registered trademarks of Cisco Systems. All other trademarks are trademarks of their respective owners.
