Study Guide for Microsoft Exam 070-291: Windows 2003 Network Infrastructure
Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
Managing DHCP:
DHCP (Dynamic Host Configuration Protocol) allows you to dynamically
distribute IP addresses and all associated configuration data through an
open standard. DHCP clients are given leases to define the amount of
time their address information is valid. Every client automatically
attempts to extend the lease when half the time of the lease has
expired. If it fails, it keeps trying for the duration of the lease.
DHCP issues not only addresses from the address pool (scope) but also
lease information and other IP configuration data (default gateway,
subnet mask, etc.). DHCP is installed as a service on Windows Server
2003 through wizards reached from the Networking Services subcomponent
of the Add/Remove Programs applet.
A scope is a range of IP addresses that can be issued to DHCP
clients on a single subnet by the DHCP server. Only one scope can be
created for each subnet, and a single DHCP server can manage several
scopes.
DHCP scopes are created with the New Scope Wizard, which also allows
you to add exclusions, configure the router, define Domain Name and DNS
Server options, and specify WINS settings. After installing the DHCP
service, you gain the DHCP snap-in and must define at least one scope on
the server.
A red arrow on the icon of a DHCP server indicates that it is not
authorized. Once the DHCP server is authorized, the arrow changes to
green.
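A small model of a scope with an exclusion range, lease hand-out, and the renewal attempt at half the lease, written in Python as an added illustration (not code from the guide or from Windows); the address range, client IDs and lease length in it are constructed.

```python
import ipaddress

class DhcpScope:
    """One DHCP scope: a contiguous IPv4 range for a single subnet, minus
    exclusions. Constructed model for illustration, not the Windows DHCP code."""

    def __init__(self, first, last, lease_seconds):
        self.first = int(ipaddress.IPv4Address(first))
        self.last = int(ipaddress.IPv4Address(last))
        self.lease_seconds = lease_seconds
        self.excluded = set()      # integer addresses the server must never offer
        self.leases = {}           # ip string -> (client_id, lease expiry time)

    def exclude(self, first, last):
        """Exclusion range: addresses reserved for statically configured hosts."""
        a = int(ipaddress.IPv4Address(first))
        b = int(ipaddress.IPv4Address(last))
        self.excluded.update(range(a, b + 1))

    def _is_free(self, n, now):
        if n in self.excluded:
            return False
        lease = self.leases.get(str(ipaddress.IPv4Address(n)))
        return lease is None or lease[1] <= now   # an expired lease is reusable

    def offer(self, client_id, now):
        """Return the live lease the client already holds, else the lowest free
        address in the scope with a fresh lease; None when the scope is exhausted."""
        for ip, (cid, expiry) in self.leases.items():
            if cid == client_id and expiry > now:
                return ip
        for n in range(self.first, self.last + 1):
            if self._is_free(n, now):
                ip = str(ipaddress.IPv4Address(n))
                self.leases[ip] = (client_id, now + self.lease_seconds)
                return ip
        return None

    def renewal_due(self, ip):
        """When the client first tries to extend the lease: halfway through it."""
        return self.leases[ip][1] - self.lease_seconds // 2

    def renew(self, client_id, ip, now):
        """Extend the lease only if this client still holds it and it has not
        expired; a failed renewal leaves the client retrying until expiry."""
        lease = self.leases.get(ip)
        if lease is None or lease[0] != client_id or lease[1] <= now:
            return False
        self.leases[ip] = (client_id, now + self.lease_seconds)
        return True
```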
MADCAP (Multicast Address Dynamic Client Allocation Protocol) works
like DHCP, but is used to issue multicast addresses only. Multicasting
involves sending a message to a select group of recipients through the
use of class D IP addresses. This is useful for conserving bandwidth. If
you need to send a data packet to 300 out of 600 users, for example, you
need to send it only once (to the class D address) rather than the 300
times unicasting would require. Multicast addresses must fall within the
Class D range, whose first octet is 224 through 239.
DHCP servers can be configured to use DDNS (Dynamic DNS) at the scope
level or server level. The DHCP snap-in enables you to manage and
monitor DHCP. For example, you can work with the database files, remove
leases, and modify scopes.
NAT interfaces define connection properties for network address
translation. They define what constitutes the internal network and what
constitutes the external network. NAT translates between two different
networks, allowing you to have a private scope internally and still
communicate with the Internet.
Utilizing NAT, only one machine (the NAT itself) needs a valid Internet
IP address; all the internal clients can use private addresses (10.0.0.0
for Class A, 172.16.0.0 for Class B, 192.168.0.0 for Class C).
Windows Server 2003 includes the following NAT editors: FTP, ICMP,
and PPTP. Configuration of NAT (Network Address Translation) is done
through the Routing and Remote Access MMC snap-in (meaning that RRAS
must be activated before NAT can be employed).
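Added Python illustration (not from the guide or from Windows) of what the NAT machine does with its single public address: outbound packets from the private ranges above are given a public port, replies are mapped back to the internal host, and unsolicited inbound packets have no mapping to match. The public and peer addresses are made-up documentation addresses.

```python
import ipaddress

# The private ranges the guide lists, in their full CIDR form (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

class Nat:
    """Port-translating NAT: every internal host shares the one public address.
    Constructed model; the public IP and port range below are made up."""

    def __init__(self, public_ip, first_port=49152):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # public port -> that same 4-tuple

    def translate_out(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outgoing packet's source to the public address and a
        public port, creating a mapping on first use and reusing it after."""
        if not is_private(src_ip):
            raise ValueError("only internal (private) sources are translated")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_in(self, src_ip, src_port, dst_port):
        """Reverse the mapping for a reply. Inbound packets that match no
        existing mapping (unsolicited traffic from the Internet) return None."""
        entry = self.inbound.get(dst_port)
        if entry is None:
            return None
        priv_ip, priv_port, peer_ip, peer_port = entry
        if (src_ip, src_port) != (peer_ip, peer_port):
            return None   # not from the peer this mapping was opened toward
        return (src_ip, src_port, priv_ip, priv_port)
```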
Internet Connection Sharing (ICS) is a service that allows you to
provide automated demand-dial capabilities on a small network, such as a
home office. This can be used for any number of processes, including DNS
Proxy, DHCP, and NAT.
Managing DNS:
DNS is a server service consisting of a hierarchical, distributed
database with built-in redundancy and caching capabilities. DNS
translates domain names into IP addresses. When a DNS server cannot
resolve a query itself, it escalates the query up the hierarchy toward a
root server and the server authoritative for the zone. DNS queries can
be either recursive or iterative.
DNS is installed as a service within Windows Server 2003 through the
use of wizards. If you install Active Directory (via the Active
Directory Installation Wizard) and the wizard cannot find a DNS server,
it will attempt to install the DNS service for you. DNS management
can be performed with the DNS Manager snap-in.
DNS monitoring can be done with the Performance tool on counters such
as Caching Memory, IXFR Counters, TCP/IP, and Zone Transfer. DNS uses
resource records to perform translations. Resource records are entries
in the zone database file; each resource record identifies a particular
resource within the database.
If necessary, you can manually add resource records into DNS through
the DNS snap-in.
Dynamic DNS (DDNS) is simply the marriage of DHCP and DNS. Whenever a
client interacts with DHCP (new lease, renewal, etc.), the fully
qualified domain name (FQDN) of the client is registered with DNS
through the DHCP server. The registration can also be triggered manually
with the /registerdns switch of the IPCONFIG.EXE utility (ipconfig /registerdns).
DNS zone transfers can be full (AXFR) or incremental (IXFR). A
caching-only server holds no copy of any zone and is used merely to
speed up client queries by storing the answers to queries it has already
resolved.
Round robin is a method of load-balancing DNS servers by rotating
type A resource records.
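Added Python model (not the Windows DNS server's code) of the difference between a full and an incremental transfer: the primary keeps a change log keyed by SOA serial, answers an IXFR with only the updates newer than the secondary's serial, and falls back to AXFR when the log cannot reach back that far. The zone names, serials and addresses are constructed.

```python
class PrimaryZone:
    """A primary's zone with a change log keyed by SOA serial (constructed
    model of AXFR/IXFR behaviour, not the Windows DNS server's code)."""

    def __init__(self, serial, records):
        self.serial = serial
        self.records = dict(records)   # owner name -> A record data
        self.history = []              # (new serial, removed, added) per update

    def update(self, removed, added):
        """Apply a change and bump the serial so secondaries can see it."""
        self.serial += 1
        for name in removed:
            self.records.pop(name, None)
        self.records.update(added)
        self.history.append((self.serial, dict(removed), dict(added)))

    def axfr(self):
        """Full transfer: the whole zone at the current serial."""
        return {"type": "AXFR", "serial": self.serial,
                "records": dict(self.records)}

    def ixfr(self, client_serial):
        """Incremental transfer: only the updates newer than the secondary's
        serial. Falls back to a full AXFR when the log does not reach back far
        enough to reconstruct the secondary's copy."""
        if client_serial >= self.serial:
            return {"type": "IXFR", "serial": self.serial, "changes": []}
        oldest_known = self.history[0][0] - 1 if self.history else self.serial
        if client_serial < oldest_known:
            return self.axfr()
        changes = [h for h in self.history if h[0] > client_serial]
        return {"type": "IXFR", "serial": self.serial, "changes": changes}

def apply_transfer(secondary_records, transfer):
    """What a secondary does with the answer; returns its new record set."""
    if transfer["type"] == "AXFR":
        return dict(transfer["records"])
    records = dict(secondary_records)
    for _serial, removed, added in transfer["changes"]:
        for name in removed:
            records.pop(name, None)
        records.update(added)
    return records
```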
Configuring a zone for dynamic updates within the zone properties
dialog box (obtainable from the DNS Management Console) allows DNS
clients to update their resource records dynamically with the server
anytime a change occurs. This can be enabled or disabled on a per-zone
basis. With an Active Directory Integrated zone, you can store DNS
resource records in AD naming contexts to simplify zone replication.
The DNS root name server of a domain is the name server that is
acting as the Start of Authority for that zone. The first division of
DNS is into domains. The InterNIC (Internet Network Information Center)
controls top-level domains (com, edu, etc.). Stub zones contain SOA and
NS records, as well as A records for name servers.
A DNS client is any computer that can query a DNS server
(through a resolver). A resolver is the DNS client program that
is used to query DNS name information. A DNS server is any
computer running the DNS Server service. DNS servers perform name-to-IP
mapping and attempt to resolve client queries.
FQDNs (fully qualified domain names) specify the host name, the
domain or subdomain to which the host belongs, and any domains above
that in the hierarchy until the root domain in the organization is
specified. The FQDN is read from left to right, with each host name or
domain name separated by a period.
Network Security:
Event Viewer - the primary tool used for viewing log files. In
addition to the three logs that have always existed (Application,
System, and Security; the System log records services and drivers that
fail to start), there are now logs for Directory Services, File
Replication Service, and DNS, if those services are in use.
Common TCP ports to allow/deny include:
FTP (data)
FTP (session)
Telnet
SMTP
HTTP
POP3
IMAP
TCP/IP packet filters can be used to prevent types of packets from
reaching your network server. These are configured through the Advanced
button on the TCP/IP protocol properties. Filters can be set for TCP,
UDP, or IP protocol numbers, and can be universal (for all adapters) or
individual. The filter can accept, deny, or accept within specified
conditions (always respond using IPSec, use Perfect Forward Secrecy,
etc.).
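An added Python illustration, not from the guide, of the filter semantics described above: first-match rules that are either universal or scoped to one adapter, three possible outcomes, and deny for anything not listed. The port numbers are the well-known ports of the services listed; the adapter names and rule set are constructed.

```python
TCP, UDP = 6, 17   # IP protocol numbers, the form the filter dialog accepts

# Well-known TCP ports of the services the guide lists (constructed rule data)
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
                 "http": 80, "pop3": 110, "imap": 143}

class PacketFilter:
    """First-match filter over (adapter, protocol, port) with a default of deny.
    A rule whose adapter is None is universal (applies to every adapter)."""

    def __init__(self):
        self.rules = []   # (adapter or None, protocol, port or None, action)

    def add(self, action, protocol, port=None, adapter=None):
        if action not in ("accept", "deny", "accept-with-ipsec"):
            raise ValueError("unknown action: " + action)
        self.rules.append((adapter, protocol, port, action))

    def decide(self, adapter, protocol, port):
        """Return the action of the first matching rule, else 'deny'."""
        for rule_adapter, rule_proto, rule_port, action in self.rules:
            if rule_adapter is not None and rule_adapter != adapter:
                continue
            if rule_proto != protocol:
                continue
            if rule_port is not None and rule_port != port:
                continue
            return action
        return "deny"   # anything not explicitly permitted is dropped
```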
IPSec is used to negotiate the secure connection utilizing DES (Data
Encryption Standard/ 56-bit), and 3DES (Triple DES). IPSec is used to
secure packets between two hosts and cannot be used locally, whereas EFS
is used locally and does not encrypt data on a network.
Only one IPSec policy can be in use at a time. All policy settings
can be made using wizards. IPSECMON.EXE can be used to monitor and
troubleshoot operations.
The IP Security Policy Management MMC console is used to manage
IPSec. To create a new policy, right-click the IP Security Policies
folder for the popup menu that contains the New IP Security Policy
option.
Managing Routing and Remote Access (RAS):
RRAS routing is installed/configured through the RRAS MMC snap-in by
right-clicking on the server and choosing Configure and Enable Routing
and Remote Access on the popup menu. This starts the RRAS Setup Wizard.
The three types of remote access permissions available to a user are:
Allow access
Deny access
Control access through Remote Access Policy
When a user dials in, you can choose to verify caller-ID, assign a
static IP address to the connection, and/or apply static routes.
RRAS includes support for RIP for IPX and SAP for IPX. RRAS supports
the following protocols: AppleTalk, IPX, NetBEUI, and TCP/IP.
An individual host can have its data packet sent in one of the
following three ways:
- By looking at the default gateway address in the IP configuration
- By using Internet Control Message Protocol (ICMP) redirects to find a
route to a destination host
- By listening to traffic between routers utilizing RIP (Routing
Information Protocol) or Open Shortest Path First (OSPF); this is known
as dynamic routing.
Monitoring remote access is done through counters in the Performance
utility; the RRAS MMC console can be used to configure incoming
connections and other features.
Remote Access Dial-in Profiles allow you to define the following:
Dial-in Constraints
IP Address Assignment Policy
Multilink (aggregation of multiple analog phone lines
through multiple modems for greater bandwidth)
Authentication
Encryption (No Encryption, Basic or Strong)
Remote Access Dial-in Profiles can be configured and govern security
in much the same way group policies do.
A remote access policy defines actions that can be undertaken
for a user or group of users who connect remotely. They can employ
specific authentication and encryption methods.
IAS (Internet Authentication Service) can be used to enforce (through
policies) issues such as: RADIUS clients allowed, incoming phone numbers
to accept, the type of media used to establish the connection, user
membership in security groups, and the time of allowed access (day,
hour, etc.). With RADIUS, all authentication requests heard by a server
are sent to a RADIUS server for approval/denial. RADIUS is an open
standard.
IAS is used for centralized administration and to enforce access
policies. It works with PAP, CHAP, MS-CHAP, and EAP. IAS is useful for
centralized auditing, scaling systems for growing demand, monitoring
usage remotely, and working with a graphical interface through an MMC
snap-in.
Remote Access Authentication Protocols:
CHAP (Challenge Handshake Authentication Protocol) - uses the
industry-standard MD5 one-way hash to protect the response. Highly
Secure.
EAP (Extensible Authentication Protocol) - Client and server
negotiate the Authentication method to include MD5 username and password
encryption, smart-cards, token cards, retina or fingerprint scanners and
other third party authentication technologies.
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) -
one-way encrypted password. This is enabled by default on a Windows
Server 2003 running RAS. Highly Secure. This differs from CHAP in that
the client communication must be between two Microsoft operating
systems.
MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol v2) -
strong encryption. Windows clients use this by default for dial-up
networking (also known as DUN). Windows 2000, NT4 and Win98 clients use
it by default for VPN. Highly Secure. Version 2 differs from version 1
primarily in that two-way (mutual) authentication is implemented in
version 2.
PAP (Password Authentication Protocol) - uses clear text
passwords. Provides little security.
SPAP (Shiva Password Authentication Protocol) - more secure than PAP;
it is used to connect to Shiva LANRover devices. Medium Security.
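To make the difference between PAP and CHAP concrete, an added Python example (not from the guide): PAP puts the password itself on the wire, CHAP sends only an MD5 digest computed over a fresh challenge, and a captured CHAP response fails against any other challenge. The user name and secret are constructed.

```python
import hashlib
import os

def pap_request(username, password):
    """PAP: the password itself crosses the link, readable by anyone on the path."""
    return {"user": username, "password": password}

def pap_verify(request, secret_db):
    return secret_db.get(request["user"]) == request["password"]

def chap_challenge(identifier):
    """Server -> client: a fresh random challenge, new for every attempt."""
    return {"id": identifier, "challenge": os.urandom(16)}

def _chap_digest(identifier, secret, challenge):
    # RFC 1994: Response = MD5(Identifier || secret || Challenge); MD5 is what
    # CHAP specifies, and it is used here only as a one-way hash
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_response(challenge, username, secret):
    """Client -> server: only the digest travels; the secret stays on the client."""
    return {"id": challenge["id"], "user": username,
            "response": _chap_digest(challenge["id"], secret, challenge["challenge"])}

def chap_verify(challenge, response, secret_db):
    """Server recomputes the digest from its own copy of the secret. A response
    captured earlier fails against a new challenge, so it cannot be replayed."""
    secret = secret_db.get(response["user"])
    if secret is None or response["id"] != challenge["id"]:
        return False
    expected = _chap_digest(challenge["id"], secret, challenge["challenge"])
    return expected == response["response"]

def secret_on_wire(message, secret):
    """What a passive observer of one message learns: is the secret in it?"""
    return any(value == secret for value in message.values())
```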
A virtual private network (VPN) is an extension of the physical
network. Rather than restricting the network to local cabling, it uses a
public network (such as the Internet) as a segment backbone.
Windows Server 2003 uses two main encryption protocols with VPNs
(virtual private networks): MPPE is used with PPTP, and IPSec, an open
protocol suite used together with L2TP, encrypts user names, passwords,
and data. Connections are configured to use MPPE (running with PPTP) or
IPSec (running with L2TP) through the Network and Dial-up Connections
applet.
PPPoE (Point to Point Protocol over Ethernet) support is built into
Windows Server 2003, as is an integrated firewall, 802.1x (wireless
security) and IPv6 support.
Network Infrastructure:
Network Monitor in Windows Server 2003 is a subset of the fuller version
that ships with SMS. It can be used to capture real-time activity, to
create filters, and to view and save data to a file.
System Monitor – an ActiveX tool that can graphically display
performance of various real-time statistics. Within it, the workstation
is divided into a number of different objects, and each object is
divided into one or more counters. System Monitor appears on the
Performance tool (Start – Programs – Administrative Tools – Performance)
and it is the primary performance tool for the system. Performance Logs
and Alerts enables you to record data to create and compare with a
baseline (to get a long-term look at how the system is operating) or
send administrative alerts when thresholds are reached.
Optimal performance from a system is what you are always striving
for. Optimal performance is attained when a system is running
(processing, responding, and so on) as fast as it possibly can, given
the resources available to it.
TCP/IP utilities to know for network performance:
ARP - Address Resolution Protocol - displays a cache of locally
resolved IP addresses to Media Access Control (MAC) addresses.
Finger - Retrieves system info from a remote computer that
supports the TCP/IP finger service.
FTP - File Transfer Protocol - provides file transfers between
TCP/IP hosts, one of which runs FTP server software.
Hostname - returns the local computer's host name.
IPCONFIG - Displays the TCP/IP configuration; with the /all switch,
it also shows the DHCP, DNS and WINS server addresses. WINIPCFG is the
equivalent utility on Windows 9x workstations. The /displaydns,
/flushdns, and /registerdns switches act directly on the DNS resolver
cache and DNS registration.
LPD - Line Printer Daemon - Services LPR requests and submits
print jobs to a printer device.
LPQ - Line Printer Queue - Obtains the status of a print queue on a
host running the LPD Service.
LPR - Line Printer Remote - Prints a file to a host running the
LPD Service.
NBTstat - Checks the state of current NetBIOS over TCP/IP
connections, updates LMHOSTS cache, determines registered name.
Netdiag - Tests the network functions and provides a report of
the results.
Netsh - Network Shell. This utility can be used to interact
with most networking services from the command line.
Netstat - Displays protocol statistics and the current state
of TCP/IP connections. The -a option is used to see all information.
NSlookup - examines entries in the DNS database pertaining to a
particular host or domain.
Pathping - acts as a combination of PING and TRACERT. It sends
echo requests along the route and identifies the hosts that respond to
them.
PING - Packet Internet Groper - Verifies that TCP/IP is
configured correctly and that another host is reachable.
REXEC - Remote Execution - Runs a process on a remote computer.
Route - views or modifies the local routing table.
RSH - Remote Shell - runs commands on a UNIX host.
Telnet - Provides Terminal Emulation to a TCP/IP host running
Telnet server software.
Tracert - verifies the route used from the local host to the remote
host. This is superior to PING in that it also shows the route taken to
reach the remote host.