Study Guide for Microsoft Exam 070-293
Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
Server Roles:
There are four different versions of Windows Server 2003 available:
1. Web edition – which supports one or two processors
2. Standard Edition – which supports two processors
3. Enterprise Edition – will support up to 8 processors
4. Datacenter Edition – can work with up to 32 processors
Each of these operating systems must be “activated” (with the
exception of volume license versions) in order to be usable. This is
intended to provide copy protection and prevent piracy. Aside from the
different versions, there are a number of different roles that a server
may play as well. The “role” of the server is to offer a service (one or
more) to the network.
The role can be Active Directory related (Domain controllers) or
purely service-oriented. Within those that are Active Directory related,
there are five FSMO (Flexible Single Master Operations) roles:
1. PDC (Primary Domain Controller) emulator – used for backward
compatibility
2. RID (Relative ID) Master – holds the pool of ID numbers to
be used
3. Infrastructure Master – handles updates and name changes
4. Domain Naming Master – by default the first domain controller
in a forest
5. Schema Master – oversees all schema operations
The primary domain controller performing one of these roles is known
as the role master. Microsoft recommends the PDC emulator and RID master
be kept on the same domain controller, and the Domain Naming Master be
stored on a Global Catalog server.
Server Security:
Event Viewer is the primary tool used for viewing log files. In
addition to the three log files that have always existed (Application,
System – which contains information about services and drivers that fail
to start - and Security), there are now log files for: Directory
Services, File Replication Service, and DNS, if those services are in
use.
It is highly recommended to put users into groups and give
permissions to the groups. In Windows Server 2003, the following types
of groups exist:
· Machine local
· Domain local
· Global
· Universal
· Builtin – these are Domain local groups that exist for
compatibility with Windows NT. By default, the following groups are
found on all Windows Server 2003 systems: Administrators, Backup
Operators, Guests, Network Configuration Operators, Power Users, Print
Operators, Remote Desktop Users, Replicator, and Users. These built-in
users and groups cannot be deleted.
Windows Server 2003 includes GPUPDATE – a new utility that
replaces SECEDIT switches for group policy updates. SECEDIT still exists
in 2003, but it is now used only for applying changes and reporting on
them.
Network Infrastructure:
NAT interfaces define connection properties for network address
translation. They define what constitutes the internal network and what
constitutes the external network. NAT translates between two different
networks, allowing you to have a private scope internally and still
communicate with the Internet. Windows Server 2003 includes the
following NAT editors: FTP, ICMP, and PPTP.
Internet Connection Sharing (ICS) is a service that allows you to
provide automated demand-dial capabilities on a small network, such as a
home office. This can be used for any number of processes, including DNS
Proxy, DHCP, and NAT.
System Monitor is an ActiveX tool that can graphically display
performance of various real-time statistics. Within it, the workstation
is divided into a number of different objects, and each object is
divided into one or more counters. System Monitor appears on the
Performance tool (Start – Programs – Administrative Tools – Performance)
and it is the primary performance tool for the system. Performance Logs
and Alerts enables you to record data to create and compare with a
baseline (to get a long-term look at how the system is operating) or
send administrative alerts when thresholds are reached.
Optimal performance from a system is what you are always striving
for. Optimal performance is attained when a system is running
(processing, responding, and so on) as fast as it possibly can, given
the resources available to it.
TCP/IP:
TCP/IP addresses can be assigned manually to each host, or leased to
them through the use of a DHCP server. The addresses must be unique
within the realm in which the host communicates. If the host only
communicates locally, then the address need only be unique locally; if
it communicates directly across the Internet, then the address must be
unique within the world.
The first octet identifies the class of network, with the following
being valid entries:
| First octet | Class               |
| 1 – 126     | Class A             |
| 128 – 191   | Class B             |
| 192 – 223   | Class C             |
| 224 – 239   | Class D (multicast) |
Addresses cannot consist of all zeros, or all ones, and the entire
127 domain is reserved because 127.0.0.1 is set aside as the “loopback”
address.
To configure TCP/IP on a host, you need only three values with one
being that of default gateway (the other two are IP address and subnet
mask). The default gateway is the IP address of the router all data not
intended for this network should go to.
A subnet mask divides the total number of hosts available for one
network into a smaller number available for a number of networks. The
subnet mask value is based upon the class of network you have. Default
values by class, and the maximum number of hosts are:
| Class | Default Subnet Mask | Total number of Hosts for Network |
| A     | 255.0.0.0           | > 16 million                      |
| B     | 255.255.0.0         | > 65,000                          |
| C     | 255.255.255.0       | 254                               |
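The following is an added example, not part of the study guide: it applies the first-octet class rules, the default subnet mask and the all-zeros, all-ones and 127 reservations described above, then uses the mask to decide whether a packet stays on the local network or must be handed to the default gateway. All addresses in it are constructed sample values.

```python
# Added example, not from the study guide: apply the first-octet class rules,
# default subnet mask and "all zeros / all ones / 127" reservations above, then
# use the mask to decide whether a packet stays local or goes to the gateway.

def to_int(addr):
    """Dotted quad -> 32-bit int; raises ValueError on malformed input."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | octet
    return value

def to_str(value):
    """32-bit int -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

# (class, first octet low, high, default mask, usable hosts per network).
# Usable hosts = 2**host_bits - 2, since the all-zeros and all-ones host
# parts cannot be assigned; class D is multicast and has no host addressing.
CLASSES = (
    ("A", 1, 126, "255.0.0.0", 2**24 - 2),
    ("B", 128, 191, "255.255.0.0", 2**16 - 2),
    ("C", 192, 223, "255.255.255.0", 2**8 - 2),
    ("D", 224, 239, None, 0),
)

def classify(addr):
    """Return (class, default_mask, usable_hosts); reserved addresses raise."""
    value = to_int(addr)
    first = value >> 24
    if value in (0, 0xFFFFFFFF):
        raise ValueError(f"{addr} is all zeros or all ones")
    if first == 127:
        raise ValueError(f"{addr} is in the reserved 127 loopback range")
    for cls, low, high, mask, hosts in CLASSES:
        if low <= first <= high:
            return cls, mask, hosts
    raise ValueError(f"{addr} falls outside the classes listed")

def network_of(addr, mask):
    """Network address: AND the host address with the subnet mask."""
    return to_str(to_int(addr) & to_int(mask))

def next_hop(src, dst, mask=None, gateway=None):
    """Where src sends a packet for dst: 'local' if both share a network under
    mask (the default mask of src's class when none is given), otherwise the
    default gateway, which must then be configured."""
    if mask is None:
        _, mask, _ = classify(src)
    if network_of(src, mask) == network_of(dst, mask):
        return "local"
    if gateway is None:
        raise ValueError("destination is off-net and no default gateway is set")
    return gateway

if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real network.
    print(classify("10.4.5.6"))
    print(next_hop("192.168.1.10", "192.168.1.20"))
    print(next_hop("192.168.1.10", "172.16.0.9", gateway="192.168.1.1"))
    print(next_hop("192.168.1.10", "192.168.2.5", mask="255.255.0.0"))
```

The last call shows why the mask matters: with a 255.255.0.0 mask two class C style addresses in different third octets are treated as one local network.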
DHCP (Dynamic Host Configuration Protocol) allows you to dynamically
distribute IP addresses and all associated configuration data through an
open standard. DHCP clients are given leases to define the amount of
time their address information is valid. Every client automatically
attempts to extend the lease when half the time of the lease has
expired. If it fails, it keeps trying for the duration of the lease.
DHCP does not only issue addresses from the address pool/scope, but
also issues lease information and other IP configuration data (default
gateway, subnet mask, etc.). DHCP is installed as a service on Windows
Server 2003 through the wizards reached from the Networking Services
subcomponent of the Add/Remove Programs applet.
A scope is a range of IP addresses that can be issued to DHCP
clients on a single subnet by the DHCP server. Only one scope can be
created for each subnet, and a single DHCP server can manage several
scopes.
TCP/IP utilities to know:
ARP - Address Resolution Protocol - displays a cache of locally
resolved IP addresses to Media Access Control (MAC) addresses.
Finger - Retrieves system info from a remote computer that
supports the TCP/IP finger service.
FTP - File Transfer Protocol - provides file transfers between
TCP/IP hosts with one running FTP software.
Hostname - returns the local computer's host name.
IPCONFIG - Verifies TCP/IP information. With the “/all” switch,
it will give DHCP, DNS and WINS addresses. WINIPCFG is the utility used
in place of IPCONFIG on Win9.x workstations. The /DISPLAYDNS, /FLUSHDNS,
and /REGISTERDNS options are used to directly interact with Domain Name
Service variables.
LPD - Line Printer Daemon - Services LPR requests and submits
print jobs to a printer device.
LPQ - Line Printer Queue - Obtains the status of a print queue on a
host running the LPD Service.
LPR - Line Printer Remote - Prints a file to a host running the
LPD Service.
NBTstat - Checks the state of current NetBIOS over TCP/IP
connections, updates the LMHOSTS cache, and determines registered names.
Netdiag - Tests the network functions and provides a report of
the results.
Netsh - Network Shell. This utility can be used to interact
with most services from the command line.
Netstat - Displays protocol statistics and the current state
of TCP/IP connections. The -a option is used to see all information.
NSlookup - Examines entries in the DNS database pertaining to a
particular host or domain.
Pathping - Acts as a combination of ping and tracert. It sends
echo requests out and identifies the hosts that hear them.
PING - Packet Internet Groper - Verifies that TCP/IP is
configured correctly and that another host is available.
REXEC - Remote Execution - Runs a process on a remote computer.
Route - Views or modifies the local routing table.
RSH - Remote Shell - Runs commands on a UNIX host.
Telnet - Provides terminal emulation to a TCP/IP host running
Telnet server software.
Tracert - Verifies the route used from the local host to the
remote host. This is superior to PING in that it also shows the route
taken to reach the remote host.
DNS:
DNS is a server service consisting of a hierarchical, distributed
database with built-in redundancy and caching capabilities. DNS
translates domain names into IP addresses. When a DNS server cannot
resolve a query, it moves (escalates) it up to a root server that is
authoritative for a zone. DNS queries can be either recursive or
iterative.
DNS is installed as a service within Windows Server 2003 through the
use of wizards. If you have installed Active Directory (via the Active
Directory Installation Wizard) but cannot find a DNS server, the ADI
wizard will attempt to install the DNS service for you. DNS management
can be performed with the DNS Manager snap-in.
DNS monitoring can be done with the Performance tool on counters such
as Caching Memory, IXFR Counters, TCP/IP, and Zone Transfer. DNS uses
resource records to perform translations. Resource records are entries
in the zone database file; each resource record identifies a particular
resource within the database.
Dynamic DNS (DDNS) is simply the marriage of DHCP and DNS. Whenever a
client interacts with DHCP (new lease, renewal, etc.), the fully
qualified domain name (FQDN) of the client is registered with DNS
through the DHCP server. This registration can be done manually using
the REGISTERDNS parameter with the IPCONFIG.EXE utility.
Configuring a zone for dynamic updates within the zone properties
dialog box (obtainable from the DNS Management Console) allows DNS
clients to update their resource records dynamically with the server
anytime a change occurs. This can be enabled or disabled on a per-zone
basis. With an Active Directory Integrated zone, you can store DNS
resource records in AD naming contexts to simplify zone replication.
The DNS root name server of a domain is the name server that is
acting as the Start of Authority for that zone. The first division of
DNS is into domains. The InterNIC (Internet Network Information Center)
controls top-level domains (com, edu, etc.). Stub zones contain SOA and
NS records, as well as A records for name servers.
A DNS client is any computer that can query a DNS server
(through a resolver). A resolver is the DNS client program that
is used to query DNS name information. A DNS server is any
computer running the DNS Server service. DNS servers perform name-to-IP
mapping and attempt to resolve client queries.
FQDNs (fully qualified domain names) specify the host name, the
domain or subdomain to which the host belongs, and any domains above
that in the hierarchy until the root domain in the organization is
specified. The FQDN is read from left to right, with each host name or
domain name separated by a period.
Local subnets are prioritized within DNS by default. This is done so
that the client finds a local resource first rather than a remote
resource.
Delegated zones require that all queries on the existing domain go to
one server for resolution. In all cases, the delegated domain must be a
sub-domain of the domain performing the delegation. DNS zones are
created with the New Zone Wizard and can be used for forward-lookup or
reverse-lookup.
With Windows Server 2003, dnsaddp.exe runs, whenever a domain
controller is started, to create DNS application partitions. Also with
Windows Server 2003, conditional forwarding can be used to let the name
server select a forwarder based on a domain implied in a client query.
The primary troubleshooting tool for working with DNS is NSLOOKUP,
although IPCONFIG and Event Viewer also can be helpful. In addition to
the DNS Management Console GUI, you can also manage DNS from the
command-line with the DNSCMD tool.
WINS:
WINS continues to persist in Windows Server 2003, with no real
change in operation from Windows 2000. WINS (Windows
Internet Naming Service) is responsible for resolving NetBIOS names to
IP addresses. When a WINS client boots up, it announces itself to the
WINS server. The WINS server stores the name and IP of the client in the
database to hand out on future requests. This enables you to connect to
a server named Appserver by name instead of having to remember
Appserver’s IP address. The WINS database is dynamic.
WINS servers are required to have static IP addresses.
Name Resolution Nodes
B-Node (broadcast) - uses broadcasts to resolve names (not recommended
for larger networks, and mostly used by older clients)
P-Node (peer to peer) - uses WINS only, no broadcasts. No WINS server,
no resolution. This is the mode typically used by newer clients.
M-Node (mixed) - Broadcast first, then WINS (this is not recommended as
you want to attempt to minimize broadcasts).
H-Node (hybrid) - uses WINS first, then broadcast (this is recommended
as it cuts down broadcasts by trying WINS first but will resort to
broadcast as last resort.)
The LMhosts file is a text file that you can manually update that
holds NetBIOS name and IP combinations.
WINS Replication - You should have multiple WINS servers for fault
tolerance. These servers can be set up to replicate the data to each
other. WINS replicates changes only (data is replicated at the record
level using an incremental version ID) instead of the whole database.
Persistent connections between WINS servers increase replication
efficiency by not needing to establish temporary connections for every
update.
Push Partner - WINS will replicate after a certain number of changes to
the database.
Pull Partner - WINS will replicate at a certain time period regardless
of the number of changes.
Push/Pull Partner - WINS will replicate at a certain number of changes
or at a specified time interval regardless of the number of changes.
For automatic configuration, every WINS server announces its presence
with broadcasts. If one is found without a push/pull partner, it gets
added into the replication list of an existing server. For manual
configuration, choose the New Replication Partner option from the
Replication Partners node of the server.
While WINS replication occurs on a regular basis, it can be forced at
any time by right-clicking a partner and sending an immediate trigger to
the partner. WINS-R records can be used in DNS to configure reverse
lookups for WINS resolution.
Tombstoned WINS records are not immediately removed, but instead are
flagged for later deletion (via an extinction interval) and replicated.
Even manually tombstoned WINS records remain in the database until a
scavenge operation is undertaken.
Routing and Remote Access:
RRAS routing is installed/configured through the RRAS MMC snap-in by
right-clicking on the server and choosing Configure and Enable Routing
and Remote Access on the popup menu. This starts the RRAS Setup Wizard.
The three types of remote access permissions available to a user are:
Allow access
Deny access
Control access through Remote Access Policy
When a user dials in, you can choose to verify caller-ID, assign a
static IP address to the connection, and/or apply static routes.
RRAS includes support for RIP for IPX and SAP for IPX. RRAS supports
the following protocols: AppleTalk, IPX, NetBEUI, and TCP/IP.
An individual host can have its data packet sent in one of the
following three ways:
- By looking at the default gateway address in the IP configuration
- By using Internet Control Message Protocol (ICMP) redirects to find a
route to a destination host
- By listening to traffic between routers utilizing RIP (Routing
Information Protocol) or Open Shortest Path First (OSPF), known as
dynamic routing.
Monitoring remote access is done through counters in the Performance
utility; the RRAS MMC console can be used to configure incoming
connections and other features.
Remote Access Dial-in Profiles allow you to define the following:
Dial-in Constraints
IP Address Assignment Policy
Multilink (aggregation of multiple analog phone lines
through multiple modems for greater bandwidth)
Authentication
Encryption (No Encryption, Basic or Strong)
Remote Access Dial-in Profiles can be configured and govern security
in much the same way group policies do.
A remote access policy defines actions that can be undertaken
for a user or group of users who connect remotely. They can employ
specific authentication and encryption methods.
IAS (Internet Authentication Service) can be used to enforce (through
policies) issues such as: RADIUS clients allowed, incoming phone numbers
to accept, the type of media used to establish the connection, user
membership in security groups, and the time of allowed access (day,
hour, etc.). With RADIUS, all authentication requests heard by a server
are sent to a RADIUS server for approval/denial. RADIUS is an open
standard.
IAS is used for centralized administration and to enforce access
policies. It works with PAP, CHAP, MS-CHAP, and EAP. IAS is useful for
centralized auditing, scaling systems for growing demand, monitoring
usage remotely, and working with a graphical interface through an MMC
snap-in.
Server Availability:
Clustering is not available with the Standard edition or Web edition
of Windows Server 2003. The Enterprise edition will support a cluster of
up to four nodes, while the Datacenter edition will support a cluster of
up to eight nodes.
What was known as the Windows NT Load Balancing Service (WLBS) in
previous operating system versions is now known as Network Load
Balancing in Windows Server 2003. It allows you to distribute incoming
TCP/IP traffic to multiple servers for processing.
The four tabs of the Windows Server 2003 Backup Utility are:
1. Welcome
2. Backup
3. Restore and Manage Media
4. Schedule Jobs
An incremental backup backs up all files that have the
archive bit on, and then turns that bit off. A normal/full backup
gets all files, regardless of the status of the archive bit, and then
turns the bit off (if it was on). A differential backup gets all
files with the archive bit on, and then leaves it on. A daily
backup is valid only for the day (as the name implies). A copy
backup backs up files and leaves the archive bit on.
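The following is an added example, not part of the study guide: it simulates the archive-bit rules just described for normal, copy, incremental and differential backups, and derives from them which jobs a full restore must apply. The daily type is left out because the guide ties it to the date rather than the archive bit; the file names and job sequence are constructed.

```python
# Added example, not from the study guide: simulate the archive-bit rules the
# guide gives for normal, copy, incremental and differential backups, and
# derive which jobs a full restore needs. The daily type is left out because
# the guide ties it to the date, not the archive bit.

# kind -> (copy only files whose archive bit is set?, clear the bit afterwards?)
BACKUP_TYPES = {
    "normal":       (False, True),   # every file, then clears the bit
    "copy":         (False, False),  # every file, leaves the bit untouched
    "incremental":  (True,  True),   # flagged files only, clears the bit
    "differential": (True,  False),  # flagged files only, leaves the bit set
}

def modify(files, *names):
    """Simulate a write: the file system sets the archive bit on each file."""
    for name in names:
        files[name] = True

def run_backup(kind, files):
    """files maps name -> archive bit. Returns the sorted names the job copies
    and updates the bits the way that backup type would."""
    only_flagged, clear_bit = BACKUP_TYPES[kind]
    copied = sorted(n for n, bit in files.items() if bit or not only_flagged)
    if clear_bit:
        for name in copied:
            files[name] = False
    return copied

def restore_plan(jobs):
    """jobs is the list of backup kinds in the order they ran. Returns the
    indexes of the jobs a restore must apply, in order: the last normal backup,
    every incremental after it, and the most recent differential taken since
    the last job that cleared the bits (copy jobs are never required)."""
    last_full = max(i for i, k in enumerate(jobs) if k == "normal")
    plan, last_diff = [last_full], None
    for i in range(last_full + 1, len(jobs)):
        if jobs[i] == "incremental":
            plan.append(i)
            last_diff = None          # an incremental cleared the bits again
        elif jobs[i] == "differential":
            last_diff = i             # supersedes any earlier differential
    if last_diff is not None:
        plan.append(last_diff)
    return plan

def simulate(jobs, edits):
    """Run jobs in order; edits[i] lists files modified just before job i.
    Returns the list of files each job copied."""
    files = {"a.doc": True, "b.xls": True, "c.txt": True}   # constructed sample
    copied = []
    for i, kind in enumerate(jobs):
        modify(files, *edits.get(i, ()))
        copied.append(run_backup(kind, files))
    return copied

if __name__ == "__main__":
    jobs = ["normal", "incremental", "differential", "incremental", "differential"]
    edits = {1: ("a.doc",), 2: ("b.xls",), 4: ("c.txt",)}
    for kind, got in zip(jobs, simulate(jobs, edits)):
        print(f"{kind:13s} copied {got}")
    print("restore needs jobs", restore_plan(jobs))
```

Note that the differential at job 2 and the incremental at job 3 both copy b.xls: the differential left the bit on, so the next incremental picks the file up again.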
A backup log can be configured from the options of the Backup
Utility. You can choose either “Detailed” or “Summary” log files. A
detailed file includes the name of every file backed up, while a summary
only offers a file count and indicates any files that were skipped.
To start Windows Server 2003 in Safe mode, press F8 when the Please
Select The Operating System To Start message appears. Safe mode enables
you to start the system with a minimal set of device drivers and
services. Choices appearing on the option menu are:
· Safe mode
· Safe mode with networking
· Safe mode with command prompt
· Enable boot logging (which sends the output to ntbtlog.txt)
· Enable VGA mode
· Last Known Good configuration
· Debugging mode
· Directory Service Restore mode (on domain controllers only)
Recovery Console - Windows Server 2003 has a Recovery Console
to help when you have trouble booting. The Recovery Console is not
installed by default. Install the Recovery Console by booting from the
Windows Server 2003 CD and choosing Repair, or running winnt32.exe
/cmdcons from the I386 directory of the CD. This copies the files
locally and you will now see an option to enter the Recovery Console at
boot up.
The Recovery Console is limited to administrators, and you must give
the Administrator password when choosing it. This utility will allow you
to do such things as:
- Use, copy, rename or replace operating system files and folders.
- Enable or disable services or devices from starting when you next
start your computer.
- Repair the file system boot sector or the Master Boot Record (MBR).
- Create and format partitions on drives.
Emergency Management Services (EMS) allow a server to be
accessed across a serial line to perform recovery operations.
Network Security:
Common TCP ports to allow/deny include:
- FTP (data)
- FTP (session)
- Telnet
- SMTP
- HTTP
- POP3
- IMAP
TCP/IP packet filters can be used to prevent types of packets from
reaching your network server. These are configured through the Advanced
button on the TCP/IP protocol properties. Filters can be set for TCP,
UDP, or IP protocol numbers, and can be universal (for all adapters) or
individual. The filter can accept, deny, or accept within specified
conditions (always respond using IPSec, use Perfect Forward Secrecy,
etc.).
IPSec is used to negotiate the secure connection utilizing DES (Data
Encryption Standard/ 56-bit), and 3DES (Triple DES). IPSec is used to
secure packets between two hosts and cannot be used locally, whereas EFS
is used locally and does not encrypt data on a network.
Only one IPSec policy can be in use at a time. All policy settings
can be made using wizards. IPSECMON.EXE can be used to monitor and
troubleshoot operations.
The IP Security Policy Management MMC console is used to manage
IPSec. To create a new policy, right-click the IP Security Policies
folder for the popup menu that contains the New IP Security Policy
option.
Security Infrastructure:
Public Key Encryption - Public Key Encryption uses a 2 key
method to encrypt data. The Public Key is given out to any user wishing
to communicate with the key owner. The Private Key is kept by the owner
to decode transmissions encrypted with the public key.
Public Key Authentication - Public Key Encryption uses the
same 2 key method for authentication. This is also known as digital
signatures. Digital signatures are very common when visiting websites.
The purpose of a digital signature is to guarantee that data is from the
user it is supposed to be from, and that it has not been altered.
Signing uses encryption as its main tool but also adds origin and
authenticity information as well.
The Public Key is sent out to a user to authenticate the sender. The
Private key is used to encrypt data to be sent.
Within PKI are the following elements: certificate authorities, which
issue and revoke certificates, and certificate publishers, which make
what the CA has issued available.
CA (Certificate Authority) - A Certificate Authority is
responsible for assigning the keys for encryption, decryption and
authentication. There are 2 types of CAs: Enterprise and
Stand-Alone. Each of these types can have a root CA and Subordinate
CAs.
| CA type | Description |
| Enterprise Root CA | Top-level CA. An Enterprise CA requires Active Directory, so it should be used in your internal 2000 network. |
| Enterprise Subordinate CA | Obtains its CA certificate from the Enterprise root. An Enterprise CA requires Active Directory, so it should be used in your internal 2000 network. |
| Stand-Alone Root CA | Top-level CA. A Stand-Alone CA can use but does not require Active Directory, so it can be used for people connecting from outside your network (i.e., the Internet or an extranet). |
| Stand-Alone Subordinate CA | Obtains its CA certificate from the Stand-Alone root. A Stand-Alone CA does not require Active Directory, so it can be used for people connecting from outside your network (i.e., the Internet or an extranet). |
The Certificate Revocation List (CRL) can be published automatically
or manually through the appropriate MMC snap-in.