Installing, Configuring, Managing, Monitoring, and Troubleshooting Protocols in a Windows 2000 Network
- Almost no longer in use.
- Communicates via broadcast.
- No configuration at all – very easy to use.
- Cannot pass through a router.
- Good for very SMALL peer-to-peer networks.
- You may need it for backward compatibility with early non-Windows 2000 clients.
- NWLink is Microsoft's implementation of the NetWare protocols.
- "Represents" IPX, SPX, RIPX, and NBIPX.
- Almost completely autoconfiguring with its AutoDetect feature, unless the wrong frame type is detected and used.
- You can manually reset the frame types for an adapter.
- NetWare 5 natively supports IP, but one of the client software solutions below is required, depending on the need to be filled.
- Client Services for NetWare (CSNW) – allows Windows 2000 clients to connect directly to NetWare shares without needing Novell's Client32.
- Gateway Services for NetWare (GSNW) – allows Windows 2000 clients to connect to NetWare shares via a gateway set up on a Windows 2000 server, without needing a native NetWare client.
- File and Print Services for NetWare (FPNW) – lets NetWare clients access Windows 2000 network shares, including printers. The Microsoft Directory Synchronization Services and the File Migration Utility (FMU) help to synchronize AD with NDS, migrate from NDS to AD, and migrate a NetWare file system to Windows 2000.
- Client32 is Novell's client software that allows Windows-based computers to access Novell servers. If you wish to connect clients to NetWare servers via TCP/IP, this is the option that must be used.
- If you have Macintosh clients, you will still need AppleTalk.
- You cannot use AppleTalk as the primary protocol on the network.
- Its Application layer corresponds to the OSI model's Application and Presentation layers.
- Its Transport layer corresponds to the OSI model's Session and Transport layers.
- Its Internet layer corresponds to the OSI model's Network layer.
- Its Network Interface layer corresponds to the OSI model's Data Link and Physical layers.
- Public addresses are assigned by an entity designated by the Internet Corporation for Assigned Names and Numbers (ICANN).
- Three ranges are reserved for private addressing and are not available as registered addresses on the Internet.
- The minimum addressing requirements for installing TCP/IP are the IP address and the subnet mask.
- Automatic Private IP Addressing (APIPA) sets a unique IP address for the adapter should DHCP fail.
- APIPA is recommended for small networks with no DHCP service available.
- Keep in mind that the host portion of an IP address must be unique to a specific host on the network.
- TCP/IP filtering can be used to specifically permit or deny TCP/IP traffic based on IP protocol number, TCP port number, and UDP port number.
- IPSec can be implemented in a Windows 2000 network to provide cryptography-based security for IP traffic.
- Class A – /8 prefix, 24-bit host number
- Class B – /16 prefix, 16-bit host number
- Class C – /24 prefix, 8-bit host number
IP Subnet Mask
- Subnetting is used to control network traffic in the sense that it segments the broadcast domain into smaller independent segments.
- Classful addressing follows the Class A, B, and C rules:
- Class A – 255.0.0.0
- Class B – 255.255.0.0
- Class C – 255.255.255.0
- Classless addressing breaks this limitation – Variable Length Subnet Mask (VLSM).
- When planning the addressing and subnets, ALWAYS leave room for future growth.
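The classful boundaries and the VLSM planning described above, worked through in code. This is an added example and not part of the original notes: the network 192.168.10.0/24 and the host counts are constructed input, the function names are my own, and the `growth` parameter is one way of building in the room for growth the last point asks for.

```python
"""VLSM subnet planner: an added example, not part of the original notes."""
import ipaddress
from typing import List, Tuple


def classful_network(address: str) -> ipaddress.IPv4Network:
    """Return the classful (A/B/C) network an address belongs to."""
    first_octet = int(address.split(".")[0])
    if first_octet < 128:
        prefix = 8          # Class A: mask 255.0.0.0, 24-bit host number
    elif first_octet < 192:
        prefix = 16         # Class B: mask 255.255.0.0, 16-bit host number
    elif first_octet < 224:
        prefix = 24         # Class C: mask 255.255.255.0, 8-bit host number
    else:
        raise ValueError(f"{address} is not a class A/B/C unicast address")
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def prefix_for_hosts(hosts: int) -> int:
    """Smallest prefix length whose block holds `hosts` usable addresses.

    Every subnet loses two addresses (network and broadcast), so the block
    must hold hosts + 2 addresses, rounded up to a power of two.
    """
    needed = hosts + 2
    return 32 - (needed - 1).bit_length()


def subnet_plan(network: str, host_counts: List[int],
                growth: float = 0.0) -> List[Tuple[int, str]]:
    """Carve `network` into one subnet per entry of host_counts (VLSM).

    Requirements are served largest first so every block stays aligned.
    `growth` is the headroom factor: growth=1.0 sizes each subnet for twice
    the hosts requested. Returns [(hosts_requested, "a.b.c.d/len"), ...]
    and raises ValueError when the address space runs out.
    """
    free = [ipaddress.ip_network(network)]
    plan = []
    for want in sorted(host_counts, reverse=True):
        target = prefix_for_hosts(int(want * (1 + growth)))
        # Pick the smallest free block that can still contain the subnet.
        candidates = [b for b in free if b.prefixlen <= target]
        if not candidates:
            raise ValueError(f"no room for a {want}-host subnet in {network}")
        block = max(candidates, key=lambda b: b.prefixlen)
        free.remove(block)
        # Halve the block until it is exactly the size needed; leftovers stay free.
        while block.prefixlen < target:
            block, spare = block.subnets(prefixlen_diff=1)
            free.append(spare)
        plan.append((want, str(block)))
    return plan


if __name__ == "__main__":
    print(classful_network("172.16.5.9"))
    for hosts, subnet in subnet_plan("192.168.10.0/24", [100, 50, 20, 2]):
        print(f"{hosts:>4} hosts -> {subnet}")
```

Running the planner with `growth=1.0` on the same /24 shows why the growth point matters: the 100-host requirement alone then needs the whole block, and the second requirement fails to fit.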
- SNMP is used for network management.
- An SNMP agent is installed on each host to be monitored.
- Agents report back to the SNMP management console.
- A full-blown SNMP management console is available separately; SMS is an example.
- You use Network Monitor to capture and analyze frames.
- A capture filter is available in Network Monitor to ease the analysis process.
- Components of a frame:
- Source address of the sender
- Destination address of the recipient
- Protocol headers
- The Network Monitor that comes with Windows 2000 can only capture frames destined for or sent from this particular computer.
- System Monitor can be used to generate statistics.
- You do NOT use System Monitor to capture frames.
- Defined by the IETF.
- Operates at layer 3.
- Encrypts and decrypts messages for transmission over the network.
- Supported by Windows 2000.
- NOT supported by many pre-Windows 2000 clients.
- Secret key cryptography uses a single preshared key.
- Public key cryptography uses a key pair, with one key for encryption and the other for decryption.
- A Security Association is established with ISAKMP/Oakley.
- An IPSec policy is a collection of rules and key exchange settings contained in a domain security policy or an individual computer's security policy.
- IPSec policies can be created with the IPSec Management MMC snap-in.
- Use IPSECMON.EXE to monitor and troubleshoot IPSec.
- Use Network Monitor 2.0's IPSec parser to capture IPSec-related information transferred over a network interface.
- L2TP + IPSec is usually the best combination for a VPN of pure Windows 2000 computers.
Installing, Configuring, Managing, Monitoring, and Troubleshooting DNS in a Windows 2000 Network Infrastructure
You will need to know DNS inside and out for this exam.
Nature of DNS
- Distributed database.
- Maps "friendly" names to IP addresses.
- DNS is for host name resolution, NOT for computer name resolution.
- Domains can contain other domains (subdomains).
- TCP/IP applications use the WinSock interface.
- TCP/IP applications seldom use the NetBIOS interface.
- The Active Directory namespace should mirror the DNS namespace.
- DNS can accept dynamic updates from clients.
- Intended to replace WINS.
- Currently only Windows 2000 Pro is a truly dynamic client.
- For non-dynamic clients, DHCP can be configured to perform the dynamic DNS registration on the client's behalf.
- A Fully Qualified Domain Name (FQDN) includes the host name and the domain membership of a host computer.
- Domain names should be meaningful.
- Characters that can be used in your domain names are A-Z, a-z, 0-9, and the hyphen.
- NO underscore is allowed in your domain or host names.
- Always keep the domain name short – try not to exceed 63 characters.
DNS Server Types and Architectures
- A DNS zone file contains the resource records for a domain.
- For remote sites that connect to the main site via a slow WAN link, consider using a caching-only DNS server at the remote site, NOT at the main site.
- A caching-only DNS server tries to resolve names from its cache.
- A caching-only DNS server does not participate in zone transfers.
- The Primary DNS server transfers zone data to the Secondary DNS server – this is a zone transfer.
- The Primary DNS server does NOT receive data from the Secondary DNS server.
- An A record is for a host.
- An MX record is for a mail exchanger.
- An SRV record is for services.
- Clients in a Windows 2000 network need DNS to locate the domain controllers.
- DNS in Windows 2000 MUST support the SRV (service) resource record.
- When you install Active Directory, if there is no existing suitable DNS, the wizard can install the Windows 2000 DNS service for you.
Active Directory Integrated Zone
- The BEST zone type to use.
- Offers security for zone transfers.
- Uses Active Directory replication to transfer zone data.
- Zone transfers are based on changes.
Management and Troubleshooting
- You may use the DNS Console, which is an MMC snap-in, to manage the DNS service.
- Use Active Directory Integrated zones whenever possible, as they provide fault tolerance if there is more than one domain controller on the network.
- Use NSLOOKUP to troubleshoot name server problems.
- Whenever a client cannot locate a domain controller, it is either a problem with the client's IP configuration or the client's DNS entry for the domain controller is incorrect.
- Important DNS performance counters to watch: dynamic update and secure dynamic update counters, memory usage counters, and recursive lookup counters.
- May be used as a temporary substitute for the DNS service.
- Cannot accept dynamic updates.
- Must be placed on each client that needs network access.
- NOT recommended.
DNS Scenario: You are implementing an IIS 5.0 Web Server to host your corporate intranet. You need to allow for host name resolution.
- DNS is needed for hosting internal and external web sites.
- The web server itself should use a static IP address.
- Internal intranet name resolution requests from insiders should be handled by the internal DNS server.
- External Internet name resolution requests from outsiders should be handled by the external DNS server.
DNS Scenario: You have installed a Primary and a Secondary DNS server to resolve host names on your intranet. You need to provide name resolution services for hosts on the Internet.
- For resolving Internet names, the best way is to use the ISP's DNS server.
- You should set up a caching-only forwarder to forward requests to the ISP's DNS server.
- There is no need to hold zone information for the outside world on the caching-only server.
DNS Scenario: You have installed IIS 5.0 on a machine with the host name abc.hello.com. You have installed the FTP and the WWW services on this machine. You need to set up the resource record type so that users can refer to this machine as www.hello.com and ftp.hello.com.
- You use an A record to identify the machine as abc.hello.com.
- You use a CNAME record to identify the machine as www.hello.com.
- You use a CNAME record to identify the machine as ftp.hello.com.
- Technically, you can use A records for all three names, but that complicates maintenance and management.
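The A-plus-CNAME layout from this scenario, resolved the way a name server would walk it, together with the maintenance difference the last point mentions. This is an added example, not part of the original notes: the zone dictionaries, the 192.0.2.10 documentation address and the function names are constructed.

```python
"""A/CNAME resolution for the abc.hello.com scenario: added example, not from the notes."""
from typing import Dict, List, Optional, Tuple

# Constructed zone data for the scenario: one host record and two aliases that
# point at it. 192.0.2.10 is a documentation (TEST-NET-1) address, not a real host.
HELLO_ZONE: Dict[str, Tuple[str, str]] = {
    "abc.hello.com": ("A", "192.0.2.10"),
    "www.hello.com": ("CNAME", "abc.hello.com"),
    "ftp.hello.com": ("CNAME", "abc.hello.com"),
}

# The alternative the notes mention: an A record for every name.
HELLO_ZONE_ALL_A: Dict[str, Tuple[str, str]] = {
    "abc.hello.com": ("A", "192.0.2.10"),
    "www.hello.com": ("A", "192.0.2.10"),
    "ftp.hello.com": ("A", "192.0.2.10"),
}


def resolve(name: str, zone: Dict[str, Tuple[str, str]],
            max_chain: int = 8) -> Tuple[Optional[str], List[str]]:
    """Follow CNAME records until an A record is reached.

    Returns (ip, names_visited); ip is None when the name does not exist.
    Loops and over-long alias chains raise ValueError instead of spinning.
    """
    visited: List[str] = []
    current = name.lower().rstrip(".")
    while True:
        if current in visited:
            raise ValueError(f"CNAME loop through {current}")
        visited.append(current)
        record = zone.get(current)
        if record is None:
            return None, visited
        rtype, data = record
        if rtype == "A":
            return data, visited
        if rtype != "CNAME":
            raise ValueError(f"cannot resolve through a {rtype} record at {current}")
        if len(visited) > max_chain:
            raise ValueError("CNAME chain too long")
        current = data.lower().rstrip(".")


def records_to_update(zone: Dict[str, Tuple[str, str]], old_ip: str) -> List[str]:
    """Names whose A record must be edited when the host moves away from old_ip.

    With CNAMEs only the canonical host's A record changes; with an A record per
    name every one of them has to be touched, which is the maintenance cost
    the notes warn about.
    """
    return sorted(n for n, (rtype, data) in zone.items()
                  if rtype == "A" and data == old_ip)


def change_host_address(zone: Dict[str, Tuple[str, str]], old_ip: str, new_ip: str) -> int:
    """Re-point every A record holding old_ip at new_ip; returns how many changed."""
    names = records_to_update(zone, old_ip)
    for n in names:
        zone[n] = ("A", new_ip)
    return len(names)


if __name__ == "__main__":
    for host in ("www.hello.com", "ftp.hello.com", "mail.hello.com"):
        print(host, "->", resolve(host, HELLO_ZONE))
```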
DNS Scenario: You have installed a DNS server on your network. You want your users to be able to continue host name resolution for your intranet in case the DNS server crashes. You need to provide fault tolerance.
- A Secondary server may be used together with the Primary server.
- An Active Directory integrated zone is best if you have multiple domain controllers. Active Directory replication will handle the zone transfer and provide DNS redundancy.
DNS Scenario: A user on a Windows 2000 Professional computer on a subnet cannot connect to a Windows 2000 server computer on another subnet with the command NET USE. Using another Windows 2000 Professional computer on the same subnet as the user’s subnet, the command NET USE works just fine.
- If only a particular user has the problem, either his computer's IP configuration is incorrect or he has an incorrect DNS entry.
- If everyone on the same subnet has the problem, it may be a gateway problem.
- If everyone on different subnets has the problem, it may be a DNS server problem.
DNS Scenario: You administer a TCP/IP network running 300 Windows 2000 computers and 10 Linux servers. The Windows 2000 computers are all DNS-enabled clients. You need to resolve host names to IP addresses with a minimum use of static name resolution.
- You should set up a DDNS server when there is a large number of Windows 2000 clients. This simplifies the administration.
- Non-Windows clients like Unix or Linux may either support dynamic DNS updates, or you can reserve a range of static IP addresses for them. The point is, there are usually only very few non-Windows clients.
DNS Scenario: You manage a network that employs DHCP, DNS, and WINS. You discover that IP address to host name resolution is not working properly. You need to troubleshoot this problem.
- This is an IP address to name problem, so you need to check the reverse lookup zone. Examine the reverse lookup zone file using the nslookup utility.
- Almost always, use nslookup to troubleshoot DNS.
DNS Scenario: You need to make non-Microsoft TCP/IP clients use WINS to resolve NetBIOS names.
You can enable the DNS server to use the WINS server for name resolution. Keep in mind that this is mostly for backward compatibility.
Installing, Configuring, Managing, Monitoring, and Troubleshooting DHCP in a Windows 2000 Network Infrastructure
DHCP will be another major topic in the exam.
- Based on BOOTP.
- Uses scopes to group the available IP addresses that DHCP clients can request.
- TCP/IP information is automatically sent to the client computer when it boots.
- Phase 1 process: DHCPDISCOVER.
- Phase 2 process: DHCPOFFER.
- Phase 3 process: DHCPREQUEST.
- Phase 4 process: DHCPACK or DHCPNAK.
- At 50 percent of the lease time the client sends a DHCPREQUEST to the original DHCP server to renew its lease.
- At 87.5 percent of the lease time the client looks for another DHCP server to renew its lease.
- The Windows 2000 DHCP server itself must have a static IP address.
- The Windows 2000 DHCP server itself must be authorized in Active Directory in order to distribute IP addresses.
- The DHCP service must be set up with at least one DHCP scope to function.
- You can, in the scope, exclude certain IP addresses from the range.
- You should adjust the lease time to fit your organization's needs.
- You can set scope options to provide other addresses (such as WINS server addresses, DNS server addresses, etc.) for the clients to use.
- You can use user classes to differentiate the settings for different groups of computers in the same scope.
- For redundancy, always have at least two DHCP servers on the network.
- You must manually avoid any addressing conflicts between multiple DHCP servers.
- You use the Multicast Scope Wizard to set up a multicast scope.
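The four phases, the scope with exclusions and options, the authorization requirement and the 50% / 87.5% renewal points above, played out between a client and a server in code. This is an added example and not part of the original notes: the messages are plain dictionaries rather than real DHCP packets, and the addresses, MAC addresses and lease length are constructed sample values.

```python
"""DHCP four-phase exchange, scopes and lease timers: added example, not from the notes.
Addresses, MACs and lease lengths below are constructed sample values."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Scope:
    """One DHCP scope: an address range with exclusions, a lease time and scope options."""
    start: str
    end: str
    lease_seconds: int
    exclusions: Set[str] = field(default_factory=set)          # never handed out
    options: Dict[str, object] = field(default_factory=dict)   # router, DNS, WINS, ...


class DhcpServer:
    def __init__(self, server_ip: str, scope: Scope, authorized: bool = True):
        self.server_ip = server_ip       # the server itself has a static address
        self.scope = scope
        self.authorized = authorized     # an unauthorized Windows 2000 DHCP server stays silent
        self.leases: Dict[str, str] = {}                 # client MAC -> leased IP
        self.offers: Dict[int, Tuple[str, str]] = {}     # transaction id -> (MAC, IP)

    def _next_free(self) -> Optional[str]:
        """First address in the scope range that is neither excluded nor leased."""
        lo = int(ipaddress.IPv4Address(self.scope.start))
        hi = int(ipaddress.IPv4Address(self.scope.end))
        taken = set(self.leases.values()) | self.scope.exclusions
        for n in range(lo, hi + 1):
            ip = str(ipaddress.IPv4Address(n))
            if ip not in taken:
                return ip
        return None

    def handle(self, msg: dict) -> Optional[dict]:
        """Phase 1/2: DISCOVER -> OFFER.  Phase 3/4: REQUEST -> ACK or NAK."""
        if not self.authorized:
            return None
        if msg["type"] == "DHCPDISCOVER":
            ip = self.leases.get(msg["mac"]) or self._next_free()
            if ip is None:
                return None                            # scope exhausted
            self.offers[msg["xid"]] = (msg["mac"], ip)
            return self._reply("DHCPOFFER", msg["xid"], ip)
        if msg["type"] == "DHCPREQUEST":
            if msg.get("server") not in (None, self.server_ip):
                return None                            # client accepted another server's offer
            offered = self.offers.pop(msg["xid"], None)
            renewing = self.leases.get(msg["mac"]) == msg["requested"]
            if renewing or offered == (msg["mac"], msg["requested"]):
                self.leases[msg["mac"]] = msg["requested"]
                return self._reply("DHCPACK", msg["xid"], msg["requested"])
            return {"type": "DHCPNAK", "xid": msg["xid"], "server": self.server_ip}
        return None

    def _reply(self, mtype: str, xid: int, ip: str) -> dict:
        return {"type": mtype, "xid": xid, "yiaddr": ip, "server": self.server_ip,
                "lease": self.scope.lease_seconds, "options": dict(self.scope.options)}


def obtain_lease(server: DhcpServer, mac: str, xid: int = 1) -> Optional[dict]:
    """Client side of the four phases against one server; returns the final reply."""
    offer = server.handle({"type": "DHCPDISCOVER", "xid": xid, "mac": mac})
    if offer is None:
        return None
    return server.handle({"type": "DHCPREQUEST", "xid": xid, "mac": mac,
                          "requested": offer["yiaddr"], "server": offer["server"]})


def renewal_times(lease_seconds: int) -> Tuple[float, float]:
    """T1 (50%: renew with the original server) and T2 (87.5%: rebind with any server)."""
    return lease_seconds * 0.5, lease_seconds * 0.875


def client_action(elapsed: float, lease_seconds: int) -> str:
    """What a client does `elapsed` seconds into a lease of `lease_seconds`."""
    t1, t2 = renewal_times(lease_seconds)
    if elapsed >= lease_seconds:
        return "expired: release the address and start over with DHCPDISCOVER"
    if elapsed >= t2:
        return "rebinding: broadcast DHCPREQUEST to any DHCP server"
    if elapsed >= t1:
        return "renewing: unicast DHCPREQUEST to the original server"
    return "bound"
```

A renewal at T1 is the same DHCPREQUEST the server already handles, only without a server identifier and for an address the client already holds; a request for an address the server never offered to that client is answered with a DHCPNAK.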
Windows 2000 DHCP ready Clients
- Windows 9x
- Windows for Workgroups 3.11 running TCP/IP-32
- MS-DOS with the Microsoft Network Client 3.0 with the real mode TCP/IP driver
- LAN Manager 2.2c except for the OS/2 version
- Windows NT
- Windows 2000
On the DHCP server you can enable dynamic update for non-dynamic DNS clients, so that the DHCP server registers them in DNS on their behalf.
- DHCP broadcasts cannot be routed.
- You use Microsoft's DHCP Relay Agent to forward DHCP broadcasts to the DHCP server.
- A relay agent is needed in any subnet without a DHCP server.
- Any Windows 3.11, Windows 9x, NT or Windows 2000 computer can act as the agent with the software installed.
- Use ipconfig to display the IP configuration and other IP options.
- Use ping to check connectivity with other IP hosts.
- Servers should use static IP addresses whenever possible.
- Rather than using a static IP address, an alternative is to make the server's lease last indefinitely.
- When no DHCP server is detected, Windows 2000 clients automatically set themselves private network IP addresses.
DHCP Scenario: DHCP is installed on one subnet. The clients on the same subnet can access the Internet. A DHCP client fails to get an IP on a remote subnet. It can communicate with the rest of the clients on that subnet though.
- No DHCP Relay Agent exists on the local subnet. This is why the client fails to obtain an IP address.
- The machine that acts as the relay agent must itself have valid IP settings.
- Note the key point here. The client in question can still communicate with the computers on the local subnet, even without a proper IP configuration. This is because Windows clients are likely to use NetBIOS and broadcasts to communicate locally.
DHCP Scenario: You realize that you are running out of IP addresses on your network. You need to ensure that most IP addresses are available at one time.
- You should decrease the lease time in this kind of situation.
- A potential drawback is increased network traffic because of more frequent renewals.
Installing, Configuring, Managing, Monitoring, and Troubleshooting WINS in a Windows 2000 Network Infrastructure
Although WINS is gradually being replaced, it is still a major topic in the exam.
- Provides NetBIOS name resolution to workstations and servers running Windows NT or Windows 9x.
- The NetBIOS name is the computer name you assign to the computer when you install the Windows operating system.
- A NetBIOS name cannot be duplicated on the same network.
- Broadcast (B-node) uses broadcasts to resolve a NetBIOS name.
- Hybrid (H-node) uses a mix of broadcast and non-broadcast methods.
- H-node is the default node type on a WINS client.
- To find out the node type, use the ipconfig /all | more command from the command prompt.
- MAX 16 characters for a NetBIOS name.
- <1Ch> is the identifier byte used to designate a Windows NT domain name.
WINS Name Registration
- The steps involved in a client registering and removing its NetBIOS name and IP address with the WINS server.
- Every time a WINS client is shut down correctly, it sends a Name Release request to the WINS server.
WINS Name Resolution
- The steps involved in querying the WINS server to perform NetBIOS name queries.
- Name resolution order:
- Local Name Cache
- You may set up the Primary WINS server and the Secondary WINS server in the TCP/IP properties of pre-Windows 2000 clients.
- Windows 2000 clients support up to 12 WINS servers.
- A WINS Proxy Agent accepts broadcast NetBIOS name queries and then queries the WINS server for the information.
- For non-Windows clients to use WINS, you must deploy a WINS Proxy Agent.
- B-node clients need to use a WINS Proxy Agent as well.
- You can configure static WINS entries for non-Windows hosts.
- Multiple WINS servers can be configured to replicate with each other for fault tolerance.
- Partnerships can be pull-pull, pull-push or push-push.
- Pull replication is based on time.
- Push replication is based on changes.
- When you configure a path for backing up WINS, WINS uses it automatically according to the default schedule.
- An alternative to WINS.
- Must be configured on every client.
- Not a recommended method.
- #DOM identifies a domain controller.
- #PRE means preload into the name cache.
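The 16-character NetBIOS name with its <1Ch> identifier byte (from the WINS notes above) and the #PRE / #DOM keywords of an LMHOSTS file, handled together in one piece of code. This is an added example and not part of the original notes: the sample LMHOSTS text and its addresses are constructed, the functions are my own, and the 0x00 and 0x20 suffixes are the standard workstation and server service identifiers, which the notes do not list.

```python
"""NetBIOS name records and LMHOSTS entries: added example, not from the notes."""
from typing import Dict, List, Tuple

# 16th-byte suffixes. <1Ch> is the domain (domain controller) suffix from the notes;
# 0x00 and 0x20 are the standard workstation and server service suffixes.
SUFFIXES = {0x00: "Workstation Service", 0x20: "File Server Service",
            0x1C: "Domain Controllers (domain name)"}


def netbios_name(name: str, suffix: int) -> bytes:
    """Build the 16-byte NetBIOS name: up to 15 characters, upper-cased and
    space-padded, followed by the one-byte suffix as the 16th character."""
    if len(name) > 15:
        raise ValueError("a NetBIOS name holds at most 15 characters plus the suffix byte")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])


def decode_netbios_name(raw: bytes) -> Tuple[str, int]:
    """Split a 16-byte record back into (name, suffix)."""
    if len(raw) != 16:
        raise ValueError("NetBIOS name records are exactly 16 bytes")
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def describe_record(raw: bytes) -> str:
    """Human-readable form such as 'CORP<1C> Domain Controllers (domain name)'."""
    name, suffix = decode_netbios_name(raw)
    return f"{name}<{suffix:02X}> {SUFFIXES.get(suffix, 'unknown suffix')}"


def parse_lmhosts(text: str) -> List[dict]:
    """Parse LMHOSTS entries of the form '<ip> <name> [#PRE] [#DOM:<domain>]'.

    Lines beginning with '#' are comments (or directives such as #INCLUDE,
    which this example does not process) and are skipped.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed LMHOSTS line: {line!r}")
        keywords = [p.upper() for p in parts[2:]]
        domain = next((k.split(":", 1)[1] for k in keywords if k.startswith("#DOM:")), None)
        entries.append({"ip": parts[0], "name": parts[1].upper(),
                        "preload": "#PRE" in keywords, "domain": domain})
    return entries


def preload_cache(entries: List[dict]) -> Dict[Tuple[str, int], List[str]]:
    """Simulate #PRE: put the (name, suffix) records of preloaded entries into a
    name cache keyed the way a NetBIOS query looks them up.

    A host answers for its <00> and <20> names; a #DOM entry additionally
    registers the domain's <1C> group name, which can list several controllers.
    """
    cache: Dict[Tuple[str, int], List[str]] = {}
    for e in entries:
        if not e["preload"]:
            continue
        for suffix in (0x00, 0x20):
            cache.setdefault((e["name"], suffix), []).append(e["ip"])
        if e["domain"]:
            cache.setdefault((e["domain"], 0x1C), []).append(e["ip"])
    return cache


# Constructed sample entries (TEST-NET addresses), not a real LMHOSTS file.
LMHOSTS_SAMPLE = """\
# sample LMHOSTS entries
192.0.2.20   FILESRV1     #PRE
192.0.2.10   DC1          #PRE   #DOM:CORP
192.0.2.11   DC2          #PRE   #DOM:CORP
192.0.2.30   printsrv
"""
```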
Configuring, Managing, Monitoring, and Troubleshooting Remote Access in a Windows 2000 Network Infrastructure
- Users can use a modem to connect to the server.
- PPP is the ideal protocol for dial-in.
- PPP supports multiple protocols.
- RRAS can obtain dynamic IP addresses from DHCP and then assign them to dial-in clients.
- To configure security for dial-in connections, you can use:
- Caller ID
- Callback to a number specified by the user
- Callback to a predefined number
- Without RADIUS, you need to configure every single RAS server for authentication.
- With RADIUS, a centralized authentication server can be used to authenticate all dial-in requests.
- For a large network with lots of RAS servers, use the RADIUS solution.
- For a large network that needs centralized accounting for RAS, use the RADIUS solution.
- IAS is short for Internet Authentication Service.
- IAS is the central component acting as the host for RADIUS.
- IAS is responsible for the following centralized activities:
Authentication Protocols for RADIUS
- Challenge Handshake Authentication Protocol (CHAP)
- Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
- Password Authentication Protocol (PAP)
- Shiva Password Authentication Protocol (SPAP)
- Extensible Authentication Protocol (EAP)
- EAP is for use with smart cards.
- PAP is not secure as it sends the password in clear text.
- MS-CHAP is almost always the choice for dial-in Windows clients.
- Short for Virtual Private Network.
- Uses the Internet for private connections.
- If you have MULTIPLE SITES to connect, use a VPN instead of dedicated point-to-point links.
- The minimum requirement to implement a VPN for a network is a single VPN server.
- Two choices of tunneling protocols:
- PPTP is supported by pre-Windows 2000 clients.
- L2TP is supported only by Windows 2000.
- L2TP itself does not encrypt the payload.
- Use IPSec together with L2TP to secure the VPN connections.
- Clients should use the virtual VPN adapter to connect to the VPN server.
Choices for Dial in or VPN remote access permissions
- Allow Access
- Deny Access
- Control via RAP
- Short for Remote Access Policies.
- Stored locally in the IAS.MDB file of the RAS server.
- A fancy way to define who has remote access to the network as well as what the characteristics of that connection will be.
- Conditions for accepting or rejecting connections can be based on:
- Group membership
- Type of service
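How the three per-user permission choices (Allow Access, Deny Access, Control via RAP) combine with an ordered list of policies whose conditions are group membership and type of service, as an added example that is not part of the original notes. It assumes the Windows 2000 evaluation order as I understand it: policies are tried top to bottom, the first one whose conditions all match decides, a request matching no policy is rejected, and an explicit Allow or Deny on the user account overrides that policy's own grant/deny setting. The user names, group names and policies are constructed.

```python
"""Remote access permission decision: user dial-in setting plus ordered remote access
policies. Added example, not from the notes; names and policies are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class RemoteAccessPolicy:
    name: str
    groups: Set[str] = field(default_factory=set)     # group-membership condition; empty = any
    services: Set[str] = field(default_factory=set)   # type-of-service condition; empty = any
    grant: bool = True                                # the policy's own permission


@dataclass
class User:
    name: str
    groups: Set[str]
    dial_in: str   # "allow", "deny" or "policy" (Control access through Remote Access Policy)


def evaluate_access(user: User, service: str,
                    policies: List[RemoteAccessPolicy]) -> Tuple[bool, Optional[str]]:
    """Return (allowed, name_of_policy_that_decided).

    Policies are checked in order and the first whose conditions all match
    decides; a request matching no policy is rejected. The user's own dial-in
    setting then wins over the policy permission unless it defers to the policy.
    """
    for policy in policies:
        if policy.groups and not (user.groups & policy.groups):
            continue                                   # group condition not met
        if policy.services and service not in policy.services:
            continue                                   # service condition not met
        if user.dial_in == "allow":
            return True, policy.name
        if user.dial_in == "deny":
            return False, policy.name
        return policy.grant, policy.name               # "Control via RAP"
    return False, None


# Constructed policy set: contractors may only use the VPN, staff may dial in or
# use the VPN, and a catch-all at the end denies everything that did not match.
POLICIES = [
    RemoteAccessPolicy("Contractors VPN only", groups={"Contractors"}, services={"vpn"}),
    RemoteAccessPolicy("Staff remote access", groups={"Staff"}, services={"dial-in", "vpn"}),
    RemoteAccessPolicy("Deny everyone else", grant=False),
]
```

Order matters: a contractor dialling in falls through the first two policies and is caught by the catch-all, while a user whose account is set to Allow Access gets in through that same catch-all despite its deny setting, which is why a per-account Allow should be used sparingly.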
Installing, Configuring, Managing, Monitoring, and Troubleshooting IP Routing in a Windows 2000 Network Infrastructure
- A computer must have at least two NICs in order to perform routing.
- The two NICs should be configured for two different subnets.
- Windows 2000 uses the RRAS service to handle IP routing.
- An internal router has all its interfaces connected to the same local area.
- A border router has interfaces connected to different outside areas.
- To reduce the load on the routers, we can simplify the routes with CIDR (Classless Inter-Domain Routing).
- With CIDR, we can perform route aggregation – use a single route to cover the address space of several network numbers.
- Most efficient for a network with a small number of subnets.
- No additional traffic burden.
- Use the route print command to print the routing table.
- Use the route add command to add routing entries.
- Use the route add command with the -p switch to add persistent routing entries.
- Use the route delete command to delete routing entries.
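A routing table that behaves like the route add / route delete / route print commands above, with longest-prefix lookup, routes that survive a restart (the -p switch) and the CIDR route aggregation from the earlier points. This is an added example and not part of the original notes; the addresses are constructed, and the class and its methods are my own.

```python
"""Routing table with longest-prefix match, persistent routes and CIDR
aggregation: added example, not from the notes. Addresses are constructed."""
import ipaddress
from typing import List, Optional


class RoutingTable:
    def __init__(self):
        self.routes: List[dict] = []

    def add(self, destination: str, gateway: str, metric: int = 1,
            persistent: bool = False) -> None:
        """route add <dest> mask <mask> <gateway>; persistent stands for the -p switch."""
        self.routes.append({"network": ipaddress.ip_network(destination),
                            "gateway": gateway, "metric": metric,
                            "persistent": persistent})

    def delete(self, destination: str) -> int:
        """route delete <dest>; returns how many entries were removed."""
        net = ipaddress.ip_network(destination)
        before = len(self.routes)
        self.routes = [r for r in self.routes if r["network"] != net]
        return before - len(self.routes)

    def lookup(self, ip: str) -> Optional[str]:
        """Longest-prefix match, lowest metric breaking ties; None if no route."""
        addr = ipaddress.ip_address(ip)
        matches = [r for r in self.routes if addr in r["network"]]
        if not matches:
            return None
        best = max(matches, key=lambda r: (r["network"].prefixlen, -r["metric"]))
        return best["gateway"]

    def reboot(self) -> None:
        """Only routes added with -p survive a restart."""
        self.routes = [r for r in self.routes if r["persistent"]]

    def routes_via(self, gateway: str) -> List[str]:
        return sorted(str(r["network"]) for r in self.routes if r["gateway"] == gateway)

    def aggregate(self, gateway: str) -> List[str]:
        """CIDR route aggregation: replace the routes pointing at `gateway` with the
        fewest prefixes covering exactly the same addresses.

        collapse_addresses only merges neighbouring blocks whose union is itself a
        prefix, so the summary never swallows space that is routed elsewhere.
        """
        via = [r for r in self.routes if r["gateway"] == gateway]
        if not via:
            return []
        rest = [r for r in self.routes if r["gateway"] != gateway]
        summary = list(ipaddress.collapse_addresses(r["network"] for r in via))
        for net in summary:
            rest.append({"network": net, "gateway": gateway,
                         "metric": min(r["metric"] for r in via),
                         "persistent": all(r["persistent"] for r in via)})
        self.routes = rest
        return [str(n) for n in summary]

    def dump(self) -> str:
        """A route print style listing of the table."""
        lines = [f"{'Network Destination':<20} {'Netmask':<16} {'Gateway':<16} Metric"]
        for r in sorted(self.routes, key=lambda r: (r["network"].prefixlen, r["network"])):
            lines.append(f"{str(r['network'].network_address):<20} "
                         f"{str(r['network'].netmask):<16} {r['gateway']:<16} {r['metric']}")
        return "\n".join(lines)
```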
RIP & RIP v2
- Interior routing protocol.
- Fully dynamic.
- Routing based on hop count – MA 15 hops.
- Uses second-hand information from the neighboring routers to build the routing table.
- Periodically sends the entire routing table to the other routers.
- Low load on the router CPU.
- High burden on the network.
- Easy to configure compared to OSPF.
- Good for small to medium-sized networks.
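The RIP behaviour listed above (hop counts with 15 as the maximum, tables built from second-hand neighbour information, the whole table sent each round) simulated on constructed topologies. This is an added example and not part of the original notes; it models only the convergence, not RIP's packet format, timers or split-horizon details.

```python
"""Distance-vector convergence the way RIP does it: added example, not from the
notes. The topologies are constructed."""
from typing import Dict, Optional, Tuple

INFINITY = 16   # RIP counts hops; 15 is the maximum, 16 means unreachable

Table = Dict[str, Tuple[int, Optional[str]]]   # destination -> (hops, next hop)


def rip_converge(links: Dict[str, set], max_rounds: int = 64) -> Tuple[Dict[str, Table], int]:
    """Run periodic full-table exchanges until no router learns anything new.

    `links` maps each router to the set of its directly connected neighbours.
    Returns the routing tables and the number of rounds taken. Destinations
    further than 15 hops never enter a table, which is RIP's size limit.
    """
    tables: Dict[str, Table] = {r: {r: (0, None)} for r in links}
    for router, neighbours in links.items():
        for nb in neighbours:
            tables[router][nb] = (1, nb)             # directly connected: one hop
    for rnd in range(1, max_rounds + 1):
        changed = False
        for sender, neighbours in links.items():
            advert = dict(tables[sender])            # the entire table is sent
            for nb in neighbours:
                for dest, (hops, _) in advert.items():
                    new_hops = min(hops + 1, INFINITY)
                    current = tables[nb].get(dest, (INFINITY, None))[0]
                    if new_hops < current:           # second-hand, but better: install it
                        tables[nb][dest] = (new_hops, sender)
                        changed = True
        if not changed:
            return tables, rnd
    return tables, max_rounds


def chain(n: int) -> Dict[str, set]:
    """A line of n routers r0 - r1 - ... - r(n-1)."""
    links = {f"r{i}": set() for i in range(n)}
    for i in range(n - 1):
        links[f"r{i}"].add(f"r{i + 1}")
        links[f"r{i + 1}"].add(f"r{i}")
    return links


def path(tables: Dict[str, Table], src: str, dst: str) -> Optional[list]:
    """Follow next hops from src to dst; None when RIP considers dst unreachable."""
    hops, here = [src], src
    while here != dst:
        entry = tables[here].get(dst)
        if entry is None or len(hops) > INFINITY:
            return None
        here = entry[1]
        hops.append(here)
    return hops
```

A chain of 17 routers shows the hop-count limit directly: the two ends are 16 hops apart, so neither ever learns a route to the other even though every link is up.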
- Interior routing protocol.
- Fully dynamic.
- Uses metrics that take bandwidth and network congestion into account when making routing decisions.
- Transmits updates to other routers when there is a topology change.
- Builds a complete topology of the whole network.
- Requires high processing power.
- Good for large networks.
- Use OSPF when scalability is the main concern.
Installing, Configuring, and Troubleshooting Network Address Translation (NAT) and ICS
- Short for Internet Connection Sharing.
- Good for a small network that has only one legitimate IP address.
- All computers inside the network can have Internet access.
- Outside computers cannot access the inside computers.
- Clients must use DHCP.
- ICS provides its own DNS and DHCP components. To avoid conflicts, you cannot separately set up DNS / DHCP.
- Windows 98 and Windows 2000 can be configured to provide ICS functionality.
- Short for Network Address Translation.
- Good for a large network that needs to conceal its internal IP structure.
- Allows computers on a small network to share a single Internet connection.
- Also for hiding the internal IP addressing scheme.
- If PERFORMANCE is NOT a concern, use NAT rather than Proxy Server.
- If COST is a concern, use NAT rather than Proxy Server.
Static NAT Mapping
- To allow Internet users to access resources on the inside network, use static IP address mapping.
- Remember to exclude this static IP address from the range of IP addresses allocated by the NAT computer.
Dynamic NAT Mapping
To allow a group of internal users to access resources on the outside network, use dynamic IP address mapping.
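Static and dynamic mapping side by side, including the point about keeping the statically mapped address out of the dynamic range and the reason outside hosts cannot reach an inside host that has no static mapping. This is an added example and not part of the original notes: the class is my own simplified translator, and the 203.0.113.x / 198.51.100.x documentation addresses and the 192.168.0.x inside hosts are constructed.

```python
"""Static and dynamic NAT mapping over a pool of public addresses: added example,
not from the notes. All addresses are constructed documentation ranges."""
from typing import Dict, List, Optional, Set, Tuple


class NatTable:
    """Translates inside (private) hosts to public addresses.

    A static mapping ties one public address to one inside host so outside users
    can reach it. Dynamic mappings are created only by outbound traffic and pass
    inbound packets only when they answer a flow the inside host opened.
    """

    def __init__(self, public_pool: List[str]):
        self.pool = list(public_pool)          # public addresses free for dynamic use
        self.static: Dict[str, str] = {}       # public_ip -> inside_ip
        self.dynamic: Dict[str, str] = {}      # inside_ip -> public_ip
        # (public_ip, public_port, remote_ip, remote_port) of flows opened from inside
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def add_static(self, public_ip: str, inside_ip: str) -> None:
        """Static mapping; the reserved address is taken out of the dynamic pool."""
        if public_ip in self.dynamic.values():
            raise ValueError(f"{public_ip} is already in dynamic use")
        if public_ip in self.pool:
            self.pool.remove(public_ip)
        self.static[public_ip] = inside_ip

    def _public_for(self, inside_ip: str) -> Optional[str]:
        for public_ip, mapped in self.static.items():
            if mapped == inside_ip:
                return public_ip                 # statically mapped host keeps its address
        if inside_ip not in self.dynamic:
            if not self.pool:
                return None                      # pool exhausted
            self.dynamic[inside_ip] = self.pool.pop(0)
        return self.dynamic[inside_ip]

    def outbound(self, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Packet leaving the inside network: the translated source, or None if dropped."""
        public_ip = self._public_for(src_ip)
        if public_ip is None:
            return None
        self.flows.add((public_ip, src_port, dst_ip, dst_port))
        return public_ip, src_port

    def inbound(self, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Packet arriving from outside: the inside destination, or None if dropped."""
        if dst_ip in self.static:
            return self.static[dst_ip], dst_port               # always reachable
        if (dst_ip, dst_port, src_ip, src_port) in self.flows:
            for inside_ip, public_ip in self.dynamic.items():
                if public_ip == dst_ip:
                    return inside_ip, dst_port                 # reply to an outbound flow
        return None                                            # unsolicited: inside stays hidden
```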
- Provides NAT functions.
- Also provides caching function to enhance performance.
- Proxy Array provides redundancy and load balancing for Proxy Servers.
- If PERFORMANCE is also a concern, use Proxy Server.
Installing, Configuring, Managing, Monitoring, and Troubleshooting Certificate Services
- Short for Certificate Authority.
- Responsible for issuing certificates.
- One way of authentication and identification on the network.
- 4 types of certificate authorities in a Windows 2000 network:
- Enterprise root CA
- Enterprise subordinate CA
- Stand-alone root CA
- Stand-alone subordinate CA
- If you do not have Active Directory, use a stand-alone root CA for your internal needs.
- If you have a big organization, use at least one root CA plus other subordinate CAs to share the load and administration tasks for your internal needs.
- If you are doing business on the Internet, establish a relationship with a third-party CA and use the certificates issued by that third-party CA.
- You can revoke the certificates you issue.
- Certificates should be set with an expiration date.
- The more frequently a certificate expires, the more secure it is for the network.