Dated: Aug. 11, 2004
- Overview of Networking and TCP/IP
- Domain Name System (DNS)
- Understanding Windows 2000 Remote Access
- Required Client Components
- Required Server Components
- Protocols Supported By RAS
- RAS Monitor
- RAS Logging
- Internet Connection Sharing
- Certificate Services
- Understanding Windows Internet Naming System
Windows 2000 is fast becoming the most widely deployed network operating system in the corporate world, and as the computer network industry advances in both technology and size, proven skills and expertise are of prime importance. Microsoft has recognized this need and revised its Microsoft Certified Professional (MCP) program to provide credentials that demonstrate expertise with the Microsoft Windows 2000 family of products and services. Windows 2000 consists of several editions, including Windows 2000 Server, Advanced Server, Datacenter Server, and Windows 2000 Professional, chosen according to the requirements of the client/server environment.
This study guide provides an overview of what you need to pass exam 70-217, Implementing and Administering a Microsoft Windows 2000 Network Infrastructure, and summarizes the skills required to install, configure, and troubleshoot DNS, DHCP, remote access, network protocols, IP routing, connection sharing, and security in a Windows 2000 network infrastructure.
Overview of Networking and TCP/IP
A network is a group of computers that share resources. A server is a central computer that contains files and resources that other computers can share. A client computer connects to the server and uses these resources.
TCP/IP is the network protocol that provides Internet access. It is the protocol used by most servers, although you can use additional or different network adapters and their associated protocols on your servers. To use TCP/IP, make sure that each server is provided with an IP address, either a dynamic or automatic address provided through software, or a static address that you obtain and set. Because these addresses are numbers and therefore hard to remember, you will also have to provide users with names that are easier to use. Mapping this type of name to an IP address is called name resolution, and can be accomplished by various methods, primarily the Domain Name System (DNS) and Windows Internet Name Service (WINS).
Name resolution for TCP/IP
Name resolution is a process that provides users with easy-to-remember server names, instead of requiring them to use the numerical IP addresses by which servers identify themselves on the TCP/IP network. The name-resolution services are the DNS and WINS.
Domain Name System (DNS)
DNS is a hierarchical naming system used for locating computers on the Internet and private TCP/IP networks. It is used to map Internet domain and computer names into IP addresses and vice versa. DNS works at the application layer and uses TCP and UDP for transport. TCP is only used if returned data is truncated. DNS was originally based on HOSTS files that were maintained by a centralized Network Information Center. Today it is based on a hierarchy of servers with a distributed hierarchical database throughout the network or Internet.
One or more DNS servers are needed in most installations. DNS is required for Internet e-mail, Web browsing, and Active Directory. DNS is also required in domains with clients running Windows 2000. DNS is installed automatically when you create a domain controller (or promote a server to become a domain controller), unless the Windows 2000 software detects that a DNS server already exists for that domain. (Alternatively, you can explicitly select DNS as a component to install during or after Setup.)
DNS is a hierarchical naming structure with the following levels:
- Root designated by a dot (.).
- First level - This indicates country or type of organization such as "org", "com", and "net".
- Second level - Indicates the organization name and can be purchased for a yearly fee.
Notice that the highest level of the domain is listed last. An example of a domain name that you may be familiar with is:
On the client side, a DNS resolver is used to send queries to DNS servers. The resolver is normally part of a library routine or it is built into the application. DNS uses zone files to keep name and IP address database information for the Internet domain or hierarchical set of domains. Zones are a storage of information in a file for a DNS domain or DNS subdomains (DNS domains are not the same as Windows domains). DNS does not yet support dynamic configuration but has been modified for Windows systems to do so. Different aliases may be created by the administrator for the same host. There are three types of name servers, defined by how they relate to the zone information:
- Primary - Locally stored files exist on the name server database. The master zone file copy is stored here.
- Secondary - Gets data called a zone transfer from another server that is the zone authority.
- Caching Only - Caches name server information and does not contain its own files.
A primary and secondary name server should be used on a network. When a zone is defined, some server must be configured to be a master name server for the zone. There can be different master name servers for different zones. The master server provides copies of the zone information to the secondary DNS server. Name servers can be configured to get information from other name servers when the information is not found in the local database. These types are forwarders and slaves. Name servers as categorized by function:
- Master - The zone authority that contains the master zone files.
- Forwarders - A name server that passes name resolution requests to other name servers. This configuration is done on a per server basis.
- Slaves - Slave name servers are configured to use forwarders.
Windows introduces additional terminology:
- Standard primary - The same as a primary DNS server listed above. This is a master server by function.
- Active Directory Integrated (primary) - DNS entries are stored with Active Directory data rather than in a normal zone file. More than one of these Active Directory primary servers may exist because of Active Directory replication. This term is used to refer to both the Active Directory Integrated zones and the files that support the zone.
- Standard secondary - The same as a secondary DNS server listed above. This is a slave server by function.
- Root server - The server that has the DNS data for the root zone. The root zone is either the organization's internal network root zone or the Internet root zone. It is used when a private network is not directly on the Internet (no connection, or a connection via a proxy server).
Query types are:
- Inverse - Getting the name from the IP address. These are used by servers as a security check.
- Iterative - Server gives its best answer. This type of inquiry is sent from one server to another.
- Recursive - Cannot refer the query to another name server.
The DNS zone file serial number is used to track DNS changes. The notify function is used to initiate zone transfers. Zone transfer types are:
- Full - AXFR Query - Secondary server refresh interval expires and it sends an AXFR query.
- Incremental - IXFR query - Only new or updated entries are copied.
Possible zones include:
- Forward lookup zone - Name to IP address map.
- Reverse lookup zone - IP address to name map.
- Standard primary zone (primary zone) - A master copy of a forward or reverse lookup zone.
- Active Directory integrated zone - The IP address and computer name are stored in Active Directory and replicated to all local domain controllers. DNS information is not replicated to domain controllers outside the domain.
- Standard secondary zone (secondary zone) - A copy of a standard primary or Active Directory integrated zone.
Microsoft DNS is compatible with BIND, but it is not the same. Windows 2000 Server or a higher server edition is required to run DNS; it will not run on Windows 2000 Professional.
Windows 2000 DHCP clients register forward lookup entries (A record) by default. The DHCP server registers forward (A) and reverse (PTR) DNS records.
Windows 2000 computers can register their IP addresses and names with a network DNS server that supports dynamic updates (not all DNS servers support dynamic updates, but Windows 2000 DNS servers do). Operating systems other than Windows 2000 cannot register their IP addresses and names with DNS dynamically. A Windows DHCP server can be configured to register assigned IP addresses and host names with a DNS server that supports dynamic updates.
Characters allowed in DNS names are: A-Z, a-z, 0-9, -
- Interfaces - Specifies interfaces to use on a multihomed host.
- Forwarders - Specifies other name servers to use as a forwarder.
- Boot Method - Display whether the boot method is through the use of the registry or data files.
The DNS Database
Database file storage on Microsoft Windows 2000 is as follows:
- Database file - zone.dns
- Cache file - Cache.dns - Used to resolve names outside the domains. Contains the addresses of root name servers.
- Reverse lookup file and Arpa-127.rev
- Boot file (options) - Defines BIND startup options such as the directory DNS files are contained in. Boot file commands:
- Cache - The cache file location. The file must exist.
- Primary - Syntax is "primary (domain) (filename)" - The domain indicates the domain that this authoritative server is in charge of. The filename indicates the resource record file for the zone
- Secondary - Syntax is "secondary (domain) (hostlist)" - The domain indicates the domain the server is authoritative for. The hostlist is a list of master servers where zone information is downloaded from.
DNS Record types:
- A - Address record allowing a computer name to be translated into an IP address. Each computer must have this record for its IP address to be located. These names are not assigned for clients that have dynamically assigned IP addresses, but are a must for locating servers with static IP addresses.
- CNAME - Canonical name allowing additional names or aliases to be used to locate a computer.
- MX - Mail Exchange server record. There may be several.
- NS - Name server record. There may be several.
- PTR - Pointer resource record.
- SOA - Start of Authority record defines the authoritative server and parameters for the DNS zone. These include timeout values, name of responsible person.
- SRV - Service locator resource record to map a service to servers providing the service. Windows 2000 clients will use this record to find a domain controller.
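The record types above, the CNAME-to-A resolution chain, the SOA serial that drives zone transfers, and the allowed-character rule for host names can all be exercised in a few lines. The following Python is an added example written for this guide, not code from Microsoft or the guide's author; the zone text is constructed sample data in a simplified one-record-per-line layout (the real Windows zone.dns files use BIND syntax), and the names and addresses in it are made up.

```python
import re
from collections import defaultdict

# Constructed sample zone in a simplified one-record-per-line layout (not real data).
# Fields: owner name, record type, then the type-specific data.
ZONE_TEXT = """\
example.com. SOA ns1.example.com. hostmaster.example.com. 2004081101 3600 600 86400 3600
example.com. NS ns1.example.com.
example.com. MX 10 mail.example.com.
ns1.example.com. A 192.168.1.10
mail.example.com. A 192.168.1.20
www.example.com. CNAME web.example.com.
web.example.com. A 192.168.1.30
_ldap._tcp.example.com. SRV 0 100 389 dc1.example.com.
dc1.example.com. A 192.168.1.5
bad_host.example.com. A 192.168.1.99
"""

# Characters the guide lists as allowed in DNS host names: A-Z, a-z, 0-9 and '-'.
LABEL_RE = re.compile(r"^[A-Za-z0-9-]+$")


def valid_host_name(name):
    """True if every label of a host name uses only the allowed character set."""
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def parse_zone(text):
    """Parse the zone text into {owner: [(type, [rdata...])]}.
    A records whose owner name uses disallowed characters are rejected and reported."""
    records = defaultdict(list)
    rejected = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, rtype, *rdata = line.split()
        if rtype == "A" and not valid_host_name(owner):
            rejected.append(owner)
            continue
        records[owner].append((rtype, rdata))
    return records, rejected


def resolve_a(records, name, depth=0):
    """Addresses for a name, following CNAME aliases to the canonical host (max 8 hops)."""
    if depth > 8:
        return []
    addrs = []
    for rtype, rdata in records.get(name, []):
        if rtype == "A":
            addrs.append(rdata[0])
        elif rtype == "CNAME":
            addrs.extend(resolve_a(records, rdata[0], depth + 1))
    return addrs


def soa_serial(records, zone):
    """Serial number from the zone's SOA record (third field after mname and rname)."""
    for rtype, rdata in records.get(zone, []):
        if rtype == "SOA":
            return int(rdata[2])
    return None


def transfer_needed(primary_serial, secondary_serial):
    """A secondary pulls a zone transfer only when the primary's serial is higher."""
    return primary_serial > secondary_serial


def srv_targets(records, service_name):
    """(priority, weight, port, target) for a SRV name, lowest priority first."""
    found = [(int(r[0]), int(r[1]), int(r[2]), r[3])
             for t, r in records.get(service_name, []) if t == "SRV"]
    return sorted(found)


if __name__ == "__main__":
    zone, bad = parse_zone(ZONE_TEXT)
    print("www ->", resolve_a(zone, "www.example.com."))
    print("rejected:", bad)
    print("serial:", soa_serial(zone, "example.com."))
    print("LDAP SRV:", srv_targets(zone, "_ldap._tcp.example.com."))
```

The SRV owner name `_ldap._tcp` is deliberately not run through the host-name check: underscore labels are normal for service records, and only A-record owners (real host names) are validated here. A serial that is not increased after an edit is the classic reason a secondary never refreshes, which is what `transfer_needed` makes visible.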
- Scope - A range of IP addresses that the DHCP server can assign to clients that are on one subnet.
- Superscope - A range of IP addresses that span several subnets. The DHCP server can assign these addresses to clients that are on several subnets.
- Multicast scope - A range of class D addresses from 224.0.0.0 to 239.255.255.255 that can be assigned to computers when they ask for them. A multicast group is assigned to one IP address. Multicasting can be used to send a message to a group of computers at the same time with only one copy of the message. The Multicast Address Dynamic Client Allocation Protocol (MADCAP) is used to request a multicast address from a DHCP server.
Windows 2000 Client Option Levels
When options are in conflict, more specific options override less specific options.
- Client level - Includes one client.
- Class level - Includes clients in one class.
- Scope level - Includes one scope.
- Server level - Includes all DHCP server scopes and clients of the server.
Windows 2000 Multicast Scope
The DHCP console allows multicast scopes to be set up in the same way as normal scopes. This scope assigns a secondary IP address to a client for receiving multicasts in a multicast group. The address range for this scope is 224.0.0.0 through 239.255.255.255 (the class D range). Multicast Address Dynamic Client Allocation Protocol (MADCAP) is used to assign dynamic multicast addresses to clients in multicast groups. DHCP can assign MADCAP options but MADCAP servers cannot assign DHCP options.
DHCP Lease Process
DHCP leases are used to reduce DHCP network traffic by giving clients specific addresses for set periods of time.
- Request - A broadcast is sent by the client with the client MAC address. This is a DHCP discover message with source IP address of 0.0.0.0 and destination address of 255.255.255.255. The client tries to get its last address. If it is not available, the DHCP server will send a NACK signal. The client state is initialization during the request stage.
- Offer - A DHCP offer message is sent from the DHCP server with some or all the optional information as listed above. Information sent includes the IP address of the DHCP server that sent the accepted offer. All offered IP addresses are marked unavailable by the DHCP server when the DHCP server offers them until they are rejected. The client is in the selecting state during this offer stage.
- Selection (or acceptance) - The first offer received by the client is accepted. The client broadcasts its selected choice using a DHCP request message which includes the IP address of the DHCP server that sent the accepted offer. The client is in the requesting state during this selection stage.
- Acknowledgement - The server acknowledges with a DHCP acknowledge indicating the client can use the address or it will send a DHCP NACK instructing the client that the address became unavailable. Other DHCP servers retract their offers and mark the offered address as available and the accepted address as unavailable. Any offered IP addresses not selected are freed to be used again. The client state is the binding state during this acknowledgement stage.
When the client sends the lease request, it then waits one second for an offer. If a response is not received, the request is repeated at 9, 13, and 16-second intervals with additional 0 to 1000 milliseconds of randomness. The attempt is repeated every 5 minutes thereafter. The client uses port 67 and the server uses port 68.
Client systems that are Windows 98 or later attempt to tell if another client is already using the address received from the DHCP server by pinging the address. The DHCP server can be configured to pretest addresses by pinging them, but this will increase overhead and slow server response time.
DHCP Lease Renewal
After 50% of the lease time has passed, the client attempts to renew the lease with the DHCP server it originally obtained the lease from, using a DHCPREQUEST message. Any time the client boots and 50% or more of the lease has passed, the client attempts to renew the lease. At 87.5% (7/8ths) of the lease, the client attempts to contact any DHCP server for a new lease. If the lease expires, the client sends a request as in the initial boot when it had no IP address. If this fails, the client TCP/IP stack ceases functioning. Additional messages include a DHCP decline message, which the client sends if it decides the information from the server is not appropriate, and a DHCP release message, which the client uses to tell the server that the IP address is released and available for use by other clients. The client is in the renewing state when the lease is half expired.
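The four-step lease exchange, the retraction of unselected offers, the option precedence levels (client over class over scope over server) and the T1/T2 renewal points can be put together in a small simulation. This Python is an added example written for this guide, not Microsoft's DHCP implementation or code from the guide; the two servers, the address pools and the option sets are constructed, and the protocol is reduced to message handling without real sockets or timers.

```python
def effective_options(server=None, scope=None, class_=None, client=None):
    """Merge option sets; a more specific level overrides a less specific one."""
    merged = {}
    for level in (server, scope, class_, client):
        merged.update(level or {})
    return merged


class DhcpServer:
    """Toy DHCP server holding one scope (constructed for the example)."""

    def __init__(self, name, pool, options):
        self.name = name
        self.free = list(pool)   # addresses available for offer
        self.offered = {}        # mac -> address marked unavailable while offered
        self.leases = {}         # mac -> address in a committed lease
        self.options = options

    def discover(self, mac, last_addr=None):
        """DHCPDISCOVER: offer the client's previous address if it is still free."""
        if not self.free:
            return None
        addr = last_addr if last_addr in self.free else self.free[0]
        self.free.remove(addr)
        self.offered[mac] = addr
        return {"server": self.name, "address": addr, "options": self.options}

    def request(self, mac, server_id, addr):
        """DHCPREQUEST is broadcast, so every server that made an offer sees it."""
        if mac not in self.offered:
            return None
        offered = self.offered.pop(mac)
        if server_id != self.name:
            self.free.append(offered)       # not chosen: retract and free the offer
            return None
        if offered != addr:
            self.free.append(offered)
            return {"type": "NACK"}
        self.leases[mac] = addr
        return {"type": "ACK", "address": addr, "options": self.options}

    def release(self, mac):
        """DHCPRELEASE: the address goes back into the pool."""
        addr = self.leases.pop(mac, None)
        if addr:
            self.free.append(addr)


def obtain_lease(mac, servers, last_addr=None):
    """Client side: discover, take the first offer, request it, wait for the ACK."""
    offers = [o for o in (s.discover(mac, last_addr) for s in servers) if o]
    if not offers:
        return None
    chosen = offers[0]
    result = None
    for s in servers:
        reply = s.request(mac, chosen["server"], chosen["address"])
        if reply and reply["type"] == "ACK":
            result = reply
    return result


def lease_state(elapsed, lease_len):
    """Client state by fraction of the lease elapsed: T1 at 50%, T2 at 87.5%."""
    if elapsed >= lease_len:
        return "expired"      # start over with DHCPDISCOVER
    if elapsed >= lease_len * 0.875:
        return "rebinding"    # ask any DHCP server
    if elapsed >= lease_len * 0.5:
        return "renewing"     # DHCPREQUEST to the original server
    return "bound"


if __name__ == "__main__":
    a = DhcpServer("A", ["10.0.0.10", "10.0.0.11"], {"router": "10.0.0.1"})
    b = DhcpServer("B", ["10.0.0.20"], {"router": "10.0.0.1"})
    print(obtain_lease("00:11:22:33:44:55", [a, b]))
    print("B pool after retraction:", b.free)
    print(lease_state(6, 8), lease_state(7.5, 8))
```

The point worth watching in the simulation is the state of server B after the exchange: it offered an address, saw the broadcast request name server A, and returned the address to its pool. A rogue server on the same segment would take part in exactly this race, which is why Windows 2000 requires DHCP servers to be authorized in Active Directory.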
DHCP Relay Agents
May be placed in two places:
- Subnets that don't have a DHCP server to forward DHCP requests.
Client reservation is used to ensure that a computer always gets the same IP address. Because DHCP controls address assignments by MAC address, the following are required for a client reservation:
- MAC (hardware) address
- IP address
An exclusion range is used to reserve a bank of IP addresses so that computers with static IP addresses, such as servers, may use addresses in this range. These addresses are not assigned by the DHCP server.
- /all - Shows detailed configuration information, from the local hostname, IP address, and subnet mask to the DHCP server and WINS server addresses and lease dates. It will display an IP address of 0.0.0.0 and a DHCP server address of 255.255.255.255 if the DHCP attempt was unsuccessful.
Windows 2000 DHCP Installation and Configuration Issues
The first Windows 2000 DHCP server must be a domain controller. DHCP services must be on a member server or domain controller. Rogue (additional non domain controller) DHCP servers must be authorized in Active Directory. The DHCP Inform message is used to detect rogue DHCP servers.
When upgrading a DHCP server from Windows NT to Windows 2000, the database is converted to the Windows 2000 format. This stops the DHCP service until the conversion is done and may use a large amount of disk space. The DHCP database cannot be converted back to the NT format.
When DHCP is installed, the DHCP MMC snap-in is installed. This can be accessed from administrative tools and is called "DHCP command".
Windows 2000 clustering services allow redundant DHCP servers to provide DHCP fault tolerance with one acting as primary and the other acting as a backup.
Windows 2000 DHCP can update DNS A and PTR records dynamically. This can be done in Windows 2000 from the DHCP Manager in administrative tools, by right clicking on the DHCP server or scope and selecting "Properties".
Helpful DHCP System Monitor Counters
- Declines per second - Indicates a conflict of IP addresses if this is high.
- Packets received per second - Indicates how busy the server is with the network.
- Requests per second - If this number is high, the lease time may be too short.
Windows 98 and later systems support Automatic Private IP Addressing (APIPA) for small networks, using the network address 169.254.0.0. If there are more than 25 clients, DHCP should be used. If a client using APIPA detects a DHCP server, it discontinues APIPA addressing.
BOOTP or the bootstrap protocol can be used to boot diskless clients. An image file is sent from the boot server. The image file contains the image of the operating system the client will run. DHCP servers can be configured to support BOOTP or the BOOTP server may be a separate server.
Understanding Windows 2000 Remote Access
Remote Access Service (RAS) is considered to be a Wide Area Network (WAN) connection. Clients that use remote access use either:
- Dial-up to private connections or the Internet.
- Virtual private networking (VPN) to the Internet or across some other network.
- Cable connections to other computers using infrared, serial or parallel ports.
- RAS can also be configured to handle incoming connections by phone, the Internet, or a cable.
- RAS servers can be used as gateways to link LANs together.
Required Client Components
- Transport Protocol (NetBEUI, NWLink, TCP/IP) - The best protocol depends on line conditions. TCP/IP is best when line conditions are poor, but it is slower. If line conditions are good, and speed is desired, use NetBEUI.
- Workstation service (Windows NT Workstation) or Client for Microsoft Networks (Windows 95)
Required Server Components
- Modems or ISDN interface or X.25 PAD. Modems are configured using the control panel Modems applet. ATM and ISDN are installed using the control panel Network applet.
- Must run the "Routing and Remote Access" service. This service is only available on servers but is installed by default.
Protocols Supported By RAS
- Point to Point Protocol (PPP) - Point to Point Protocol is a form of serial line data encapsulation that is an improvement over SLIP which provides serial bi-directional communication. Packets are delivered in the order they were sent.
- Serial Line Internet Protocol (SLIP) - This protocol places data packets into data frames in preparation for transport across network hardware media. This protocol is used for sending data across serial lines. There is no error correction, addressing, compression, or packet identification, and SLIP has no authentication or negotiation capabilities. SLIP will only support transport of IP packets.
- Point to Point Multilink Protocol - Combines bandwidth from several physical connections into one logical connection.
- Microsoft RAS
Overview of Virtual Private Network
A Virtual Private Network allows you to run a secure, private network over an unsecured public network. You can use virtual private networking to connect clients to your network over the Internet and do so securely, even though the Internet is an inherently unsecured network.
- Point to Point Tunneling Protocol (PPTP) - Point-to-Point Tunneling Protocol (RFC 2637) works at the Data Link layer. No encryption or key management is included in the specification. It is a VPN tunneling protocol used to send secure communications from point to point, giving access to a private network across a public network at the speed of a modem. It uses PPP encryption or Microsoft Point to Point Encryption (MPPE) over TCP as a transport protocol.
- Layer Two Tunneling Protocol (L2TP) - Layer 2 Tunneling Protocol (RFC 2661) combines features of L2F and PPTP and works at the Data Link layer.
- IPSec - Internet Protocol Security, developed by the IETF and implemented at layer 3. It is a collection of security measures that address data privacy, integrity, authentication, and key management, in addition to tunneling.
Authentication Protocols Supported
- CHAP - Challenge Handshake Authentication Protocol - encrypts user names and passwords, but not session data. Works with non-Microsoft clients.
- EAP - Extensible Authentication Protocol. Allows for an arbitrary authentication mechanism to validate a dial-in connection. Uses generic token cards, MD5-CHAP and TLS.
- EAP-TLS - Transport Layer Security. Primarily used for digital certificates and smart cards.
- MS-CHAP (V1 and 2) - Microsoft Challenge Handshake Authentication Protocol. Encrypts entire session, not just username and password. V2 is supported in Windows 2000 and NT 4.0 and Win 95/98 (with DUN 1.3 upgrade) for VPN connections.
- PAP - Password Authentication Protocol. Sends username and password in clear text.
- RADIUS - Remote Authentication Dial-in User Service. Provides authentication and accounting services for distributed dial-up networking.
- SPAP - Shiva Password Authentication Protocol. Used by Shiva LAN Rover clients. Encrypts password, but not data.
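The difference between PAP and CHAP in the list above is easiest to see by looking at what actually crosses the line. The following Python is an added example, not code from the guide or from Microsoft; it implements the CHAP response as defined in RFC 1994 (MD5 over the identifier, the secret and the challenge) and, for contrast, the plaintext PAP request. The user name, secret and challenge bytes are constructed values.

```python
import hashlib
import hmac
import os


def pap_authenticate_request(username, password):
    """PAP: both fields travel as-is, so anyone watching the line reads the password."""
    return {"peer_id": username, "password": password}


def chap_challenge(length=16):
    """The authenticator picks a fresh random challenge for every authentication."""
    return os.urandom(length)


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_verify(identifier, stored_secret, challenge, response):
    """The authenticator recomputes the hash from its own copy of the secret and
    compares in constant time; the secret itself never leaves either side."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def on_the_wire(identifier, challenge, response):
    """What an observer of a CHAP exchange sees: an id, random bytes and a hash."""
    return {"identifier": identifier, "challenge": challenge.hex(), "response": response.hex()}


if __name__ == "__main__":
    secret = "s3cret-dialin"          # constructed shared secret
    challenge = chap_challenge()
    resp = chap_response(1, secret, challenge)
    print("PAP packet:", pap_authenticate_request("jdoe", secret))
    print("CHAP packet:", on_the_wire(1, challenge, resp))
    print("verified:", chap_verify(1, secret, challenge, resp))
```

The last assertion in the accompanying check matters most for a reviewer: a response captured from one exchange does not verify against the next challenge, which is the property PAP lacks. Note that CHAP requires the server to keep a reversible copy of the secret, which is why the guide's MS-CHAP and EAP-TLS entries matter for Windows deployments.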
Bandwidth Allocation Protocols
- BACP - Bandwidth Allocation Control Protocol. It is used with PPP.
- BAP - Bandwidth Allocation Protocol is a bandwidth control protocol for PPP connections. It is a new protocol with Windows 2000. It works with BACP.
Transport Protocols Supported
- NetBEUI - Microsoft developed a suite of protocols around NetBIOS using NetBEUI for transport. The primary advantage of this protocol is that it is easy to configure and Microsoft claims that it runs faster.
- NWLink (IPX/SPX) - IPX/SPX is a routable protocol and can be used for small and large networks. It was created by Novell primarily for Novell NetWare networks, but is popular enough that it is used on products that are not from Novell.
- TCP/IP - A routable protocol installed by default in Windows 2000 which can be used to connect heterogeneous networks. Each computer on the network is identified by a 32-bit IP address, which can be entered manually or provided automatically by a DHCP server.
- Incorrect subnet masks and gateways cause common TCP/IP problems.
- Check DNS settings if an IP address works but a hostname won’t.
- The Ping command tests connections and verifies configurations.
- The Tracert command checks a route to a remote system.
- Use IPConfig and IPConfig /all to display current TCP/IP configuration.
- Use NetStat to display statistics and connections for TCP/IP protocol.
- Use NBTStat to display statistics for connections using NetBIOS over TCP/IP
- AppleTalk - Apple Computers have had their own set of protocols for many years. More and more operating systems today now can communicate with Apple systems using Apple networking protocols.
Supported Connection Types
The RAS service supports both hardware ports and virtual private networking (VPN) ports. VPN is a method of providing an encrypted virtual private network over a public network. It encapsulates IP packets as data inside other IP packets (tunneling) to send them across the public network.
- Analog Telephone (PSTN). Uses PPP or SLIP for support over PSTN lines. NT RAS hosts only answer when PPP is used, but the other protocols are supported for dial out. SLIP only supports TCP/IP and does not support logon encryption or dynamic IP assignments.
- Digital Telephone (ISDN)
- X.25 - Packet switching protocol used on dial-up or leased lines.
- Point to point tunneling protocol (PPTP) and L2TP for VPN connections across the Internet
- RS-232 Null modem cable.
Clients that the RAS server can host
- TCP/IP clients using PPP
- LAN Manager
- DOS RAS
- Windows for Workgroups
- Windows 95/98
- Windows NT 3.1 and above
- Windows 2000
Remote Access Policies
With Remote Access Policies you define rules with conditions that the system evaluates to see whether a particular user can connect or not.
You can have any number of policies in a native Windows 2000 domain. When a caller connects, the policy conditions are evaluated one by one to see whether the caller gets in or not. All of the conditions in the policy must match for the user to gain access. If there are multiple policies, they are evaluated according to an order you specify. The three components of a remote access policy are its conditions, permissions and profile:
- Conditions - List of parameters (time of day, user groups, IP addresses or Caller IDs) that are matched to the parameters of the client connecting to the server. The first policy that matches the parameters of the inbound connection is processed for access permissions and configuration.
- Profile - Settings (authentication and encryption protocols) which are applied to the connection. If connection settings do not match the user's dial-in settings, the connection is denied.
- Permissions - Connections are allowed based on a combination of the dial-in properties of a user's account and remote access policies. The permission setting on the remote access policy works with the user's dial-in permissions in Active Directory, providing a wide range of flexibility when assigning remote access permissions.
If there are no Remote Access Policies, the connection is denied. The connection is allowed if it matches the conditions of one policy, but may later be denied if the permissions or the profile are not met. The order of the policies may be set using the "Routing and Remote Access" tool. The profile component is applied to the connection rather than matched against it; if the dial-in client cannot comply with the profile settings, the connection is terminated. The "Routing and Remote Access" tool can be used to monitor the status of the RAS server and its connections.
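The evaluation order just described (first policy whose conditions all match, then the permission combined with the user's dial-in setting, then the profile) is the part candidates most often get wrong, so here it is as a runnable decision function. This Python is an added example written for this guide, not Microsoft's RRAS logic; the policy list, the condition attributes (`group`, `hour`), the user dial-in values `allow`/`deny`/`policy` and the profile fields are constructed for illustration.

```python
def condition_matches(cond, conn):
    """A condition names a connection attribute and either a set of accepted
    values or a half-open numeric range (used here for the hour of day)."""
    value = conn.get(cond["attr"])
    if "in" in cond:
        return value in cond["in"]
    low, high = cond["range"]
    return value is not None and low <= value < high


def evaluate_remote_access(conn, user, policies):
    """Return (decision, reason) using the order: conditions, permission, profile."""
    if not policies:
        return "deny", "no remote access policies defined"
    for policy in policies:                        # order as set in Routing and Remote Access
        if not all(condition_matches(c, conn) for c in policy["conditions"]):
            continue                               # first policy whose conditions all match wins
        dial_in = user.get("dial_in", "policy")    # allow / deny / policy (control via policy)
        if dial_in == "deny":
            return "deny", "user account dial-in permission is deny"
        if dial_in == "policy" and policy["permission"] != "grant":
            return "deny", f"policy '{policy['name']}' denies access"
        profile = policy["profile"]                # applied, not matched
        if conn["auth"] not in profile["auth"]:
            return "deny", f"authentication {conn['auth']} not allowed by profile"
        if profile.get("require_encryption") and not conn.get("encrypted"):
            return "deny", "profile requires encryption"
        return "allow", f"policy '{policy['name']}'"
    return "deny", "no policy matched the connection"


# Constructed policies, evaluated in this order.
POLICIES = [
    {"name": "Sales business hours",
     "conditions": [{"attr": "group", "in": {"Sales"}}, {"attr": "hour", "range": (8, 18)}],
     "permission": "grant",
     "profile": {"auth": {"MS-CHAPv2", "EAP-TLS"}, "require_encryption": True}},
    {"name": "Deny everyone else",
     "conditions": [{"attr": "hour", "range": (0, 24)}],   # matches any time of day
     "permission": "deny",
     "profile": {"auth": {"MS-CHAPv2"}}},
]


if __name__ == "__main__":
    conn = {"group": "Sales", "hour": 10, "auth": "MS-CHAPv2", "encrypted": True}
    print(evaluate_remote_access(conn, {"dial_in": "policy"}, POLICIES))
    print(evaluate_remote_access({**conn, "hour": 22}, {"dial_in": "policy"}, POLICIES))
    print(evaluate_remote_access({**conn, "auth": "PAP"}, {"dial_in": "policy"}, POLICIES))
```

Two outcomes are worth checking by hand: a user whose account is set to Allow still gets in through the catch-all deny policy (the account setting overrides the policy permission, but the profile is still applied), and a user whose account is set to Deny is refused even when the first policy grants access.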
RAS Monitor
Used to monitor RAS performance. It is found on the Taskbar in the system tray next to the time. You can select it and then have it display as a window.
RAS Logging
The following registry entry controls RAS logging by turning it on or off: \HKey_Local_machine\system\CurrentControlSet\Services\Rasman\PPP\Logging
The log is stored in the file: \WINNTROOT\system32\Ras\PPP.log
Internet Connection Sharing
Windows 98 supported Internet Connection Sharing (ICS), which is now also supported in Windows 2000. ICS allows multiple PCs to share a single connection with the aid of Network Address Translation (NAT) and is intended for small office/home office (SOHO) environments. When you enable ICS, the network adapter connected to the network is given a new static IP address configuration. Existing TCP/IP connections on the computer are lost and need to be re-established.
The "Routing and Remote Access" administrative tool is used to enable routing on a Windows 2000 server that is multihomed (has more than one network card). Windows 2000 Professional cannot be a router. The "Routing and Remote Access" administrative tool or the "route" command line utility can be used to configure a static router and add routes to the routing table. A routing table is required for static routing. Dynamic routing does not require a manually built routing table since the table is built by software. Dynamic routing does require additional protocols to be installed on the computer. When using the "Routing and Remote Access" tool, the following information is entered:
- Interface - Specify the network card that the route applies to which is where the packets will come from.
- Destination - Specify the network address that the packets are going to such as 192.168.1.0.
- Network Mask - The subnet mask of the destination network
- Gateway - The IP address of the network card on the network that is configured to forward the packets such as 192.168.1.1.
- Metric - The number of routers that packets must pass through to reach the intended network. If there is more than 1, the Gateway address will not match the network address of the destination network.
Dynamic Routing
Three Windows 2000 supported dynamic routing protocols are:
Routing Information Protocol (RIP) version 2 for IP
A RIP-capable router periodically sends out announcements while simultaneously receiving announcements from its peers. This exchange of routing information lets each router learn which routers exist on the network and which destination networks each of them can reach.
Each route has an associated cost. RIP attempts to do least-cost routing by searching its routing table to find the lowest-cost route that will reach a particular destination.
RIP has two operation modes. In periodic update mode, a RIP router sends out its list of known routes at periodic intervals. In auto-static mode the RRAS router only broadcasts the contents of its routing table when a remote router asks for it.
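The static route fields listed under "Routing and Remote Access" (destination, mask, gateway, interface, metric) and the RIP least-cost rule above can be combined in one small routing table. The following Python is an added example, not code from the guide or from Windows: it does longest-prefix lookup over constructed routes, and `learn_from_rip` merges a peer's announcement at the peer's cost plus one, dropping anything that would reach RIP's hop limit of 16 (the "unreachable" value in the RIP specification; the networks, gateways and interface names are made up).

```python
import ipaddress

RIP_INFINITY = 16   # RIP hop count that means "unreachable"


class RoutingTable:
    def __init__(self):
        self.routes = []   # each: {"dest": ip_network, "gateway": str, "interface": str, "metric": int}

    def add_route(self, destination, gateway, interface, metric):
        """Route entry as typed into Routing and Remote Access (destination/mask, gateway,
        interface, metric). For a destination already present, only a lower-cost route
        replaces the existing one, which is RIP's least-cost rule."""
        net = ipaddress.ip_network(destination, strict=False)
        for r in self.routes:
            if r["dest"] == net:
                if metric < r["metric"]:
                    r.update(gateway=gateway, interface=interface, metric=metric)
                return
        self.routes.append({"dest": net, "gateway": gateway, "interface": interface, "metric": metric})

    def lookup(self, address):
        """Longest-prefix match, then the lowest metric among equal prefixes."""
        addr = ipaddress.ip_address(address)
        matches = [r for r in self.routes if addr in r["dest"]]
        if not matches:
            return None
        return max(matches, key=lambda r: (r["dest"].prefixlen, -r["metric"]))

    def rip_announcement(self):
        """What this router sends in a periodic update: (destination, metric) pairs."""
        return [(str(r["dest"]), r["metric"]) for r in self.routes]

    def learn_from_rip(self, announcement, peer_address, interface):
        """Distance-vector update: each announced network is reachable through the
        peer at the peer's cost plus one hop."""
        for destination, metric in announcement:
            cost = metric + 1
            if cost >= RIP_INFINITY:
                continue          # unreachable via this peer; never installed
            self.add_route(destination, peer_address, interface, cost)


if __name__ == "__main__":
    rt = RoutingTable()
    rt.add_route("192.168.1.0/24", "192.168.1.10", "LAN", 1)   # directly connected
    rt.add_route("10.0.0.0/8", "192.168.1.1", "LAN", 2)
    rt.add_route("0.0.0.0/0", "192.168.1.254", "LAN", 1)       # default route
    print(rt.lookup("10.1.2.3"))
    peer = RoutingTable()
    peer.add_route("172.16.0.0/16", "192.168.1.2", "LAN2", 1)
    rt.learn_from_rip(peer.rip_announcement(), "192.168.1.2", "LAN")
    print(rt.lookup("172.16.5.5"))
```

Because `learn_from_rip` installs whatever a peer announces, the example also shows why RIP is only appropriate where every router on the segment is trusted: there is no authentication in this toy, and a bogus announcement with a low metric would win the least-cost comparison. RIP version 2 adds an authentication option that Windows 2000 exposes in the interface properties, and restricting which peers are accepted is the usual mitigation.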
OSPF
OSPF is also designed to allow routers to dynamically share routing data.
- Area border router - A router that interfaces to subnets in more than one OSPF area.
- Autonomous system - Routing areas that are administered by a single organization.
- Autonomous system boundary router - A router that connects an autonomous system to another autonomous system or the Internet.
- Backbone area - The main OSPF or root routing area that is connected to all other areas with an ID of 0.0.0.0 (ID number does not reflect any IP address).
- Internal router - Router that does internal routing.
- Internal routing - Routing done in one routing area.
- Routing area - A group of IP subnets connected by links with an ID similar to an IP address that is used to identify the area. In Active Directory, a routing area would likely be configured for each site. Passwords are used for each routing area.
Network Address Translation (NAT)
It is used to allow one computer to masquerade on one interface for all other computers that are on another of its interfaces. It is not a firewall but adds security by allowing multiple computers to access the Internet or an external network through it. External computers cannot directly contact computers on the network inside the NAT computer. The only registered interface is the interface on the NAT computer on the outside. If it is on the Internet, it must have a registered IP address. NAT must be set up to use an interface that is set for routing. The "Routing and Remote Access" administrative tool is used to install and configure NAT.
- Addressing - A server component that assigns IP address, net mask, gateway, and DNS server address to clients.
- Translation - Maintains NAT table for connections.
- Name Resolution - Acts as DNS server for internal machines on the network.
TCP/IP Packet Filtering
Controls the type of packets (based on destination port) that a routing interface will receive or forward. It is configured using the "Network and Dial-up Connections" folder by right clicking on the local connection and selecting "Properties". You can set specific TCP and UDP ports along with specific IP protocols. Each protocol has a protocol number listed in the protocol or protocols file. Some examples are TCP, UDP, ICMP, IGMP, and more.
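The NAT translation component (the table of connections) and the stateless packet filter described above are shown together in the following Python, an added example that is not Windows code or code from the guide. It uses the protocol numbers from the protocols file (ICMP 1, IGMP 2, TCP 6, UDP 17); the public address, inside hosts and outside hosts are constructed from the documentation ranges 198.51.100.0/24 and 192.0.2.0/24, and the port-allocation scheme (sequential from 10000) is an assumption of the example.

```python
from dataclasses import dataclass, replace

# Protocol numbers as listed in the protocols file.
PROTO = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int


def passes_input_filter(pkt, permitted):
    """Stateless input filter on a routing interface. 'permitted' holds
    (protocol number, destination port) pairs; protocols without ports
    (ICMP, IGMP) are listed with port 0 and matched on protocol alone."""
    if pkt.proto in (PROTO["tcp"], PROTO["udp"]):
        return (pkt.proto, pkt.dport) in permitted
    return (pkt.proto, 0) in permitted


class NatRouter:
    """Masquerades every inside host behind one public address (the translation component)."""

    def __init__(self, public_ip, first_port=10000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_inside = {}    # (proto, inside ip, inside port) -> public port
        self.by_public = {}    # (proto, public port) -> (inside ip, inside port)

    def outbound(self, pkt):
        """Rewrite the source to the public address and record the mapping."""
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.by_inside:
            port = self.next_port
            self.next_port += 1
            self.by_inside[key] = port
            self.by_public[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.by_inside[key])

    def inbound(self, pkt):
        """Only traffic answering an existing translation reaches the inside;
        an unsolicited packet from outside has no table entry and is dropped (None)."""
        entry = self.by_public.get((pkt.proto, pkt.dport))
        if pkt.dst != self.public_ip or entry is None:
            return None
        inside_ip, inside_port = entry
        return replace(pkt, dst=inside_ip, dport=inside_port)


if __name__ == "__main__":
    nat = NatRouter("198.51.100.1")
    out = nat.outbound(Packet(PROTO["tcp"], "192.168.0.10", 4444, "192.0.2.80", 80))
    print("outbound rewritten:", out)
    print("reply:", nat.inbound(Packet(PROTO["tcp"], "192.0.2.80", 80, "198.51.100.1", out.sport)))
    print("unsolicited:", nat.inbound(Packet(PROTO["tcp"], "192.0.2.99", 5555, "198.51.100.1", 3389)))
    print("filter tcp/23:", passes_input_filter(Packet(6, "192.0.2.5", 1, "198.51.100.1", 23), {(6, 80)}))
```

The filter here is deliberately stateless, matching how the Windows 2000 TCP/IP filtering dialog works: it inspects only protocol and destination port, with no notion of an established connection. That is why the guide describes NAT as "not a firewall" and why a permit list on a NAT router's external interface has to allow the translated reply ports or it will block legitimate return traffic.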
IPSec
IPSec (Internet Protocol Security) encrypts TCP/IP data so that captured traffic cannot be read by outsiders. It is used both on internal networks and between two private networks across the Internet to support virtual private networking (VPN). It operates in two modes:
- Transport mode - The data portions of the packet are encrypted.
- Tunnel mode - The entire original packet, address portion and data portion, is encrypted and carried as the data portion of a new IP packet with a new address. It is used between two routers for VPN.
Supported Authentication Methods
- Shared secret - A key or phrase known to both parties.
- Certificates - A certificate is signed with the issuer's private key and verified with the corresponding public key, so it can be used for authentication.
Enabling IPSec
IPSec is enabled on individual computers by using the "Network and Dial-up Connections" folder. The "Domain Security Policy" administrative tool enables IPSec on all computers or all domain controllers in a domain. "Active Directory Users and Computers" can be used to create a group policy object that enables IPSec on the Windows 2000 computers in an organizational unit. IPSec is managed with the Microsoft Management Console (MMC) IP Security Policy snap-in.
IPSec Rules
One IPSec policy may be assigned to a computer. A policy contains one or more rules, which are applied from the most restrictive to the least restrictive. Each rule consists of:
- IP Filter - Defines the type of traffic the rule applies to.
- IP Filter Action - Determines how the type of traffic is handled such as requiring encryption, requesting encryption for outgoing traffic, or allowing traffic that is not encrypted.
- Authentication Method - Three methods are available: the Windows 2000 default, Kerberos 5, or an encryption key.
- Tunnel Setting - Determines whether IPSec will work in transport ("This rule does not specify a tunnel") or tunnel mode ("The tunnel endpoint is specified by this IP address").
- Connection Type - Determines if the rule applies to the local area network, all network connections or to remote access.
IPSec policy is assigned using "Active Directory Users and Computers". The IP Security Monitor tool is used to monitor IPSec; although it is a graphical tool, it is started from the command line by typing "Ipsecmon" followed by the name of the computer to be monitored.
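To make the five rule parts above concrete, here is an added example (not Microsoft's implementation and not code from this guide) that models how a policy's rules select the treatment of one packet. The ordering it assumes is that the most specific matching IP filter wins and, among equally specific filters, the more restrictive action wins; the rule names, addresses (documentation ranges) and ports in the sample policy are constructed.

```python
from dataclasses import dataclass
from typing import Optional

ANY = "*"
# Lower rank = more restrictive filter action.
ACTION_RANK = {"require": 0, "request": 1, "permit": 2}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str = ANY                  # IP filter: source address or "*"
    dst: str = ANY                  # IP filter: destination address or "*"
    proto: str = ANY                # IP filter: "tcp", "udp", "icmp" or "*"
    dst_port: object = ANY          # IP filter: destination port (int) or "*"
    action: str = "permit"          # filter action: "require" security, "request" it, or "permit" clear text
    tunnel_endpoint: Optional[str] = None   # tunnel setting: None means transport mode
    connection: str = "all"         # connection type: "lan", "remote" or "all"

    def specificity(self):
        """Number of filter fields that are not wildcards."""
        return sum(v != ANY for v in (self.src, self.dst, self.proto, self.dst_port))

    def matches(self, src, dst, proto, dst_port, connection):
        return (self.src in (ANY, src) and self.dst in (ANY, dst)
                and self.proto in (ANY, proto) and self.dst_port in (ANY, dst_port)
                and self.connection in ("all", connection))

    def mode(self):
        return "tunnel" if self.tunnel_endpoint else "transport"


def select_rule(policy, src, dst, proto, dst_port=ANY, connection="lan"):
    """Pick the rule that governs one packet, or None if no rule matches.
    The most specific matching filter wins; among equally specific filters
    the more restrictive action (require > request > permit) wins."""
    candidates = [r for r in policy if r.matches(src, dst, proto, dst_port, connection)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.specificity(), ACTION_RANK[r.action]))


# Constructed sample policy: secure everything, with narrow clear-text
# exceptions and a tunnel-mode rule for traffic to a branch-office host.
POLICY = [
    Rule("secure-all", action="require"),
    Rule("allow-icmp", proto="icmp", action="permit"),
    Rule("dns-clear-on-lan", proto="udp", dst_port=53, action="permit", connection="lan"),
    Rule("branch-vpn", dst="10.2.0.5", action="require", tunnel_endpoint="203.0.113.2"),
]


if __name__ == "__main__":
    for args in (("10.1.0.5", "10.1.0.9", "tcp", 445),
                 ("10.1.0.5", "10.1.0.9", "udp", 53, "remote"),
                 ("10.1.0.5", "10.2.0.5", "tcp", 80)):
        rule = select_rule(POLICY, *args)
        print(args, "->", rule.name, rule.action, rule.mode())
```

The connection-type field is what stops the DNS exception from applying to remote access: the same UDP/53 packet over a remote connection falls back to the catch-all "secure-all" rule.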
Certificate Services
Certificate Services is used to manage and issue security certificates, which provide secure web connections between the web client and the web server. The "Add/Remove Programs" applet in the Control Panel is used to add Certificate Services.
Terms used are:
- Certificate Authority (CA) - An organization that is trusted to issue certificates.
- Enterprise root CA - The first and most trusted CA on the network; requires Active Directory.
- Enterprise subordinate CA - Subordinate to the enterprise root CA; requires Active Directory.
- Stand-alone root CA - The root of a certificate hierarchy; does not require Active Directory.
- Stand-alone subordinate CA - Subordinate to a stand-alone root CA; does not require Active Directory.
- Public Key Infrastructure (PKI) - Implemented when certificates are used.
- Public Key
- Private Key
How users get Certificates
- Windows 2000 users can request certificates with the Certificates MMC snap-in, which is reached by typing "mmc" on the command line and adding the snap-in.
- Access http://CA_server_name/certsrv with a web browser.
- Administrators can set group policy, using the administrative tool "Active Directory Users and Computers", so that computers request certificates automatically when they are required.
Understanding Windows Internet Naming System (WINS)
WINS provides name resolution for clients running Windows NT and earlier versions of Microsoft operating systems. With name resolution, users can access servers by name instead of by IP addresses, which are difficult to recognize and remember.
The purpose of WINS is to map a NetBIOS name to an IP address. Therefore computers using WINS must be using NBT (NetBIOS over TCP/IP). WINS was originally put in place to compensate for a shortcoming of NetBEUI, namely that it is not routable. Therefore, on large networks, IP is used to transport NetBIOS, and rather than using broadcasts, name information is sent to the WINS server.
WINS maps Windows computer names to IP addresses but does not do reverse lookups from an IP address to a name. Using Windows Explorer or NET commands invokes the NetBIOS interface. A NetBIOS name repeated in another domain on the same network may cause a problem, since there is no way to distinguish NetBIOS names between two domains. Each computer, when booted, sends a name registration broadcast; if there is no response, the computer uses the name it registered. A NetBIOS broadcast releases the computer name when the computer is shut down gracefully. WINS reduces this broadcast traffic when NBT is used: the registration and release are sent to the WINS server rather than being broadcast. Clients have the IP address of the WINS server and are configured to use WINS before falling back to NetBIOS broadcasts. A backup WINS server may be available on the network for fault tolerance.
Five NBT Name Resolution Methods
- B-node - Broadcast - Uses UDP broadcast datagrams. Default node type.
- P-node - Peer to peer - Uses a NetBIOS name server such as WINS. If the WINS server is not available, broadcasts are not used as a fallback. The WINS IP address must be specified at each client.
- M-node - Mixed - Tries B-node, then P-node resolution.
- H-node - Hybrid - Tries P-node, then B-node resolution. After this attempt for Windows 2000, LMHOSTS and HOSTS files are used, and then the DNS server is used.
- Microsoft enhanced B-node - Checks address cache, which is loaded from the LMHOSTS file when the system boots. After checking address cache, a broadcast is sent, then the LMHOSTS file is checked if broadcasting did not resolve the query.
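The practical difference between the node types is which sources are consulted, in which order, and whether a failure falls through to the next source. The following added example (not code from this guide or from Windows) simulates that ordering in Python; the node orders come from the list above, with H-node also checking the local name cache first, as in the WINS query order given later on this page. The sample names and addresses are constructed.

```python
# Order in which each node type consults its sources. Constructed from the
# list above; "wins" models the NetBIOS name server, "broadcast" the hosts
# on the local subnet that would answer a UDP broadcast.
NODE_ORDER = {
    "B": ("broadcast",),
    "P": ("wins",),
    "M": ("broadcast", "wins"),
    "H": ("cache", "wins", "broadcast", "lmhosts", "hosts", "dns"),
    "enhanced-B": ("cache", "broadcast", "lmhosts"),
}


class Resolver:
    """Simulated NBT name resolver. Each source is a dict of NetBIOS name ->
    IP address; wins=None models a WINS server that does not respond."""

    def __init__(self, *, wins=None, subnet=None, lmhosts=None, hosts=None, dns=None):
        self.sources = {
            "wins": wins,
            "broadcast": subnet or {},
            "lmhosts": lmhosts or {},
            "hosts": hosts or {},
            "dns": dns or {},
        }
        # The name cache is preloaded from LMHOSTS entries when the system boots.
        self.sources["cache"] = dict(self.sources["lmhosts"])

    def resolve(self, name, node):
        """Return (ip, source, trail). ip and source are None when resolution
        fails; trail lists the sources that were tried, in order."""
        key = name.upper()
        trail = []
        for source in NODE_ORDER[node]:
            trail.append(source)
            table = self.sources[source]
            if table is None:        # no answer from the server; move on (P-node has nowhere to go)
                continue
            if key in table:
                return table[key], source, trail
        return None, None, trail


if __name__ == "__main__":
    # Constructed sample network: one name only WINS knows, one local host,
    # one remote host listed in LMHOSTS.
    r = Resolver(wins={"FILESRV": "10.1.0.20"},
                 subnet={"PRINT1": "10.1.0.30"},
                 lmhosts={"REMOTE1": "10.9.0.4"})
    for node in NODE_ORDER:
        print(node, r.resolve("FILESRV", node), r.resolve("PRINT1", node))
```

Running it shows why a P-node client is fragile: with the WINS server down it returns nothing, while an H-node client on the same subnet still finds local hosts by falling through to broadcast.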
NetBIOS Names
On the WINS server, there is a NetBIOS name for each service a NetBIOS computer offers; the service is identified by the hidden 16th character of the NetBIOS name. Up to 25 records for groups, domain browsers, and multihomed computers may be registered.
WINS Operation
Instead of sending a NetBIOS broadcast to all computers, a WINS client sends its request over TCP/IP directly to the WINS server, which resolves NetBIOS names and builds its database dynamically from these client announcements. The steps are:
- Client Name Registration - When a client service is started, the appropriate NetBIOS name for that service, for all NetBIOS processes (Using the hidden 16th byte) is sent to the WINS server. If the registration fails, the client retries every ten minutes. If the primary WINS server fails to respond, the request is sent to the secondary WINS server after three tries. If no WINS server responds, B-node broadcasts are used by the client. When contacted, the WINS server returns a time to live (TTL) field containing the length of time the client may use that name. If a duplicate name is received, the server sends a wait for acknowledgement (WACK) to the registering client. Then a challenge is sent by the server to the registered client. If the current owner responds correctly, the new client request is rejected.
- Client Lease Renewal - When the name lease is 50% elapsed, the client sends a name renewal request to the WINS server with its name and IP address. When the lease is 7/8 elapsed, the client tries again and then attempts renewal with the secondary WINS server. After four attempts with the secondary WINS server, it attempts lease renewal with the primary WINS server again.
- Client Name Release - The client sends a name release message with its name and IP address. The server responds with a positive release message. If the client receives no confirmation a NetBIOS broadcast release is sent up to three times.
- Server Name Query and Name Resolution response - With a WINS server on the network, resolution is done using H-node on UDP port 137 (NetBIOS Name Service). Name query order:
  - Local cache
  - WINS server (primary, then secondary, two times)
  - LMHOSTS file
  - HOSTS file
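The hidden 16th character and the UDP/137 name query mentioned above have a concrete wire format. The following added example (not code from this guide or from Windows) builds a 16-byte NetBIOS name from a host name and service suffix, applies the two-characters-per-byte encoding used on the wire, and assembles and parses a name query; it is useful for reading NBT traffic in a capture. The suffix table holds common service identifiers; the host names and transaction IDs are constructed.

```python
import struct

# Common service suffixes carried in the 16th byte of a NetBIOS name.
SUFFIX = {
    "workstation": 0x00,
    "messenger": 0x03,
    "domain-master-browser": 0x1B,
    "domain-controllers": 0x1C,   # group name registered by domain controllers
    "file-server": 0x20,
}

QTYPE_NB = 0x0020    # NetBIOS general name service query
QCLASS_IN = 0x0001


def netbios_name(name, suffix):
    """Upper-case, space-pad to 15 characters and append the service suffix."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    return raw.ljust(15, b" ") + bytes([suffix])


def encode_first_level(nb16):
    """Each byte becomes two letters A..P (high nibble, then low nibble)."""
    out = bytearray()
    for b in nb16:
        out.append(ord("A") + (b >> 4))
        out.append(ord("A") + (b & 0x0F))
    return bytes(out)


def decode_first_level(encoded):
    """Reverse of encode_first_level; returns (host name, suffix byte)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - ord("A")) << 4) | (encoded[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


def build_name_query(name, suffix, txid=0x1234, broadcast=False):
    """Name query as a client would send it to a WINS server (unicast) or to
    the subnet (broadcast). Header: id, flags, QD, AN, NS, AR counts."""
    flags = 0x0100 | (0x0010 if broadcast else 0)   # recursion desired; B flag for broadcasts
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = bytes([32]) + encode_first_level(netbios_name(name, suffix)) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE_NB, QCLASS_IN)


def parse_name_query(pkt):
    """Decode a name query built by build_name_query (or captured on UDP/137)."""
    txid, flags, qdcount, _, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if qdcount != 1 or pkt[12] != 32 or pkt[45] != 0:
        raise ValueError("not a single-question NetBIOS name query")
    host, suffix = decode_first_level(pkt[13:45])
    qtype, qclass = struct.unpack(">HH", pkt[46:50])
    return {"txid": txid, "broadcast": bool(flags & 0x0010),
            "name": host, "suffix": suffix, "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    # To send for real: socket.sendto(pkt, (wins_server_ip, 137)); this demo only
    # builds and decodes the bytes.
    pkt = build_name_query("FILESRV", SUFFIX["file-server"], txid=0xBEEF)
    print(pkt.hex())
    print(parse_name_query(pkt))
```

Two names that differ only in the 16th byte (for example "FILESRV<00>" and "FILESRV<20>") encode to different 32-character strings, which is how the server keeps a separate record per service for the same computer.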
WINS Database
When a client is turned off, it releases its name, but a WINS extinction interval allows the record to remain for some period in case the client is turned on again (as in the case of a reboot). The extinction interval reserves the record for that period so other clients cannot use the name until the interval expires. WINS files are in SystemRoot\System32\Wins. A file named WINS.MDB stores the WINS database, which can be backed up and repaired. The WINS service backs up the database every three hours (by default) to the configured backup path. Version numbers can be used to back up minor changes. The only way to replace a newer copy with an older copy is to delete the newer database copy first. The easiest way to restore a database is to force replication from a WINS partner that has a good copy of the database.
The following intervals govern the records in the database:
- Renewal interval - Equivalent to the DHCP lease interval, it is the amount of time the client has to re-register the NetBIOS name before the record is released.
- Extinction interval - The time a released record exists before being tombstoned.
- Extinction timeout - The time a tombstoned record exists before being erased.
- Verification interval - The time an active record exists before being verified with the name owner.
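The four intervals above, together with the 50% and 7/8 renewal points from the lease renewal step, describe one record's lifecycle: active, released, tombstoned, deleted. The following added example (not code from this guide or from Windows) models that lifecycle in Python so the transitions can be checked against a timeline. The interval values in the test are constructed for the demonstration and are not the Windows 2000 defaults; times are plain integers (hours).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WinsIntervals:
    """Timer settings in hours. Values are supplied by the caller; the ones
    used in the demo are constructed, not the Windows 2000 defaults."""
    renewal: int              # client must re-register within this time or the record is released
    extinction: int           # released -> tombstoned
    extinction_timeout: int   # tombstoned -> erased
    verification: int         # age at which an active record is re-verified with its owner


class WinsRecord:
    """Lifecycle of one name registration: active -> released -> tombstoned -> deleted."""

    def __init__(self, name, ip, now, intervals):
        self.name, self.ip, self.iv = name.upper(), ip, intervals
        self.registered = now
        self.expires = now + intervals.renewal   # the TTL handed back to the client
        self.released_at = None

    def _release_time(self):
        # Explicit release by the client, or silent expiry of the lease.
        return self.released_at if self.released_at is not None else self.expires

    def state(self, now):
        start = self._release_time()
        if now < start:
            return "active"
        if now < start + self.iv.extinction:
            return "released"
        if now < start + self.iv.extinction + self.iv.extinction_timeout:
            return "tombstoned"
        return "deleted"

    def renew(self, now):
        """Server side of a name renewal: only active records can be renewed."""
        if self.state(now) != "active":
            raise ValueError(f"{self.name} is {self.state(now)} and cannot be renewed")
        self.registered = now
        self.expires = now + self.iv.renewal

    def release(self, now):
        """Client shut down gracefully and sent a name release message."""
        if self.state(now) == "active":
            self.released_at = now

    def client_should_renew(self, now):
        """The client sends its first renewal request at 50% of the lease."""
        return self.state(now) == "active" and now >= self.registered + self.iv.renewal // 2

    def client_tries_secondary(self, now):
        """At 7/8 of the lease the client turns to the secondary WINS server."""
        return self.state(now) == "active" and now >= self.registered + self.iv.renewal * 7 // 8

    def needs_verification(self, now):
        return self.state(now) == "active" and now - self.registered >= self.iv.verification

    def name_available(self, now):
        """Another client may register the name only once the record is erased."""
        return self.state(now) == "deleted"


if __name__ == "__main__":
    iv = WinsIntervals(renewal=100, extinction=40, extinction_timeout=60, verification=500)
    rec = WinsRecord("filesrv", "10.1.0.20", 0, iv)   # constructed sample registration
    for t in (0, 50, 87, 100, 140, 200):
        print(t, rec.state(t), rec.client_should_renew(t), rec.name_available(t))
```

The model makes the reservation behaviour explicit: a name that was released at shutdown is still unavailable to other clients through the whole extinction interval and extinction timeout, which is exactly the window in which a rebooting client can reclaim it.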
WINS Proxy Agent
A WINS proxy agent can be configured to act as a relay for non-WINS clients. The proxy agent intercepts client broadcast requests, forwards them to a WINS server and returns the response. It may also answer from its own cache without contacting the WINS server if it already holds the required information. One WINS proxy is used on each subnet that has non-WINS clients, so machines that are not using WINS (even Windows machines such as those without TCP/IP) can find resources on other subnets. There should be a maximum of two proxy agents per subnet. The agent must be a Windows-based client, not a server. When NetBIOS names are registered, both the proxy agent and the WINS server check the name. The proxy agent is configured at the following registry location:
WINS Replication
When two WINS servers are configured to communicate with each other, replication occurs whenever the database on one of them changes. Servers are configured as push or pull partners; a server can be both. Push partners send update notices when a database change is made. A pull partner asks its push partners for database entries more recent than its current listings. Only changes are replicated. Pull partners are used across slow links, since pull requests can be scheduled for specific times.
- A pull server will pull updates when it is started, then at chosen times thereafter.
- A push partner will send updates when a change threshold is reached. A threshold and update interval may be set.