Académique Documents
Professionnel Documents
Culture Documents
Implementing,
Managing, and
Maintaining a
Microsoft® Windows®
Server 2003 Network
Infrastructure:
Network Services
Course Outline
Main routing
components include:
Routing interface
Routing protocol
Routing table
What Are Routing Interfaces?
LAN LAN
Corp Remote
Corp
Net Site
Net
Remote Access Using
VPN Tunnel
Corp
Net
How to Enable and Configure the
Routing and Remote Access Service
Outbound Filter
Pack Rout
et er
Component Example
Source
network 192.168.0.48 Inbound
Destination Exclusion Filter
192.168.0.32
Component Example
network Source
Any
Protocol UDP network
Destination
192.168.0.32
network
How filters are Protocol UDP
applied:
AND is used within
a filter Action: Drop
OR is used
between filters
How to Configure Packet Filters
DHCP Client2:
Non-DHCP Client: IP configuration
Static IP from DHCP server
configuration
Lease Renewal
Lease Generation
DHCP Server
DHCP
Server2
DHCP DHCP
Server1 Client
DHCP
Server2
DHCP Client
DHCP
Server1
87.5%
100%
50% ofof
of
lease
duration
has
expired
If the
If the client
client
DHCP fails
fails
Client to renew
to
sends renew its lease,
it’s lease, after
a DHCPREQUEST
DHCPREQUEST after
client sends a
1
50%
87.5% ofof
the
packet thelease
leaseduration has expired,
has expired, then the then
DHCP
theDHCPlease
DHCP generation
lease
Server1 sends process
renewal aprocess
DHCPACK starts over
will begin
2
again
again with
aftera87.5%
packet DHCP of client broadcasting
the lease durationahas
DHCPDISCOVER
expired
How to Add a DHCP Server
Service
DHCP Server
LAN A LAN B
Scope Scope
A B
Scope Properties
Network ID Lease Scope name
Subnet mask duration
Router Exclusion
Network IP range
address
range
How to Configure a DHCP Scope
Subnet A Subnet B
DHCP
Workstat
Server
IP Address1: Leased to ion 2
Workstation 1
IP Address2: Leased to
Workstation 2
IP Address3: Reserved for File
and Print Server
How to Configure a DHCP
Reservation
Scope A Scope B
Rout
er
Windows Windows
XP XP
DHCP option
DHCP option
applied at the
applied at the
reserved-client
server
scope level
level
level
How DHCP Class-level Options Are
Applied
Rout Rout
er er
Scope A Scope B
Windows Windows
XP XP
DHCP option
applied at the
class level
How to Configure DHCP Options
Unicast
Broadcast Broadcast
Subnet A Subnet B
Routers
Non-RFC
1542
Compliant
Clie Clie Clie Clie
nt nt nt nt
How a DHCP Relay Agent Works
DHCP
DHCP Relay Agent
Server
Clien Clien
Clien t2 Router
Non-RFC 1542 Compliant t3
t1
DHCP Relay
Agent 2
Hop
Count = 2
DHCP Relay Agent 1
DHCP
Server
How a DHCP Relay Agent Uses
Boot Threshold
The boot threshold is the length of time in
seconds that the DHCP Relay Agent will wait for
a local DHCP server to respond to client
requests before forwarding the request
DHCP
Boot Server 2
Threshold
= 10
DHCP Relay Agent
seconds
Local DHCP
Server
DHCP
Server 3
How to Configure a DHCP Relay
Agent
DHCP Offline
Server Restore Storage
DHCP
Back Restore
up
DHCP Back
up
In the
If
The the
DHCP
administrator
original
eventservice
that
database
the
automatically
moves
server
isaunable
copy
hardware
backs
of
tothe
load,
fails,
up the
DHCP
backed
the administrator
database
service
up DHCPautomatically
to
database
can
the restore
backup
torestores
an
only
directory
offline
from
fromon
thethe
the local
backup
storage
offline storage
directory
location
drive location
on the local drive
How to Back Up and Restore a
DHCP Database
Detailed IP
DHCP address
lease Compares
Database informatio information to
Summary
n find
IP address inconsistencie
Registry s
lease
informatio
n Reconciles
inconsistencie
DHCP Server s in the DHCP
database
Example
Summary Detailed Reconciled DHCP
information information database
Client has IP IP address
Create an active
address 192.168.1.34
lease entry
192.168.1.34 is available
How to Reconcile a DHCP
Database
DHCP Server
Name
Resolution
Computer44 Service
1
Where is
the 192.168.1.2002
Compute
r44 file?
Computer44
What Are Host Names?
Server1 = 192.168.0.66
server1.training.nwtraders.msft.
Server2
How to View Names on a Client
Client NetBIOS
Resolver DNS Lmhost File
Name Cache WINS Broadcast
Cache/Host
s File
1Salescomputer2 2192.168.1.35
What is the
IP address
for
Salescompu
ter2? 3
Salescomputer2
Computer1
NetBIOS
Name CacheWINS BroadcLmhosts File
ast
Salescomputer2
1 192.168.1.35 2
What is the
IP address
for
Salescompu
ter2?
3
Salescomputer2
NetBIOS name resolution is
the process of mapping a
NetBIOS name to an IP
address
NetBIOS Name Cache
A NetBIOS name cache is a location in memory that
stores NetBIOS names that have recently been
resolved to IP addresses whether through a WINS
server, broadcast, or Lmhosts file
Computer1
Broadcast
Broadcast
Router
1
Root Domain
Second-Level nwtraders
Domain
FQDN:
server1.sales.south.nwtr sales Host: server1
aders.com
Standards for DNS Naming
A-Z
a-z
0-9
Hyphen (-)
RSE_PPTLogo2
How to Install the DNS Server
Service
Root “.”
Resource
Record
.com
.edu
Resource
Record
Recursive query
for
mail1.nwtraders
.com
172.16.64.11 Database
Cluster of Cluster of
DNS Servers Root (.) Servers
Root Hints
com
DNS Server
micros
Computer1
oft
How Iterative Queries Work
An iterative query is a query made to a DNS server in
which the DNS client requests the best answer that
the DNS server can provide without seeking further
help from other DNS servers. The result of an
iterative query is often a referral to another DNS
server lower in the DNS tree
Iterative Query
Local Root Hint (.)
Ask 1
DNS Server Iter.com
ative
om
der ry for
Query
s.c
Ask .com
nwtr
nw que
ader 2
1
Itesr.co
4.1
tra
m ativ
il1. ve
Aut eQ
6.6
hor uer
ma cursi
itat y
ive
2.1
Res
pon
Re
17
se
3
Computer1 nwtraders.com
How Forwarders Work
Query
Ask n
Qu
wtra .com
ders.
4.1
ive
com
6.6
Iter
rs
ativ
cu
2.1
Aut eQ
hor
Re
itat uer
y
17
172 i ve
.16. Res
64.1 pon
Rec 1 se
u
mai rsive q
l1.n
wtra uery fo nwtraders.com
Local d ers. r
com Computer1
DNS Server
How DNS Server Caching Works
Caching Table
IP
Host Name TTL
28
Address
clientA.contoso 192.168.
second
.msft. 8.44
ClientA is s
Where’s
at
192.168.8
Client A?
.44
ClientA
Client1 ClientA is
at
Where’s
Client2 192.168.8
Client A?
.44
Caching is the process of temporarily storing
recently accessed information in a special memory
subsystem for quicker access
How to Configure Properties for the
DNS Server Service
DNS
DNS DNS ClientC
ClientA ClientB
A resource record (RR) is a standard DNS database
structure containing information used to process DNS
queries
A zone is a portion of the DNS database that contains the
resource records with the owner names that belong to the
contiguous portion of the DNS namespace
What Are Resource Records and
Record Types?
Nwtraders
Zones Description
Read/Write
Read/write copy of a DNS
database
Primary
Read-Only
Read-only copy of a DNS
database
Secondary
Copy of
limited Copy of a zone containing
records limited records
Stub
How to Change a DNS Zone Type
Namespace: training.nwtraders.msft.
DNS 192.168.
Forwa Client1
DNS 2.45
192.168.
DNS Server Authorized rd Training
for training Client2 2.46
zone DNS 192.168.
Client3 2.47
192.168.2 DNS
.45
Rever 1.168.19 192.168.2 Client1
DNS
se 2.in- .46 Client2
zone addr.arpa 192.168.2 DNS
.47 Client3
DNS Client2
=?
192.168.2.
46 = ?
DNS
Client3
DNS
DNS
Client1
Client2
How to Configure Forward and
Reverse Lookup Zones
SOA
1 query for a zone
SOA
2 query answered
IXFR
3 or AXFR query for a zone
IXFR
4 or AXFR query answered
(zone transfer)
Secondary Server Primary and
Master Server
How DNS Notify Works
Resource
Destination Server 1 record is Source Server
updated
2 SOA serial
number is
updated
3DNS notify
4Zone transfer
Secondary Server Primary and
Master Server
How to Configure DNS Zone
Transfers
1
2
Window Server 2003
IP Address LeaseDHCP Down-
Running DHCP level Client
How to Configure DNS Manual and
Dynamic Updates
DNS zone
type
Non Active
Benefit
Directory-
Does not require Active
integrated
Active Directory
Stores DNS zone data in Active
zone
Directory- Directory and is thus more
integrated secure
zone
Uses Active Directory
replication instead of zone
transfers
Allows only secure dynamic
updates
Uses multi-master instead of
single master structure
An Active Directory-integrated DNS zone is a
DNS zone stored in Active Directory
How Active Directory-Integrated
DNS Zones Use Secure
Dynamic Updates
A secure dynamic update is a process in which a client
submits a dynamic update request to a DNS server, and
the server attempts the update only if the client can
prove its identity and has the proper credentials to make
the update
Find authoritative server
DNS Client
running Local
Windows XP Result DNS Server
Find au
thoritat
ive
Rseesruvlet r
Attemp
t non-s
ecure u
Refus pdate
Secure
updeadt
e nego
Accept tiation
ed
1. The
preferred
DNS
server is
the one
that the 4. The preferred and
client tries alternate DNS
first servers specified on
the Properties page
automatically
appear at the top of
2. If the preferred this list, and
server fails, the preferred and
client tries the alternate servers
alternate DNS are queried in the
server order they are listed
How Suffixes Are Applied
server1.south.nwtraders.com
server1.nwtraders.com
Connection
Specific
RSE_PPTLogo2
Suffix
How to Configure a DNS Client
Namespace:
The administrator, training.nwtraders.msft
at
the nwtraders.com
level of the DNS server
namespace,
delegates authority
for
training.nwtraders.co
m and offloads training.nwtraders.msft
administration of DNS
for that part of the
Training.nwtraders.co
namespace
m now has its own DNS server
administrator and
DNS server to resolve
queries in that part of
the
namespace/organizati training.nwtraders.msft
on
Delegation is the process of assigning authority over
child domains in your DNS namespace to another entity
by adding records in the DNS database
How to Delegate a Sub-domain to
a DNS Zone
C C
ach ach Zone
e e Authoritative
DNS Client DNS Server1 DNS Server2TTL set
on the zone
7-days 7-days
Aging
How to Configure Aging and
Scavenging
Authoritative zone:
training.nwtraders.msft
WINS
Server
Subnet 2 WINS
Datab
ase
WINS
Client
Subnet 1
WINS
Proxy
What Is a NetBIOS Node Type?
Node Registr
Description
type y value
Uses broadcasts for name
B-node 1
registration and resolution
Uses a NetBIOS name server
P-node such as WINS to resolve NetBIOS 2
names
Combines B-node and P-node,
M-node but functions as a B-node by 4
default
Combines P-node and B-node,
H-node but functions as a P-node by 8
default
How a WINS Client Registers and
Releases NetBIOS Names
Name
Registered
Name
Released
2 Registered
How a WINS Server Resolves
NetBIOS Names
Up to 3
attempts WINS Server A
ClientA 1
Subnet 2
Subnet
1 2
WINS Server B
3 Subnet 2
he
Theregistered
service
The Displays
IPthat
The
The
address
NetBIOS
WINS
registered
state
“x”
that
server
of
name,
A
tounique
the
indicate
corresponds
the
database
which
from
entry,
Shows
hexadecimal
whether
which
can
including
when
to
entry,
be
the
the
a
the
the
unique
entry
registered
which
number
entry
the
entry
originates
can
is
that
will
be expire
the WINS
ame,
hexadecimal
or
name
a group,
static
active,
typeand
internet
identifier
released,
displays
server
group,
“null”
or
assigns
tombstoned
or multihomed
or during
is blankname
ifcomputer
theregistration
entry is not static
What Is a Static Mapping?
Administrator enters
computer
name-to-IP address
Non-WINS Clients entry WINS Database
How to Add a Static Mapping
Entry
HostA HostB
How Push Replication Works
Subnet 1 1 Subnet 2
50 changes
occur in
database
Subnet 1
Subnet 2
Property Description
Enable automatic As WINS servers are discovered
partner joining the network, they are
configuration added as replication partners
Enable persistent Increases the speed of replication
so that a server can immediately
connections send records to its partners
Enable overwrite If presented with both a static and
unique static dynamic-type entry for the same
mappings at this name, the static mapping is
server (migrate on) overwritten
How to Configure WINS
Replication
Implementing IPSec
Implementing IPSec with Certificates
Monitoring IPSec
Lesson: Implementing IPSec
Active
1 Directory
IPSec IPSec
Policy Policy
Security
Association
Negotiation
(ISAKMP)
2
TCP TCP
Layer Layer
IPSec IPSec
Driver Driver
3 Encrypted IP
Packets
What Is an IPSec Security Policy?
What Is a Certificate?
Common Uses of Certificates
Why Use Certificates with IPSec to Secure
Network Traffic?
Multimedia: Certificate Enrollment
How to Configure IPSec to Use a
Certificate
What Is a Certificate?
Certificates:
Securely bind a public key to the
entity that holds the corresponding
private key
Are digitally signed by the issuing
certificate authority (CA)
Verify the identity of a user,
computer,
or service that presents the
certificate
Contain details about the issuer
Common Uses of Certificates
Internet
Authentic Encrypting
ation File
System
Digital
Signatures Secure E-
IP Security Mail
Smart
Card Software
Logon Code
Signing
Why Use Certificates with IPSec
to Secure Network Traffic?
IP Security
• To allow an enterprise to
interoperate with other organizations
that trust the same CA
• When you need a higher level of
security than provided by the
Kerberos protocol or preshared keys
• For clients that are not part of an
Active Directory structure or do not
support the Kerberos protocol
Multimedia: Certificate
Enrollment
IP Security Monitor
Guidelines for Monitoring IPSec
Policies
How to Stop and Start the IPSec
Services
How to View IPSec Policy Details
IP Security Monitor
Wireless Dial-up
Access
Point NetworkClient
access
service
Network access
clients
Wireless Authentication
Client service
Active Directory (not
Configuration Requirements for a
Network Access Server
2 1
VPN Server
Domain
Controller
VPN
Client
2 VPN server
answers the call 4
VPN server transfers
data
Components of a VPN Connection
VPN Tunnel
Tunneling
VPN Protocols
Tunneled
Server Data
VPN
Domain Client
Controller Authentica Transit
Network
tion
Remote Remote
Access Server Access Server
Remote User to Branch Office to Branch
Corp Net Office
Configuration Requirements for a VPN
Server
Remote Access
Server
Domain
Controller
Dial-up
Client
1 3
Dial-up client calls RA server authenticates
the RA server and authorizes the client
2 RA server
answers the call 4 RA server transfers
data
Components of a Dial-up
Connection
WAN Options:
Telephone, ISDN,
Domain X.25, or ATM Dial-up Client
Controller
Authentication
DHCP
Server Address and Name Server Allocation
Authentication Methods for a
Dial-up Connection
Mutual Authentication
Remote
Access Server Remote
Access
User
Strongest method: EAP-TLS with
smart cards
Configuration Requirements for a
Remote Access Server
IAS
Server
Standard Description
Infrastruct Clients connect to
ure WLAN wireless
Network access
wirelesspoints
Wireless Peer-to- clients communicate
Access Point peer directly with each
Wireless WLAN other without the use
Client of cables
Components of a Wireless
Connection
Authenticati Remote
Access
on Server
Port
s
Domain
Controller
DHCP Wireless
Server Access
Point
Wireless
Address and Name Client
Server Allocation (Station)
Wireless Standards
Standa
rd Description
A group of specifications for WLANs developed by IEEE
802.11 Defines the physical and MAC portion of the OSI data-
link layer
11 megabits per second
802.11
Good range but susceptible to radio signal interference
b
Popular with home and small business users
Transmissions speeds as high as 54 Mbps
Allows wireless LAN networking to perform better for
802.11 video and conferencing applications
a
Works well in densely populated areas
Is not interoperable with 802.11, 802.11b, 802.11g
802.11 Enhancement to and compatible with 802.11b
g 54 Mbps but at shorter ranges than 802.11b
Authenticates clients before it lets them on the network
Can be used for wireless or wired LANs
802.1x
Requires greater hardware and infrastructure
investment
Authentication Methods for
Wireless Networks
802.1x
Authentication Description
Methods Provides mutual authentication
Uses certificates for server
EAP-MS-CHAP v2 authentication and password-
based credentials for client
Provides mutual authentication and is
authentication
the strongest method of
EAP-TLS authentication and key determination
Uses certificates for both server and
client authentication
Provides support for EAP-TLS and
PEAP EAP-MS-CHAP v2
Encrypts the negotiation process
Configuration Requirements of a
Windows XP Professional Client for
Wireless Network Access
Authentication
Encryption
Advanced Settings
Remote
Access
User
How Remote Access Policies Are
Processed
START Go to next
Yes No policy
What Is RADIUS?
What Is IAS?
How Centralized Authentication Works
How to Configure an IAS Server for
Network Access Authentication
How to Configure the Remote Access
Server to Use IAS for Authentication
What Is RADIUS?
Communicates to
4 the RADIUS client to
grant or deny access
RADIUS
2
Forwards
Client
requests to a Domai
RADIUS n
server Contro
ller
Remote
Access
Clie Server
nt RADI
US
Serve 3
Authenticates
r requests and
Dials in to a local
1 RADIUS client to gain
stores
accounting
network connectivity information
How to Configure an IAS Server for
Network Access Authentication
5 1
2 3
4
Tool Description
Provides a way to view real-time
performance data that is targeted
System Monitor
toward specific components and
services
Enables you to capture specific
Performance
Logs and Alerts performance data for components
and services
Wireless Provides details about wireless
Monitor network access points and clients
How to Monitor Wireless Network
Activity
7-days 7-days
Jan 1 Jan 8 Jan 15
Refres
Time No- h Scave
stampe Refresh Interva nge
d Interval l
Aging
Scavenging process:
The
Active
Released
Namesactive
names
marked
names
names
that
for
that
that
are
deletion
the
replicated
theWINS
WINS
for
thatwhich
server
are
server
from
6
5
4
3
2
1
7 The
Names
owns
other
the scavenging
server
marked
replicated
Extinction
and
servers
replicated for
from
starts
for
timer
which
fromand
up
deletion
other
timeout
for
other
and the starts
which
servers
isareRenewthat
when
Extinction
has
servers
equal the are
expired
and
to
arehalf
thewhich
for
removed
Interval
Verification
interval
are
the
the
fromdeleted
Extinction
Renewal
the has and
expired
interval
database timeout
removed
interval hashas
marked
from
expired
expired
the for
asareare
released
revalidated
deletion and removed from the database
database
deleted
How to Scavenge the WINS
Database
WINS Server
WINS Server
WINS Server
How to Check for Consistency on a
WINS Database