
70-291

Introduction
As you study this section, answer the following questions:

When might you need to analyze and monitor network traffic?
How can Network Monitor help you analyze network traffic?
What is the difference between a counter, a filter, and a trigger?

After finishing this section, you should be able to complete the following tasks:

Configure capture and display filters using Netmon.
Enable dedicated capture mode.
Increase Netmon buffers and reduce frame size in a capture.

This section covers the following exam objectives:

303. Troubleshoot network protocol security. Tools might include the IP Security
Monitor MMC snap-in, Event Viewer, and Network Monitor.
501. Monitor network traffic. Tools might include Network Monitor and System
Monitor.

Network Monitor and System Monitor

Two common tools, Network Monitor and System Monitor, are useful in monitoring your
system. While both can be used to gather some information related to network
performance, Network Monitor is the tool you will use most often to analyze network
traffic and gather information about communication between two computers. The
following table compares the features of Network Monitor and System Monitor.

Characteristic: Data collected
  Network Monitor: Captures packets (or packet fragments) and their contents. Reports
    statistics about network traffic.
  System Monitor: Monitors system statistics, producing counters and charts of system
    performance. Monitors local system components including disk, processor, memory,
    and network statistics.

Characteristic: Data reports
  Network Monitor: View contents of sent and received packets. View network traffic
    statistics.
  System Monitor: View graphs of system performance and counters.

Characteristic: Event tracking
  Network Monitor: Configure triggers to stop capture or execute a command based on a
    specific network traffic event (or packet type).
  System Monitor: Configure alerts to log an entry, send a message, or run a program
    when a counter reaches a specific threshold.

Characteristic: Identifying captured data
  Network Monitor: Configure filters to capture only specific packets or to display
    only certain packets.
  System Monitor: Select objects and counters to identify the statistics you want to
    track.

You should know the following facts about Network Monitor:

The free version of Network Monitor that comes with Windows can only monitor
traffic to and from the local computer.
To capture all network packets, use the SMS version of Network Monitor.
Even when using the SMS version, you cannot capture packets sent to other
computers on other segments through a switch. (Switched traffic is only sent to
the segment where the destination computer sits.)
Use Dedicated Capture mode with Network Monitor to ensure you capture all
packets.

Client Configuration
As you study this section, answer the following questions:

What is the purpose of an IP address?
What is the purpose of a subnet mask?
What is the purpose of a default gateway?

After finishing this section, you should be able to complete the following tasks:

Configure basic TCP/IP settings on a client.
Differentiate between host addresses, network IDs, and broadcast IDs.

This section covers the following exam objectives:

101. Configure TCP/IP addressing on a server computer.

TCP/IP Configuration Settings

The following table summarizes many of the configuration settings for a TCP/IP network.

Parameter / Purpose

IP address
  Identifies both the logical host and logical network addresses.

Subnet mask
  Identifies which portion of the IP address is the network address.

Default gateway
  Identifies the router to which packets for remote networks are sent.

Host name
  Identifies the logical name of the local system.

DNS server
  Identifies the DNS server that is used to resolve host names to IP addresses.

WINS server
  Identifies the WINS server that is used to resolve host names to IP addresses.

MAC address
  Identifies the physical address. On an Ethernet network, this address is burned in
  to the network adapter hardware.

Keep in mind the following regarding TCP/IP configuration:

All computers must be assigned a unique IP address.
Hosts on the same physical network should have IP addresses in the same address
range.
The subnet mask value for all computers on the same physical network must be
the same.
Configure the default gateway value to enable internetwork communication.
The default gateway address must be on the same subnet as the host's IP address.

IP Addressing
As you study this section, answer the following questions:

What are the four ways to assign an IP address?
What happens if any of the methods fail?

After finishing this section, you should be able to complete the following tasks:

Configure a client to use DHCP.
Configure a client using Alternate IP Configuration.

This section covers the following exam objectives:

101. Configure TCP/IP addressing on a server computer.

Choosing the Addressing Method

The table below lists options for assigning IP addresses.

Method / Uses

Static (manual) assignment
  Small number of hosts.
  Network will not change or grow.
  Hosts that must have the same address each time.
  For small networks (if the administrative time and cost is acceptable).
  For non-DHCP hosts (hosts that cannot accept an IP address from DHCP).
  To reduce DHCP-related traffic.

APIPA
  Single-subnet network.
  No DNS services.
  Automatic configuration of IP address and subnet mask only.
  Small, non-subnetted networks.
  Implementation for which you do not need to customize the default address range.

DHCP
  Small, medium, or large networks.
  Automatic configuration.
  Automatically deliver additional configuration parameters (such as default gateway,
  DNS servers).

Alternate
  A single computer connects to two networks, one without a DHCP server.
  A computer is connected to a network using DHCP, but you want it to be properly
  configured when the DHCP server is unavailable.

You should know the following facts about IP address assignments:

By default, all Windows computers try to use DHCP for TCP/IP configuration
information.
APIPA is used to automatically generate an IP address if the DHCP server is
unavailable and if no alternate address is configured.
The APIPA range is 169.254.0.1 to 169.254.255.255 with a mask of 255.255.0.0.
If the computer assigned itself an IP address (using APIPA), this means the
computer could not contact a DHCP server.
When you configure a static IP address, you disable DHCP and APIPA.
Use an alternate IP address to use DHCP on one network and static addressing on
another without reconfiguring the connection.
When you configure an alternate IP address, APIPA is no longer used when the
DHCP server can't be contacted.
You can rely on APIPA for your IP addressing solution, but only for a network
with a single subnet. APIPA does not set the default gateway or name server
address.

IP Addressing Facts

The following table lists the default IP addressing classes and masks:

Class / Address Range / Default Mask

A   1.0.0.0 to 126.255.255.255     255.0.0.0
B   128.0.0.0 to 191.255.255.255   255.255.0.0
C   192.0.0.0 to 223.255.255.255   255.255.255.0
D   224.0.0.0 to 239.255.255.255   (multicast addresses)
E   240.0.0.0 to 255.255.255.255   (experimental addresses)

You should also know the following address ranges that are reserved for private
addresses. Use these addresses on a private network that is connected to the Internet
through a network address translation (NAT) router.

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

Keep in mind the following facts about IP addresses:

The first address in a range on the subnet is the subnet address. Typically, this
address is not assigned to hosts.
The last address in a range on the subnet is the broadcast address. Typically, this
address is not assigned to hosts.
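
The following Python example is added here to work through the addressing facts above; it is not part of the original study guide. It classifies an address as host, network ID or broadcast within a given mask, looks up its class and default mask from the table above, flags private and APIPA addresses, and checks whether a default gateway sits on the host's subnet. The sample addresses are constructed.

```python
import ipaddress

# Classful ranges and default masks from the table above; 0.x and 127.x are not listed there.
CLASS_TABLE = [
    ("A", "1.0.0.0", "126.255.255.255", "255.0.0.0"),
    ("B", "128.0.0.0", "191.255.255.255", "255.255.0.0"),
    ("C", "192.0.0.0", "223.255.255.255", "255.255.255.0"),
    ("D", "224.0.0.0", "239.255.255.255", None),   # multicast
    ("E", "240.0.0.0", "255.255.255.255", None),   # experimental
]
PRIVATE_RANGES = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA_RANGE = ipaddress.IPv4Network("169.254.0.0/16")


def address_class(ip):
    """Return (class letter, default mask) for an address, or (None, None) if unlisted."""
    addr = ipaddress.IPv4Address(ip)
    for letter, low, high, mask in CLASS_TABLE:
        if ipaddress.IPv4Address(low) <= addr <= ipaddress.IPv4Address(high):
            return letter, mask
    return None, None


def describe(ip, mask):
    """Classify ip within the subnet defined by mask: host, network ID or broadcast."""
    addr = ipaddress.IPv4Address(ip)
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    if addr == net.network_address:
        role = "network ID"          # first address in the range: not assigned to hosts
    elif addr == net.broadcast_address:
        role = "broadcast"           # last address in the range: not assigned to hosts
    else:
        role = "host"
    letter, default_mask = address_class(ip)
    return {
        "role": role,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),
        "class": letter,
        "default_mask": default_mask,
        "subnetted": default_mask is not None and mask != default_mask,
        "private": any(addr in n for n in PRIVATE_RANGES),
        "apipa": addr in APIPA_RANGE,   # self-assigned: the client never reached a DHCP server
    }


def same_subnet(ip_a, ip_b, mask):
    """True when both addresses fall in one subnet under mask (e.g. host and default gateway)."""
    return ipaddress.IPv4Address(ip_b) in ipaddress.IPv4Network(f"{ip_a}/{mask}", strict=False)


if __name__ == "__main__":
    # Constructed sample addresses.
    for ip, mask in (("192.168.1.10", "255.255.255.0"), ("169.254.3.4", "255.255.0.0"),
                     ("10.0.255.255", "255.255.0.0")):
        print(ip, mask, describe(ip, mask))
    print("gateway on local subnet:", same_subnet("192.168.1.10", "192.168.1.1", "255.255.255.0"))
```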

Troubleshooting IP
As you study this section, answer the following questions:

What TCP/IP tools can you use for troubleshooting?
What is the difference between Tracert, Ping, and Pathping?
Which protocol do most of these tools use?

After finishing this section, you should be able to complete the following tasks:

Use Ping, Tracert, Pathping, and Ipconfig to diagnose and correct TCP/IP
problems.

This section covers the following exam objectives:

102. Troubleshoot TCP/IP addressing.
103. Troubleshoot DHCP.

Troubleshooting TCP/IP
Use the following tips to troubleshoot TCP/IP:

Use Ipconfig /all to verify your IP address, subnet mask, default gateway, and
other IP configuration values.
If the IP address is in the APIPA range (169.254.0.0 to 169.254.255.254), the
computer could not contact a DHCP server. Use Ipconfig /renew to try contacting
the DHCP server again.

Use Ping (Packet Internet Groper) to send small packets to a computer to see if
the computer responds. Microsoft recommends the following use of Ping:
1. Ping the loopback address (127.0.0.1). This verifies that the TCP/IP
protocol stack has been properly installed.
2. Ping the local IP address assigned to the machine. This verifies
communication to the NIC.
3. Ping the default gateway. This verifies connectivity to the default gateway
or to another machine on the local network. This verifies that the local
network is accessible.
4. Ping a remote host. This checks the connectivity between the default
gateway and the remote host.
Use Tracert to see the route packets take through an internetwork between two
devices.
Use Pathping to view the route of the connection and the connectivity response
time. This can help identify where communication latency occurs.
Use the Arp -d * command to remove all dynamic ARP entries from the ARP list.
(Arp -d clears the ARP cache.)
Use the Windows system logs to track DHCP service startup and shutdown as
well as critical errors.

Configuring DHCP
As you study this section, answer the following questions:

What is a scope?
How can you change the subnet on a scope?
What two security features must be enabled for a DHCP server to function
correctly?

After finishing this section, you should be able to complete the following tasks:

Install DHCP and create a simple scope.
Authorize a DHCP Server.

This section covers the following exam objectives:

101. Configure TCP/IP addressing on a server computer.
o Manage DHCP.

DHCP Authorization
Be aware of the following facts about DHCP server authorization.

Authorization is required if you are using Active Directory; no authorization is
required, however, for a standalone server.
When you authorize a DHCP server, its IP address is added to a list of authorized
DHCP servers maintained in Active Directory.
When a DHCP server starts, its IP address is compared to the Active Directory
list. If it is found, the server is allowed to issue IP addresses. If it is not found, the
server is not allowed to issue IP addresses, and the server does not respond to
DHCP requests.
Only Windows 2000 or Windows 2003 servers check for authorization.
You can authorize a server before DHCP is installed.
Rogue DHCP servers running other operating systems (like Unix, NetWare, or
Windows NT) do not check for authorization before assigning addresses.
A Windows DHCP server checks for authorization when it boots and reauthorizes
every five minutes.
You must be a member of the Enterprise Admins group to authorize a server.
In some cases, when you install DHCP on a domain controller, it will be
authorized automatically.
When you install DHCP, the server is added automatically to the DHCP console
on the local machine. When it is installed on another machine, you must add it
manually to the local DHCP console.

Managing Scopes
As you study this section, answer the following questions:

What are the two ways to exclude IP addresses from a scope?
What information is necessary to configure a reservation?
What is the difference between a reservation and a manual IP assignment?

After finishing this section, you should be able to complete the following tasks:

Create and activate scopes.
Configure exclusion ranges and reservations.

This section covers the following exam objectives:

101. Configure TCP/IP addressing on a server computer.
o Manage DHCP scope options.

Scope Facts
You should know the following facts about DHCP scopes:

Use exclusions to prevent the DHCP server from assigning certain IP addresses.
For example, exclude any IP addresses for devices that are not DHCP clients.
Use reservations to make sure a client gets the same IP address each time from the
DHCP server. The reservation associates the MAC address with the IP address the
client should receive. For example, use a reservation for servers and printers to
keep their IP addresses consistent while still assigning the addresses dynamically.
When using reservations, do not exclude the addresses you want to assign.
To change the subnet mask used by a scope, you must delete and recreate the
scope. You cannot selectively change the subnet mask in an existing DHCP scope.
The scope must be activated before the DHCP server will assign addresses to
clients.

Configuring DHCP Options

As you study this section, answer the following questions:

What is a DHCP option?
What is the benefit of using options?
What are some common options?
What is the order of precedence between all of the different option levels?

After finishing this section, you should be able to complete the following tasks:

Configure server, scope, and user/vendor class options.
Design DHCP options to customize configuration and minimize administration.

This section covers the following exam objectives:

101. Configure TCP/IP addressing on a server computer.
o Manage DHCP.
o Manage DHCP scope options.

DHCP Option Facts

Through DHCP, you can deliver a wide range of TCP/IP configuration parameters (not
just the IP address and mask). Additional parameters are delivered by configuring DHCP
options. Options can be set at the following levels:

Server. Options set on the server are delivered to all clients of that DHCP server.
Scope. Options set on the scope are delivered to all computers that obtain an IP
address from within the scope.
Class. A class defines a group of computers that share common characteristics.
For example, the vendor class can be used to deliver options to Microsoft
Windows clients. Class options are delivered to all computers within the class.
Reserved client. Options set on a reservation are delivered to the specific client.

Options are applied in the order listed above. If conflicting settings are delivered, the last
parameters delivered will take precedence over the previous settings.
Common options include:

003 Router, the IP address of the default router (the default gateway)
006 DNS Servers, the IP address of DNS server or servers
015 DNS Domain Name, the domain that the client belongs to; used to update
DNS server
044 WINS/NBNS Servers, the IP address of WINS server or servers
046 WINS/NBT Node Type, controls the order in which a client uses NetBIOS
name servers
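
The following Python example is added here to show the precedence rule above in action; it is not part of the original study guide. It merges options set at the server, scope, class and reserved-client levels in that order, so that a later level overrides an earlier one, and records which level supplied each final value. The option values are constructed and the addresses hypothetical.

```python
# Option codes named on this page, with the meaning the guide gives them.
OPTION_NAMES = {
    3: "Router",
    6: "DNS Servers",
    15: "DNS Domain Name",
    44: "WINS/NBNS Servers",
    46: "WINS/NBT Node Type",
}

# Levels in the order they are applied; a later level overrides an earlier one.
LEVELS = ("server", "scope", "class", "reserved client")


def effective_options(server=None, scope=None, class_opts=None, reserved=None):
    """Merge the four option levels in order. Returns {code: (value, level)} so that
    a troubleshooter can see not only the final value but which level supplied it."""
    result = {}
    for level, opts in zip(LEVELS, (server, scope, class_opts, reserved)):
        for code, value in (opts or {}).items():
            result[code] = (value, level)      # later level replaces earlier setting
    return result


def explain(effective):
    """Human-readable lines, one per option, in option-code order."""
    lines = []
    for code in sorted(effective):
        value, level = effective[code]
        name = OPTION_NAMES.get(code, f"option {code}")
        lines.append(f"{code:03d} {name}: {value} (from {level})")
    return lines


# Constructed sample (hypothetical addresses): server-wide defaults, a scope for 10.1.0.0/24,
# a vendor class for Microsoft Windows clients, and a reservation for one printer.
SERVER_OPTIONS = {6: ["10.0.0.10", "10.0.0.11"], 15: "corp.example"}
SCOPE_OPTIONS = {3: "10.1.0.1", 6: ["10.1.0.10"]}
CLASS_OPTIONS = {46: 8}                      # 0x8 = hybrid (H-node) NetBIOS node type
RESERVATION_OPTIONS = {3: "10.1.0.254"}      # this one printer uses a different router

if __name__ == "__main__":
    merged = effective_options(SERVER_OPTIONS, SCOPE_OPTIONS, CLASS_OPTIONS, RESERVATION_OPTIONS)
    print("\n".join(explain(merged)))
```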

Managing the DHCP Server

As you study this section, answer the following questions:

How can you back up DHCP?
What is the purpose of conflict detection?
What is the purpose of NIC bindings?

After finishing this section, you should be able to complete the following tasks:

Back up and restore DHCP.
Move DHCP from one server to another.
Enable conflict detection.

This section covers the following exam objectives:

103. Troubleshoot DHCP.

DHCP Server Backup and Recovery

To move the DHCP service from one server to another, you must perform operations on
the source and destination machines.

On the source machine:
1. In DHCP Console, back up DHCP. The backup includes:
   o Scopes, exclusions, and reservations.
   o DHCP configurations.
   o DHCP-related registry settings.
2. Stop and disable the DHCP service.
3. Copy the DHCP backup files to the destination machine.

On the destination machine:
1. Install DHCP.
2. Stop the DHCP service.
3. In DHCP Console, restore the DHCP backup files.
4. Verify the DHCP configuration and start DHCP.

Troubleshooting DHCP
As you study this section, answer the following questions:

What are the steps of the DORA process?
What three ways can you provide IP addresses to all clients in a routed network?
What is a rogue DHCP server? What security is present in 2003 DHCP to prevent
this?
How can you detect rogue DHCP servers?

After finishing this section, you should be able to complete the following tasks:

Detect and correct rogue DHCP server errors via client TCP/IP properties.
Troubleshoot DHCP address assignment.

This section covers the following exam objectives:

103. Troubleshoot DHCP.

DHCP Lease and Renewal Processes

A DHCP client uses the following process to obtain an IP address:
1. Lease Request. The client initializes a limited version of TCP/IP and broadcasts a
DHCPDISCOVER packet requesting the location of a DHCP server.
2. Lease Offer. All DHCP servers with available IP addresses send DHCPOFFER
packets to the client. These include the client's hardware address, the IP address
the server is offering, the subnet mask, the duration of the IP lease, and the IP
address of the DHCP server making the offer.
3. Lease Selection. The client selects the IP address from the first offer it receives
and broadcasts a DHCPREQUEST packet requesting to lease the IP address in
that offer.
4. IP Lease Acknowledgment. The DHCP server that made the offer responds and all
other DHCP servers withdraw their offers. The IP addressing information is
assigned to the client and the offering DHCP server sends a DHCPACK
(acknowledgement) packet directly to the client. The client finishes initializing
and binding the TCP/IP protocol.
Part of the IP address lease includes a lease duration (or the amount of time the client can
use the IP address it has been allocated). Periodically, DHCP clients try to renew their IP
address with the DHCP server. Microsoft clients use the following rules when renewing
leases:

When the lease time reaches 50%, the client tries to renew its lease with the
DHCP server. It sends a DHCPREQUEST unicast message to the DHCP server
requesting a lease renewal. If the DHCP server does not respond, it continues to
use the IP address.
When the lease time reaches 87.5%, the client sends a DHCPREQUEST unicast
message to renew the lease. If the DHCP server does not respond, it continues to
use the IP address.
When the lease time expires, the client broadcasts a DHCPREQUEST message to
renew the lease.
When the client boots, it broadcasts a DHCPREQUEST message to renew the
lease.
If the server sends a negative acknowledgement (a DHCPNAK packet) during
any renewal attempt, the client must reinitialize TCP/IP and restart the DHCP
lease at the beginning.
Enable BootP forwarding on routers to ensure that lease request broadcast packets
are forwarded through the routers.

The following table summarizes the packets exchanged between DHCP clients and
servers.

Message / Description

DHCPDISCOVER
  Sent from client to server or servers to ask for an IP address. Used when the client
  starts or cannot renew its current lease.

DHCPREQUEST
  Requests a specific new IP address or renewal of the client's current IP address. Used
  to select one lease offer from among multiple offers or to confirm a previous address
  lease.

DHCPOFFER
  Offers to lease an IP address to a client when it starts on the network. The client can
  receive multiple offers from multiple DHCP servers but usually selects the first.

DHCPACK
  Sent from server to client to acknowledge and complete a client's requested address
  lease. Contains IP address, lease duration, and possibly other parameters.

DHCPNAK
  Sent from server to a client when the requested IP address is not available (negative
  acknowledgement).

DHCPDECLINE
  Used by a client to decline the offer of an IP address because of a potential conflict.

DHCPRELEASE
  Sent from client to server to release an IP address. Used to cancel a currently active
  lease. Cancellation can be done manually with the Ipconfig /release command.

DHCPINFORM
  Used by a computer to obtain information from a DHCP server for use in its local
  configuration. Used when the sender already has an IP address, possibly not from DHCP.

Troubleshooting DHCP

For a Windows 2003 Server DHCP server to deliver IP addresses, the following
conditions must be met:

The server must be authorized.
The DHCP service must be running (the DHCP server is started).
The scope must be started.
There must be IP addresses in the scope that are free to be assigned, or a
reservation for the client must be defined.
The client must be configured to receive its IP address from the DHCP server.

One useful tool for troubleshooting and fixing DHCP lease problems is Ipconfig. The
following table lists the command switches useful in troubleshooting DHCP.

Command / Use

Ipconfig /all
  View TCP/IP configuration including the IP address, mask, default gateway, and any
  other DHCP-delivered parameters. In addition, the command shows the IP address of the
  DHCP server from which configuration information was received.

Ipconfig /renew
  Renew DHCP configuration for specific or multiple adapters.

Ipconfig /release
  Releases DHCP configuration and discards IP address configuration for specific or
  multiple adapters.

An IP address in the 169.254.0.0 range indicates that the client could not contact
the DHCP server and has used APIPA to assign itself an address.
You should recognize the following symptoms of a rogue server:

Incorrect IP configuration information.
Duplicate addresses assigned.
Ipconfig /all shows the DHCP server address incorrectly.
DHCPNAK messages at the client during lease renewal.

If the client has an address from the wrong server, remove the rogue server, then run
Ipconfig /release followed by Ipconfig /renew.
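
The following Python example is added here to tie together the DHCP message table and the rogue-server symptoms above; it is not part of the original study guide. It decodes the fixed BOOTP header and the option field of a DHCP message (message type in option 53, server identifier in option 54, lease time in option 51, router in option 3), and then reports any DHCPOFFER, DHCPACK or DHCPNAK whose server identifier is not on a list of known, authorized servers, which is the same check you would make against a Network Monitor capture when Ipconfig /all shows an unexpected DHCP server. The two frames and the authorized-server list are constructed; the addresses are hypothetical.

```python
import struct
import ipaddress

# DHCP message types carried in option 53 (the table above, in wire order).
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field


def build_message(op, xid, chaddr, yiaddr="0.0.0.0", siaddr="0.0.0.0", options=()):
    """Assemble a BOOTP/DHCP frame payload (used here only to construct test input)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0x8000,     # htype=Ethernet, hlen=6, broadcast flag
                         b"\0" * 4,                       # ciaddr
                         ipaddress.IPv4Address(yiaddr).packed,
                         ipaddress.IPv4Address(siaddr).packed,
                         b"\0" * 4,                       # giaddr
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + b"\xff"


def parse_message(raw):
    """Decode the fixed header and the TLV options of one DHCP message."""
    if len(raw) < 240 or raw[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", raw[:12])
    options = {}
    i = 240
    while i < len(raw):
        code = raw[i]
        if code == 0:                 # pad option, no length byte
            i += 1
            continue
        if code == 255:               # end option
            break
        length = raw[i + 1]
        options[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MESSAGE_TYPES.get(options[53][0]) if 53 in options else None
    return {
        "op": op,
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(raw[16:20])),   # address being offered/assigned
        "chaddr": raw[28:28 + hlen].hex(":"),                # client hardware address
        "type": msg_type,
        "server_id": str(ipaddress.IPv4Address(options[54])) if 54 in options else None,
        "lease_seconds": struct.unpack("!I", options[51])[0] if 51 in options else None,
        "router": str(ipaddress.IPv4Address(options[3][:4])) if 3 in options else None,
    }


def find_unauthorized_servers(frames, authorized):
    """Return (type, server id, offered address, client MAC) for every server-originated
    message whose server identifier (option 54) is not in the authorized list."""
    authorized = {str(ipaddress.IPv4Address(a)) for a in authorized}
    findings = []
    for raw in frames:
        msg = parse_message(raw)
        if msg["type"] in ("DHCPOFFER", "DHCPACK", "DHCPNAK") and msg["server_id"] not in authorized:
            findings.append((msg["type"], msg["server_id"], msg["yiaddr"], msg["chaddr"]))
    return findings


# Constructed sample: the authorized server and a second, unknown server both answer the
# same DHCPDISCOVER (same xid) from client 00:11:22:33:44:55.
AUTHORIZED_SERVERS = ["10.1.0.2"]
CLIENT_MAC = bytes.fromhex("001122334455")
SAMPLE_FRAMES = [
    build_message(2, 0x3903F326, CLIENT_MAC, yiaddr="10.1.0.50", siaddr="10.1.0.2", options=[
        (53, b"\x02"),                                        # DHCPOFFER
        (54, ipaddress.IPv4Address("10.1.0.2").packed),       # server identifier
        (51, struct.pack("!I", 691200)),                      # 8-day lease
        (3, ipaddress.IPv4Address("10.1.0.1").packed),        # option 003 Router
    ]),
    build_message(2, 0x3903F326, CLIENT_MAC, yiaddr="192.168.88.20", siaddr="192.168.88.1", options=[
        (53, b"\x02"),
        (54, ipaddress.IPv4Address("192.168.88.1").packed),
        (51, struct.pack("!I", 3600)),
        (3, ipaddress.IPv4Address("192.168.88.1").packed),
    ]),
]

if __name__ == "__main__":
    for finding in find_unauthorized_servers(SAMPLE_FRAMES, AUTHORIZED_SERVERS):
        print("unauthorized DHCP server:", finding)
```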
DNS Concepts
As you study this section, answer the following questions:

What is the purpose of DNS?
What are the steps in the client name resolution process?
What are the steps in a DNS server's name resolution process?
What is the purpose of subdomains?
Is a zone the same thing as a domain?

After finishing this section, you should be able to complete the following tasks:

Identify the major components of DNS name resolution.
Explain the DNS name resolution process.
Create and manage DNS zones.

DNS Name Resolution Process

You should be familiar with the DNS name resolution process:
1. When a DNS name resolution request is forwarded to a DNS server, the DNS
server examines its local DNS cache for the IP address.
2. If the IP address is not in the DNS server's cache, it checks its Hosts file. (Since
the Hosts file is a static text file, it is not commonly used.)
3. If the DNS server is not authoritative and configured for forwarding, the DNS
server forwards the request to a higher-level DNS server.
4. If the DNS server cannot forward the request, or if forwarding fails, the DNS
server uses its Root Hints file (also known as Cache.dns). The Root Hints file lists
the 13 root DNS servers.
5. The root DNS server responds with the address of a com, edu, net, or other DNS
server type (depending on the request).
6. The DNS server forwards the request to the high-level DNS server, which can
respond with a variety of IP addresses.
You should know the following facts about DNS:

DNS translates a hostname to an IP address.
The DNS hierarchy is made up of the following components:
o . (dot) domain (also called the root domain)
o Top Level Domains (TLDs) (.com, .edu, .gov)
o Domains
o Hosts
A fully qualified domain name (FQDN) must include the name of the host and the
domain, not just the domain.
A forward lookup uses the host name (or the FQDN) to find the IP address.
A reverse lookup uses the IP address to find the host name (or FQDN).
A DNS server can forward a DNS request to an upstream DNS server if it cannot
resolve a host name to an IP address.
An authoritative server is a DNS server that has a full, complete copy of all the
records for a particular domain.
A caching-only DNS server has no zone information; it is not authoritative for any
domains.
The Root Hints file (also called the Cache.DNS file) lists the 13 root DNS servers.
A DNS server uses the Root Hints file to forward a request to a Root DNS server
as a last resort to resolve a host name to an IP address.
A Root DNS server refers DNS servers to .com or .edu or .gov level DNS servers.
Recursion is the process by which a DNS server or host uses root name servers
and subsequent servers to perform name resolution. Most client computers do not
perform recursion, rather they submit a DNS request to the DNS server and wait
for a complete response. Many DNS servers will perform recursion.

Configuring DNS
As you study this section, answer the following questions:

What is a zone?
What is the difference between a standard primary and secondary zone?
How do standard primary and secondary zones differ from Active Directory-integrated zones?
What is the difference between a zone and a domain?
What is a reverse lookup zone?

After finishing this section, you should be able to complete the following tasks:

Install the DNS service.
Configure a DNS server with standard primary or secondary forward or reverse
lookup zones.

This section covers the following exam objectives:

201. Install and configure the DNS Server service.
202. Manage DNS.

Zone Types

The table below lists the types of DNS zones:

Zone Type / Description

Standard primary
  Host name-to-IP address name resolution.
  Data is stored in a flat text file.
  Read-write copy of the data.

Standard secondary
  Host name-to-IP address name resolution.
  Data is copied from another DNS server.
  Read-only copy of the data.

Reverse lookup
  IP address-to-host name resolution.
  Can be both primary and secondary zones.

Active Directory-integrated
  Data is stored in Active Directory.
  Data is shared between domain controllers.
  Data is read-write on all servers with the data.
  Provides automatic replication, fault tolerance, and distributed administration of
  DNS data.

You should also know the following facts about zones:

To configure reverse lookup for a subnetted IP network, enable the Advanced
view in the DNS console.
Reverse lookup zones for IPv6 addresses should be created in the ip6.arpa
namespace.
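
The following Python example is added here to make the reverse lookup facts concrete; it is not part of the original study guide. It builds the PTR owner name for an IPv4 address (in-addr.arpa, octets reversed) and for an IPv6 address (ip6.arpa, one label per hex nibble, reversed), derives the reverse zone name for a network, and rejects an IPv4 prefix that does not fall on an octet boundary, which is the subnetted case the DNS console handles through the Advanced view. The sample addresses are constructed.

```python
import ipaddress


def reverse_name(address):
    """PTR owner name for an IPv4 (in-addr.arpa) or IPv6 (ip6.arpa, one label per nibble) address."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")          # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_name(network):
    """Name of the reverse lookup zone that holds PTR records for a network.
    Raises ValueError for an IPv4 prefix that is not on an octet boundary (a subnetted
    network) or an IPv6 prefix that is not on a nibble boundary."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError(f"/{net.prefixlen} is not on an octet boundary")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} is not on a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def belongs_to_zone(address, zone_name):
    """True when the PTR name for address falls inside the given reverse zone."""
    return reverse_name(address).endswith("." + zone_name)


if __name__ == "__main__":
    # Constructed sample addresses and networks.
    for addr in ("192.168.1.10", "2001:db8::1"):
        print(addr, "->", reverse_name(addr))
    for net in ("10.1.0.0/16", "2001:db8::/32"):
        print(net, "zone:", reverse_zone_name(net))
    print(belongs_to_zone("10.1.5.9", "1.10.in-addr.arpa."))
```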

Managing DNS Records

As you study this section, answer the following questions:

What are the seven most common resource records?
What three kinds of servers receive NS records?
What records are used to identify and locate domain controllers?
What is round robin DNS?

After finishing this section, you should be able to complete the following tasks:

Create, track, and manage the seven most common resource records.
Troubleshoot resource records using the Netlogon service.

This section covers the following exam objectives:

202. Manage DNS.
o Manage DNS record settings.

Common Resource Records

The table below lists the most common resource records.

Record Type / Use

A (host address)
  The A record maps a DNS host name to an IP address. This is the most common resource
  record type.

CNAME (canonical name)
  The CNAME record provides alternate names (or aliases) to hosts that already have an
  A record.

MX (Mail Exchanger)
  The MX record identifies servers that can be used to deliver mail.

NS (name server)
  The NS resource record identifies all name servers that can perform name resolution
  for the zone. Typically, there is an entry for the primary server and all secondary
  servers for the zone.

PTR (pointer)
  In a reverse lookup zone, the PTR record maps an IP address to a host name (i.e., it
  "points" to an A record).

SOA (Start of Authority)
  The first record in any DNS database file is the SOA. It defines the general
  parameters for the DNS zone. The SOA record includes parameters such as the
  authoritative server and the zone file serial number.

SRV (service locator)
  The SRV record is used by Windows 2003 to register network services. This allows
  clients to find services (such as domain controllers) through DNS. Windows 2003
  automatically creates these records as needed.

Dynamic DNS Updates

As you study this section, answer the following questions:

How does dynamic DNS differ from standard DNS?
How do you enable dynamic updates on a DNS server?
What are secure dynamic updates?
How can DHCP be used to help the dynamic update process?

After finishing this section, you should be able to complete the following tasks:

Configure DNS servers and clients for dynamic updates.
Configure a DHCP server to proxy dynamic updates.

This section covers the following exam objectives:

201. Install and configure the DNS Server service.
202. Manage DNS.

Dynamic DNS Facts

For a Windows 2000/XP/2003 client, the following process is used to dynamically update
the DNS database.
1. The client boots and receives an IP address from the DHCP server.
2. The client sends a DNS update request to update the forward lookup record.
3. The DHCP server sends an update request to update the reverse lookup record.
For non-dynamic update clients, the DHCP server sends both the forward and reverse
lookup updates. You can also configure the DHCP server to perform both tasks for
Windows clients.

To enable dynamic updates, use the following steps:

1. On the Windows DNS server, open the Zone Properties dialog box and enable
dynamic updates.
2. In the TCP/IP Properties of the client, make sure dynamic DNS is enabled
(enabled is the default setting).
Note: You may also need to enable dynamic updates on the DHCP server if you're doing
dynamic updates by proxy.
You should know the following facts about secure dynamic DNS:

Secure dynamic updates are only available for Active Directory-integrated zones.
To use secure DDNS, a client must be a member of the same Active Directory
domain as the DDNS server.
Only the original client can alter or remove records when using secure DDNS.

Configuring DNS Clients

As you study this section, answer the following questions:

What is the purpose of listing multiple DNS IP addresses on the client?
What is a primary suffix?
What is a connection-specific suffix?
What is a parent suffix?
What is the suffix search order?

After finishing this section, you should be able to complete the following tasks:

Identify the primary suffix using System Properties.
Configure a connection-specific suffix using advanced TCP/IP properties.
Specify a suffix search order.

This section covers the following exam objectives:

201. Install and configure the DNS Server service.
o Configure DNS server options.
202. Manage DNS.

DNS Client Settings

DNS uses fully qualified domain names (FQDN) to identify a computer. FQDNs are
composed of the host name and the domain name (also called a suffix). Windows client
computers can be identified using two different DNS suffixes:

Primary suffix, set through the System properties.
Connection-specific suffix, configured through the TCP/IP properties for the
network adapter.

With dynamic DNS, client computers can update the DNS database with their host name.
Keep in mind the following facts about client dynamic updates:

By default, Windows 2000/XP/2003 clients register their DNS name with the
DNS server.
In the TCP/IP properties, Advanced settings, DNS tab, the Register this
connection's addresses in DNS setting controls whether the client dynamically
registers its name with DNS.
With dynamic DNS enabled on the client, the computer will register its full DNS
name from the configuration on the Network Identification tab of the System
applet (using the primary suffix).
You can configure the client to register two different DNS names with the DNS
server. To do this, in the TCP/IP properties, Advanced settings, DNS tab, identify
an additional DNS suffix for the client and enable the Use this connection's DNS
suffix in DNS registration option. When enabled, the client will register its name
with the connection-specific suffix as well as the primary suffix.

You can also configure the client with custom search suffixes.

By default, when you submit a DNS query without using the fully qualified
domain name (FQDN), the client computer appends the computer's domain to the
name to perform the DNS lookup. The client will also use parent suffixes to try
the request multiple times.
Edit the Advanced TCP/IP properties to customize the search suffixes. You can
specify search suffixes outside of the parent suffixes, and modify the order in
which suffixes are used for searches.
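
As an added example (not code from the study guide), the following Python function models the name-completion order just described: primary suffix, then connection-specific suffix, then devolution through the parent suffixes of the primary suffix, or an explicit search list that replaces all of these. The host and suffix names in it are constructed; the handling of dotted names (tried as-is first) and the two-label floor for devolution are stated assumptions about the client rather than facts from this page.

```python
# Added example (not code from the study guide): the order in which a Windows
# DNS client completes an unqualified name, following the rules described
# above. The suffix values used below are constructed.

def candidate_names(name, primary_suffix="", connection_suffix="",
                    search_list=None, devolve=True, min_labels=2):
    """Return the ordered list of FQDNs the resolver would try for `name`.

    primary_suffix    : the suffix set in System Properties
    connection_suffix : the adapter's connection-specific suffix
    search_list       : a custom search list from Advanced TCP/IP properties;
                        when set it replaces the primary/connection suffixes
                        and disables devolution (assumed client behaviour)
    devolve           : try the parent suffixes of the primary suffix
    min_labels        : devolution stops before a suffix shorter than this
                        (2 keeps "example.com" but never tries bare "com")
    """
    if name.endswith("."):
        # A trailing dot marks a fully qualified name: query it unchanged.
        return [name.rstrip(".")]

    tried = []

    def add(fqdn):
        if fqdn not in tried:
            tried.append(fqdn)

    if "." in name:
        # Assumption: a dotted name such as "www.intranet" is tried as-is
        # before any suffix is appended.
        add(name)

    if search_list:
        for suffix in search_list:
            add(f"{name}.{suffix}")
        return tried

    if primary_suffix:
        add(f"{name}.{primary_suffix}")
    if connection_suffix:
        add(f"{name}.{connection_suffix}")
    if devolve and primary_suffix:
        labels = primary_suffix.split(".")
        # Strip one leading label at a time: sales.corp.example.com ->
        # corp.example.com -> example.com (stop at min_labels).
        for i in range(1, len(labels) - min_labels + 1):
            add(f"{name}.{'.'.join(labels[i:])}")
    return tried


if __name__ == "__main__":
    for fqdn in candidate_names("fileserver", "sales.corp.example.com", "lab.example.net"):
        print(fqdn)
```

Run it with a name and your own suffixes to see which queries the client would send and in which order; the order matters when an earlier suffix resolves the name to a host you did not intend.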

Active Directory-integrated Zones

As you study this section, answer the following questions:

What are some of the benefits of Active Directory-integrated (AD-I) zones?
How do AD-I zones integrate with other zone types such as primary or secondary?
What are the four replication scopes of an AD-I zone?
How do AD-I zones integrate with non-Microsoft DNS?
How do you configure zone transfer with standard vs. AD-I zones?

After finishing this section, you should be able to complete the following tasks:

Configure an Active Directory-integrated zone.
Configure replication scopes.
Disable zone transfers for AD-I zones.
Enable secure dynamic updates.

This section covers the following exam objectives:

201. Install and configure the DNS Server service.
o Configure DNS zone options.
202. Manage DNS.
o Manage DNS zone settings.

AD-Integrated Zone Facts

Using Active Directory to manage zone information has the following advantages:

No single point of failure. Changes are made to multiple rather than individual servers.
Fault tolerance. Each host server maintains up-to-date zone information.
Single replication topology. Zone transfers occur through Active Directory replication.
Secure dynamic updates. Only authorized computers can update dynamically.
Simplified management. Any authorized computer can initiate changes to the zone file (not just the primary server).

In Windows 2000, all DNS data is replicated with all domain controllers. With 2003, you have the following options:

Replication Option      Where data is replicated
2000 Default            All domain controllers in a domain receive the information whether or not they have DNS installed.
DomainDNSZones          All domain controllers with DNS in the domain receive the information.
ForestDNSZones          All domain controllers with DNS in the forest receive the information. (Used most effectively when you have very important records that need to be available throughout the forest.)
Application Partitions  All domain controllers within the application partition. By using an application partition, you can customize which domain controllers will receive the DNS data.

Delegating Domains

As you study this section, answer the following questions:

What is domain delegation?
When would you need to delegate a domain?
What records are created when you delegate a domain?

After finishing this section, you should be able to complete the following tasks:

Delegate domains.

This section covers the following exam objectives:

201. Install and configure the DNS Server service.
202. Manage DNS.

Managing Root Zones and Hints

As you study this section, answer the following questions:

What is the name resolution order for a DNS server?
Why would you want to create a zone named . (dot)?
What is the purpose of the root hints file?
Why would you delete the root hints?
What is the name and location(s) of the root hints file on a Windows 2003 server?

After finishing this section, you should be able to complete the following tasks:

Configure or delete a root zone.
Configure other DNS servers to point to your server via root hints.
Replace a missing or corrupt root hints file.

This section covers the following exam objectives:

201. Install and configure the DNS Server service.
202. Manage DNS.

Root Hint Facts

Keep in mind the following facts regarding root hints.

The Cache.dns file holds the 13 root hint addresses for the Internet root servers.
The Cache.dns file can be found in two locations:
o %SystemRoot%\system32\dns\Cache.dns (the copy in use)
o %SystemRoot%\system32\dns\backup\Cache.dns (the copy reserved in the backup location)
If you have a root zone configured on a DNS server, the server will act as a root zone server.
A DNS server configured as a root zone server will never use the root hints file (Cache.dns). It considers itself authoritative. Consequently, the server won't access the Internet to forward DNS queries.
If you want the DNS server to access the Internet, delete the root zone in the DNS Console.
You can configure root hints through the properties of a DNS server or by configuring the DNS server's Cache.dns file. If the server is configured to load data from Active Directory, you must configure root hints using the DNS snap-in because the local Cache.dns is not used (the root hints data is stored in AD).

Stub Zones and Forwarding

As you study this section, answer the following questions:

What configuration options do you have to control and manage name resolution?
How does conditional forwarding differ from standard forwarding?
How does a stub zone differ from a secondary zone?
How do conditional forwarders differ from stub zones?

After finishing this section, you should be able to complete the following tasks:

Configure forwarding and conditional forwarding.
Configure a stub zone.

This section covers the following exam objectives:

201. Install and configure the DNS Server service.
o Configure DNS zone options.
202. Manage DNS.
o Manage DNS zone settings.

Stub Zones and Forwarding Facts

You should know the following facts about DNS performance:

A stub zone holds copies of the following DNS record types:
o NS records for all DNS servers (primary and secondary).
o SOA record for the primary server.
o DNS A records (also called glue records) for the DNS servers.
A stub zone is dynamic. It will update itself with changes.
Use a stub zone to provide quick access to the name server list and to provide a method of keeping the name server list updated without replicating zone data.
Conditional forwarding allows DNS queries to be forwarded to specific DNS servers that have specific zones.
Conditional forwarding is static. You set up an IP address which handles a specific type of query.
Conditional forwarding must be updated when changes to forwarders are made.
If a DNS server is configured to use forwarders, you can disable recursion on the DNS server. This means the server submits requests to the forwarder and waits for a response.
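
To make the stub zone record set concrete, here is an added example (not from the study guide) that takes the full record list of a constructed zone, corp.example.com, and keeps only what a stub zone would hold: the SOA, the NS records, and the A (glue) records for name servers whose names lie inside the zone. The zone text, names and addresses are constructed, and the parser handles only the simple one-record-per-line layout shown.

```python
# Added example (not from the study guide): derive the records a stub zone
# keeps from the full record set of a zone. The sample zone is constructed.

from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    rdata: str

# Constructed zone for corp.example.com in "name class type rdata" layout.
SAMPLE_ZONE = """\
corp.example.com.       IN SOA  dns1.corp.example.com. hostmaster.corp.example.com. 2024051501 900 600 86400 3600
corp.example.com.       IN NS   dns1.corp.example.com.
corp.example.com.       IN NS   dns2.corp.example.com.
corp.example.com.       IN NS   ns.provider.example.net.
dns1.corp.example.com.  IN A    10.1.0.10
dns2.corp.example.com.  IN A    10.1.0.11
www.corp.example.com.   IN A    10.1.0.80
corp.example.com.       IN MX   10 mx.corp.example.com.
mx.corp.example.com.    IN A    10.1.0.25
"""

def parse_zone(text):
    """Minimal parser for one-record-per-line zone text (text after ';' is a comment)."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] != "IN":
            raise ValueError(f"unsupported line: {raw!r}")
        name, rtype, rdata = fields[0], fields[2], " ".join(fields[3:])
        records.append(Record(name, rtype, rdata))
    return records

def stub_zone_records(zone, records):
    """Keep only what a stub zone holds: the SOA, the NS set, and the A (glue)
    records of the name servers whose names fall inside the zone."""
    soa = [r for r in records if r.name == zone and r.rtype == "SOA"]
    ns = [r for r in records if r.name == zone and r.rtype == "NS"]
    # Glue is only needed (and only present) for servers named inside the zone;
    # an out-of-zone server such as ns.provider.example.net is resolved normally.
    in_zone_servers = {r.rdata for r in ns if r.rdata.endswith("." + zone)}
    glue = [r for r in records if r.rtype == "A" and r.name in in_zone_servers]
    return soa + ns + glue

def stub_size_saving(records, stub):
    """How many records the stub zone avoids copying compared with a secondary."""
    return len(records) - len(stub)

if __name__ == "__main__":
    full = parse_zone(SAMPLE_ZONE)
    for r in stub_zone_records("corp.example.com.", full):
        print(f"{r.name:26} {r.rtype:4} {r.rdata}")
```

The www, MX and mail-server A records never reach the stub zone; only the name-server list and the glue needed to reach those servers do, which is the whole point of choosing a stub zone over a secondary.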

Zone Transfers

As you study this section, answer the following questions:

What is zone transfer?
What is the difference between AXFR and IXFR?
How do primary and secondary zones share zone data with other DNS servers?
What are the advantages of AD-I zones in relation to zone transfers?

After finishing this section, you should be able to complete the following tasks:

Configure a caching only server.
Configure, manage, and troubleshoot zone transfers.
Enable zone transfers to named and listed servers.

This section covers the following exam objectives:

202. Manage DNS.
203. Monitor DNS. Tools might include System Monitor, Event Viewer, Replication Monitor, and DNS debug logs.

Zone Transfer Facts

Replication through standard zones takes place through zone transfers. Secondary servers contact their master servers for new zone information. You should know the following facts about zone transfers:

The zone serial number is modified when changes are made to the zone file.
Zone transfer is initiated when a secondary server checks the master server and finds an incremented zone serial number.
Zone transfer notification occurs when the master server contacts the secondary server when changes have been made.
By default, a DNS server replicates the entire zone database (called a full zone transfer or AXFR).
A partial zone transfer, in which only the changed information is replicated, is also called an incremental zone transfer or IXFR.
To initiate a manual transfer, increment the serial number first. Otherwise, no transfer will occur (a transfer only occurs when the serial number has changed).
You can improve DNS performance by placing multiple DNS servers on your network. For example, you can place a secondary server on the other side of a WAN link to reduce WAN traffic caused by name resolution. However, zone replication traffic must still cross the WAN link.
A caching only server runs DNS but has no zones configured. Use a caching only server to improve performance while eliminating zone transfers.
An Active Directory-integrated zone stores DNS information in Active Directory rather than in a zone file. Zone information is copied automatically when AD replicates.
If a zone is Active Directory-integrated and has no secondary servers, you can disable zone transfers. Zone data will continue to be replicated through Active Directory.
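
The serial-number check that decides whether a transfer happens, as an added example (not from the study guide). It uses the 32-bit serial arithmetic of RFC 1982 instead of a plain integer comparison, so it also handles a serial that has wrapped past 2^32 - 1, and it includes a helper for bumping a YYYYMMDDnn-style serial before a manual transfer. The serial values are constructed; the AXFR/IXFR choice is a parameter because the page states AXFR as the default.

```python
# Added example (not from the study guide): the secondary's serial check
# against its master, using RFC 1982 serial arithmetic, and a helper for
# incrementing a YYYYMMDDnn serial. All serial values here are constructed.

SERIAL_MASK = 0xFFFFFFFF
HALF_RANGE = 1 << 31

def serial_gt(a, b):
    """True if serial a is newer than serial b (RFC 1982 comparison).

    A plain a > b breaks once a serial wraps from 2**32 - 1 back to 0; the
    half-range rule treats the numerically smaller value as newer in that case.
    """
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    return (a < b and b - a > HALF_RANGE) or (a > b and a - b < HALF_RANGE)

def transfer_decision(secondary_serial, master_serial, ixfr_supported=False):
    """What the secondary does after reading the master's SOA.

    Nothing is transferred unless the master's serial is newer. By default the
    whole zone is copied (AXFR); an incremental transfer (IXFR) happens only
    when both sides support it.
    """
    if not serial_gt(master_serial, secondary_serial):
        return "no transfer"          # equal or older serial: nothing to do
    return "IXFR" if ixfr_supported else "AXFR"

def next_serial(current, today_yyyymmdd):
    """Bump a serial before a manual transfer, keeping the YYYYMMDDnn convention.

    If today's first slot would not be newer than the current value (several
    edits in one day, or a hand-typed serial that ran ahead), fall back to
    current + 1 so the secondaries still see a change.
    """
    candidate = int(today_yyyymmdd) * 100
    if serial_gt(candidate, current):
        return candidate
    return (current + 1) & SERIAL_MASK

if __name__ == "__main__":
    print(transfer_decision(2024051501, 2024051501))   # no transfer
    print(transfer_decision(2024051501, 2024051502))   # AXFR
    print(next_serial(2024051699, "20240516"))         # 2024051700
```

A secondary whose serial is accidentally higher than the master's (for example after the zone file was restored from an old backup on the master) will report "no transfer" forever; next_serial on the master is the fix the page describes, incrementing before the manual transfer.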

Normally, zone transfers happen automatically at periodic intervals. You can force an update of zone data through the DNS console or by using the Dnscmd command. The following table lists some actions you can take to refresh zone data manually.

DNS Console Action    Dnscmd Option        Result
Reload                Dnscmd /ReloadZone   The server reloads zone data from its local copy (it reads the data back in from the zone file on the hard disk).
Transfer from Master  Dnscmd /Refresh      Initiates a normal zone transfer. The DNS server compares its version number with the version of the zone master. If the version numbers are the same, no zone transfer takes place.
Reload from Master    N/A                  The DNS server dumps its copy of the data and reloads the entire data from the master server.

To force a zone transfer, you can either update the serial number on the master server and then transfer the data from the master, or you can simply reload the data from the master.

Designing DNS

As you study this section, answer the following questions:

When using internal and external DNS, what are the three possible scenarios for the DNS namespace?
What are the advantages and disadvantages of each of the three methods?
What are the four goals of any split namespace design?

After finishing this section, you should be able to complete the following tasks:

Implement a split-brain DNS solution.
Design and manage a DNS solution.

DNS Design Guidelines

Keep in mind the following facts about DNS namespace design:

Active Directory requires DNS.
A split-brain DNS solution allows you to run internal DNS and external DNS that don't communicate with one another. This helps to maintain internal security.
Following are three split-brain DNS configuration options:
o Set up the same DNS name internally and externally.
o Set up different DNS names internally and externally.
o Set up the internal DNS as a subdomain of the external DNS.
The purpose of a split-brain DNS solution is to:
o Allow external clients to access only external resources.
o Allow internal clients to access all resources.

The table below lists the split-brain DNS configurations.

Split-brain DNS Configuration                        Implementation
Same Internal and External DNS Names                 Set both DNS servers as primary to prevent zone transfer traffic. Allow internal client access to external resources by copying external resource records to the internal DNS server.
Different Internal and External DNS Names            To allow internal clients to access external resources, set up a forwarder, either a regular forwarder or a conditional forwarder.
Internal DNS Name as Subdomain of External DNS Name  One possible advantage is that you can run separate DNS infrastructures (e.g., an external Unix infrastructure and an internal Microsoft infrastructure). One danger is that outside queries could include the internal namespace. Use the firewall to block these types of queries. Set up a forwarder to allow internal clients to access external resources.

DNS Solutions

You have a wide variety of tools to help you in designing a DNS solution. The following table lists various zone types and configuration options and when to use each.

Solution                          Use
Primary zone                      Select a primary zone to manage zone data on non-domain controllers or non-Windows DNS servers.
Secondary zone                    Select a secondary zone to copy read-only zone data from another server. For example, your Windows server can be a secondary server to a non-Windows server, or a non-Windows server can be a secondary server to an Active Directory-integrated zone. Secondary zone servers accomplish three tasks: 1. Fault tolerance; 2. Load balancing; 3. Reduce name resolution traffic over WAN links.
Reverse lookup zone               Use a reverse lookup zone to find the host name for a given IP address. For example, use a reverse lookup zone if you need to identify the host name of clients who connect to a server or services. Following are reasons to set up reverse lookup zones: to use Nslookup by using the IP address; to use IP filtering in IIS; to accommodate applications that rely on reverse lookups.
Active Directory-integrated zone  Use when you have DNS servers that are also domain controllers. AD-I zones allow multi-master updates to the DNS database, automatically replicate data through Active Directory (rather than conventional DNS zone replication), secure zone updates, and allow secure dynamic client registration.
Caching only server               Use to reduce DNS name resolution traffic over WAN links without the zone transfer traffic.
Zone delegation                   Use to subdivide a zone into multiple zones. This allows other administrators to manage parts of your name space.
Forwarders                        Use to send DNS queries to other servers when the current server does not hold the data.
Conditional forwarding            Use to forward DNS queries based on the domain name characteristics. Without conditional forwarding, all requests are forwarded to the same servers. With conditional forwarding, requests are forwarded based on the domain name.
Stub zone                         Use when you need to automatically update lists of name servers for a domain but do not want to replicate zone data.
Root zone                         Use to make your DNS server authoritative for the entire name space. For example, you can configure a root zone to prevent name queries from being forwarded to the Internet root zone servers.
Root hints                        Root hints point to the root zone servers. Normally root hints point to the Internet root zone servers. If you have a custom root zone, make sure root hints on internal servers point to your root zone servers.
Dynamic DNS                       Use to allow clients to update DNS records.
Secure updates                    Use to prevent unauthorized changes to dynamically-created DNS records. When enabled, only domain members can register DNS records, and only the same computer can modify those records. Secure updates are available only on Active Directory-integrated zones.

Troubleshooting DNS

As you study this section, answer the following questions:

What are some of the troubleshooting tools available for DNS?
How does using Ipconfig /registerdns differ from restarting the Netlogon service?
How does Nslookup differ from Dnscmd?

After finishing this section, you should be able to complete the following tasks:

Effectively use Ipconfig with all available switches.
Restart Netlogon to force re-registration of SRV records.
Use Nslookup to list various resource record types.

This section covers the following exam objectives:

203. Monitor DNS. Tools might include System Monitor, Event Viewer, Replication Monitor, and DNS debug logs.
502. Troubleshoot connectivity to the Internet.

DNS Troubleshooting Tools

You should know how to use the tools listed in this table:

Tool             Use
Nslookup         Use the Nslookup tool to perform DNS name resolution. Enter the name of the host, and Nslookup performs DNS queries to report the host's IP address.
Dnscmd           Dnscmd displays the properties of DNS servers, zones, and resource records. You can also use Dnscmd to modify these properties, create and delete zones and resource records, and force replication.
Ping             Use Ping to determine if an IP address is accessible. If you can ping an IP address, try to ping the logical name of the host. If the logical name test fails, you should troubleshoot the name resolution system.
Network Monitor  Use Network Monitor to analyze and monitor network traffic.
Ipconfig         You can use Ipconfig without switches to display the IP address, subnet mask, and default gateway for all adapters. However, the following switches are useful when troubleshooting DNS: /Displaydns, to display the contents of the local DNS cache; /Flushdns, to flush the local DNS cache; /Registerdns, to force a client to register its DNS information.
DNSLint          The DNSLint utility helps you to isolate and diagnose DNS problems. You must use one of the three following switches with DNSLint: /d, to perform domain name tests; /ad, to perform AD tests; /ql, to perform DNS query tests from a list.
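
An added example (not from the study guide): a small Python parser for the text that ipconfig /displaydns prints, with two checks you might run over it when troubleshooting, comparing cached A records against the addresses you expect and listing entries about to expire. The output below is constructed in that layout; the names, addresses and TTLs are made up, and the expected-address map is an assumption you would fill in for your own network.

```python
import re

# Added example (not from the study guide): parse "ipconfig /displaydns" output.
# The sample below is constructed in that layout; names and addresses are made up.
SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

         intranet.corp.example.com
         ----------------------------------------
         Record Name . . . . . : intranet.corp.example.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 3412
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 10.1.0.80

         1.0.0.127.in-addr.arpa
         ----------------------------------------
         Record Name . . . . . : 1.0.0.127.in-addr.arpa.
         Record Type . . . . . : 12
         Time To Live  . . . . : 604800
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         PTR Record  . . . . . : localhost

         update.example.net
         ----------------------------------------
         Record Name . . . . . : update.example.net
         Record Type . . . . . : 1
         Time To Live  . . . . : 59
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 203.0.113.9
"""

# "Key . . . . : value" lines; the dots are padding, not part of the key.
FIELD = re.compile(r"^\s*(?P<key>[A-Za-z() ]+?)[ .]*:\s*(?P<value>.*)$")

def parse_displaydns(text):
    """Return one dict per cached record: name, rtype (numeric), ttl, data."""
    entries, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue                      # banner, name header, separator, blank
        key, value = m.group("key").strip(), m.group("value").strip()
        if key == "Record Name":
            current = {"name": value.rstrip("."), "rtype": None, "ttl": None, "data": None}
            entries.append(current)
        elif current is None:
            continue
        elif key == "Record Type":
            current["rtype"] = int(value)
        elif key == "Time To Live":
            current["ttl"] = int(value)
        elif key.endswith("Record"):      # "A (Host) Record", "PTR Record", "CNAME Record", ...
            current["data"] = value
    return entries

def unexpected_answers(entries, expected):
    """Cached A records whose address differs from what you expect for that name.

    `expected` is a name -> address map you supply (an assumption for this
    example); a hit is a reason to run ipconfig /flushdns and check which
    server supplied the answer.
    """
    return [(e["name"], e["data"]) for e in entries
            if e["rtype"] == 1 and e["name"] in expected and e["data"] != expected[e["name"]]]

def expiring_soon(entries, within_seconds=60):
    """Names whose cached answer will be re-queried within the given window."""
    return [e["name"] for e in entries if e["ttl"] is not None and e["ttl"] < within_seconds]

if __name__ == "__main__":
    cache = parse_displaydns(SAMPLE_DISPLAYDNS)
    print(unexpected_answers(cache, {"update.example.net": "203.0.113.10"}))
    print(expiring_soon(cache))
```

On a real machine you would feed the parser the captured output of the command; the record-type numbers are the standard DNS type codes (1 = A, 12 = PTR, 5 = CNAME).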

To provide fault tolerance for DNS servers, use one of the following strategies:

Use Active Directory-integrated zones. If one DNS server goes down, zone data is still stored in Active Directory. Be sure to analyze the replication scope to make sure you have at least two servers holding the DNS data for each zone.
Create secondary zones. If the primary server goes down, you can change one of the secondary zones to the primary zone.
Back up the DNS database. If you have only one DNS server, be sure to back up the DNS database. For non-Active Directory-integrated zones, you can back up the DNS files or copy them to another location. For Active Directory-integrated zones, you must back up the system state data (because DNS is stored in Active Directory).

Configuring Remote Access

As you study this section, answer the following questions:

What are the three steps in the remote access connection process?
How can you implement a dial-up solution?
How do remote access clients get an IP address for the remote access connection?

After finishing this section, you should be able to complete the following tasks:

Configure a remote access server.
Configure addressing for remote access clients.

This section covers the following exam objectives:

402. Manage remote access.
o Manage Routing and Remote Access routing interfaces.

Remote Access Addressing

When a client connects to a remote access server, both the client and the server connection must have an address (such as an IP address) to identify it on the network. As part of the remote access configuration, you need to decide how addresses are assigned to remote clients.

Addressing Method     Characteristics
DHCP-delivered        Configure the remote access server and client to obtain an address from a DHCP server. When the client requests a remote access connection for the first time: 1. The server requests 10 addresses from the DHCP server. 2. The server uses one address for its own remote access port. 3. The server assigns other addresses in the range to incoming clients. 4. If needed, the server requests additional IP addresses in blocks of 10.
Automatic assignment  Configure a range of addresses on the remote access server for its clients. One address is automatically assigned to the remote access port on the server. Clients are assigned an IP address from the address pool configured on the server.
Static IP address     You can configure the client with a specific IP address that it uses when it connects to the remote access server. Doing so requires two steps: configure the IP address for the dial-up connection on the client, and configure the remote access policy to allow IP address requests.

Remote Access Facts

Keep in mind the following facts about configuring remote access.

The number of dial-up modem connections permitted depends on the number of modems that are installed on the remote access server. If you have only one modem installed on the server, you can only have one modem connection at a time.
Before shutting a remote access server down, terminate all client idle sessions.
To enable clients to receive their addresses from a DHCP server, configure the remote access server to use DHCP for addressing.
When you use PPP as the WAN protocol, you can use DHCP for addressing and encryption.
To allow remote clients to access resources on both the remote access server and the local network, enable both remote access and LAN routing. To restrict access to only the remote access server, enable only remote access.
When you establish a LAN protocol, the client must be configured with all protocols used by all devices on the private network with which it communicates.
To access resources on a remote network, users must be given the appropriate permissions.

Remote Access Clients

As you study this section, answer the following questions:

What is the difference between authentication and authorization?
What authentication protocols are supported by Windows remote access clients and servers?
When should each authentication protocol be used?
What authentication protocol is used with smart cards?

After finishing this section, you should be able to complete the following tasks:

Create a remote access client connection.
Implement authentication protocols on the remote access client.

This section covers the following exam objectives:

401. Configure Routing and Remote Access user authentication.
o Configure remote access authentication protocols.

Authentication Protocol Comparison

Authentication protocols ensure that remote users have the necessary credentials for remote access. The following table compares the authentication protocols supported by a Windows 2003 remote access server. Protocols are listed in order, from least secure to most secure. As a rule, select the highest level of authentication supported by the clients.

Password Authentication Protocol (PAP)
Characteristics: Client sends a username and plain text password for authentication. Password can be easily intercepted. Use only when no other form of authentication is supported.
Client Support: 2003/XP/2000; NT 3.5/4.0; 95/98/ME

Shiva Password Authentication Protocol (SPAP)
Characteristics: Used to connect to a Shiva LAN Rover. Uses an encrypted password for authentication. Password encryption is easily reversible.
Client Support: 2003/XP/2000; NT 3.5/4.0; 95/98/ME

Challenge Handshake Authentication Protocol (CHAP)
Characteristics: Uses a three-way handshake (challenge/response). Uses MD5 hashing of the shared secret for authentication.
Client Support: 2003/XP/2000; NT 3.5/4.0; 95/98/ME

Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1)
Characteristics: Similar to MS-CHAP v2, uses challenge/response for authentication. Server authenticates the client (client cannot authenticate the server). Encrypts the secret used for authentication.
Client Support: 2003/XP/2000; NT 3.5/4.0; 95/98/ME

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
Characteristics: Highest level of authentication possible without using EAP. Uses a challenge/response mechanism for authentication. Allows both the client and the server to authenticate each other. Encrypts the secret used for authentication.
Client Support: 2003/XP/2000; NT 4 (SP 4); 98 (SP 1); 95 (with the latest updates, for a VPN connection only)

Extensible Authentication Protocol (EAP)
Characteristics: Client and server negotiate the characteristics of authentication. Used for smart cards or biometric authentication.
Client Support: 2003/XP/2000
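
As an added example (not from the study guide), the CHAP three-way handshake from the table, written as two plain Python roles so you can see what crosses the wire: the server sends a random challenge, the client answers with MD5(identifier, secret, challenge) per RFC 1994, and the server recomputes the digest from its stored copy of the secret. User names and secrets are constructed; the one-use challenge table is how this example keeps a recorded response from being accepted a second time.

```python
import hashlib
import hmac
import os

# Added example (not from the study guide): CHAP (RFC 1994) as a client role and
# a server role. User names and secrets below are constructed for the example.

def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || Secret || Challenge).

    The secret never goes on the wire; only this digest does, which is what
    separates CHAP from PAP's plain-text password.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class ChapServer:
    """Authenticator side: stores a secret per user and issues one-time challenges."""

    def __init__(self, secrets):
        self._secrets = secrets       # username -> secret bytes
        self._pending = {}            # identifier -> outstanding challenge

    def challenge(self, identifier, size=16):
        # Step 1: a fresh random challenge, so an earlier response is useless now.
        value = os.urandom(size)
        self._pending[identifier] = value
        return value

    def verify(self, identifier, username, response):
        # Step 3: recompute the digest with the stored secret; compare in constant time.
        challenge = self._pending.pop(identifier, None)   # each challenge is usable once
        secret = self._secrets.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)

def chap_client(identifier, username, secret, challenge):
    """Peer side, step 2: answer the challenge with the user's secret."""
    return username, chap_response(identifier, secret, challenge)

def run_handshake(server, username, client_secret, identifier=1):
    """Drive the exchange end to end and return the server's decision."""
    challenge = server.challenge(identifier)                                       # 1. Challenge
    name, response = chap_client(identifier, username, client_secret, challenge)  # 2. Response
    return server.verify(identifier, name, response)                              # 3. Success/Failure

if __name__ == "__main__":
    server = ChapServer({"alice": b"correct-horse-battery"})
    print("alice, right secret:", run_handshake(server, "alice", b"correct-horse-battery"))
    print("alice, wrong secret:", run_handshake(server, "alice", b"guess"))
```

Note what this exchange does not give you: the client learns nothing about whether it is talking to the real server, which is the gap MS-CHAP v2's mutual authentication closes, and the secret must be stored in a form the server can feed into MD5.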

For wireless clients, the most secure solution uses Protected EAP (PEAP) for an initial authentication to the wireless access point. When using PEAP, select one of the following two options:

PEAP-EAP-TLS. This authentication method uses certificates (either on the local system or on a smart card) to complete the authentication process.
PEAP-MS-CHAP v2. This method uses certificates on the server, but simple passwords on the client. Use this method when the client does not have a certificate.

PEAP support is enabled as follows:

Windows XP SP1, included as a feature of the service pack.
Windows Server 2003.
Windows 2000, supported through a special download and install.

Remote Access Client Configuration

You should know the following facts about remote access client configuration:

The client must be running all networking protocols (such as IP or IPX) that are used on destination computers.
Both the remote access client and the remote access server must use a common WAN protocol (such as PPP).
If your client and server have multiple modems, you can configure both to use multilink. With multilink, multiple physical connections are established to increase the bandwidth of a single connection. When using multilink, enable Bandwidth Allocation Protocol (BAP) to establish and drop links based on link activity.
Callback is a form of security in which the server disconnects the user after authentication then immediately calls the user back. The server can use a preset phone number for each user, or the user can enter a callback phone number after authentication. You cannot use multilink and callback together.
To configure remote clients for DNS, configure them with the IP address of the DNS server on the private network. DNS requests will be automatically routed to the DNS server.

Remote Access Policies

As you study this section, answer the following questions:

How are remote access policies applied to incoming connections?
Where are remote access policies stored?
What is the difference between conditions, permissions, and profile settings?

After finishing this section, you should be able to complete the following tasks:

Configure remote access policies.
Use the remote access policy logic to implement remote access solutions.
Design remote access policies using conditions, permissions, and profile information to only allow authorized individuals access to the network.

This section covers the following exam objectives:

401. Configure Routing and Remote Access user authentication.
o Configure Routing and Remote Access policies to permit or deny access.

Remote Access Policy Facts

A remote access policy consists of the following components.

Component    Description
Conditions   Remote access conditions identify which policies apply to incoming connections. The remote access server checks the conditions included with a policy. If all conditions match, the server processes the policy and user account settings to determine what access to allow or deny.
Permissions  Permissions determine whether remote access is granted or denied. Permissions come from a combination of settings in the user account and the remote access policy. There are only three possible permission settings: Grant remote access; Deny remote access; Control access through the remote access policy (only settable in the user account).
Profile      A profile is the list of settings that are applied to the connection once access is granted. Profile settings can reject or restrict remote access to connections that: use a specific media type; are initiated during specific days and times; use specific authentication protocols; use specific encryption protocols.

You should be familiar with the RAPCAP process:

Remote access policies determine the level of access remote clients get to resources.
Authorization for access to resources is determined by three steps:
1. Conditions
2. Permissions
3. Profile settings
Incoming connections are compared to the conditions found in a policy.
If the connection does not match the conditions in the first policy, the next policy in order is checked.
You should put more specific (or restrictive) policies at the top of the list to make sure they're not supplanted by more general policies.
When a match is found, that policy will be used for the connection (no other policies will be checked).
If the connection does not match any conditions in any policy, the connection will be refused.
After a matching policy is found, permissions are checked. If the permissions deny the connection, no other policies are checked.
Permissions identified in the user account override permissions set in the policy (unless Control access through Remote Access Policy is selected).
By default, the user account setting for remote access is set to Deny.
The Control access through Remote Access Policy setting is only available in 2000 native mode or Windows 2003 domain functional level.
If the permissions grant access, the policy profile is checked for additional conditions.
If all profile conditions match, the connection is granted. If not, it is refused.
You can establish enough restrictions through the profile to prevent user access.
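
The RAPCAP order of evaluation above, as an added example (not from the study guide) written as a small policy engine in Python: first match on conditions, then the permission decision (with the user account's dial-in setting overriding the policy unless it defers to the policy), then the profile constraints. The policies, group names, media types and hours are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List

# Added example (not from the study guide): the RAPCAP evaluation order as a
# policy engine. Policies, groups and connection attributes are constructed.

@dataclass
class Connection:
    username: str
    groups: frozenset          # group memberships the condition checks can use
    media: str                 # "modem", "vpn", ...
    hour: int                  # local hour (0-23) of the attempt
    auth_protocol: str         # "PAP", "CHAP", "MS-CHAP v2", "EAP", ...

Check = Callable[[Connection], bool]

@dataclass
class Policy:
    name: str
    conditions: List[Check]    # all must match for the policy to apply
    permission: str            # "Grant" or "Deny"
    profile: List[Check] = field(default_factory=list)   # applied once access is granted

def evaluate(conn, policies, account_setting):
    """Return "granted: <policy>" or "refused: <reason>".

    account_setting is the user account's dial-in value: "Allow", "Deny"
    (the default) or "ControlViaPolicy".
    """
    # Step 1, Conditions: the first policy whose conditions all match is used;
    # later policies are never consulted, so specific policies belong on top.
    policy = next((p for p in policies if all(c(conn) for c in p.conditions)), None)
    if policy is None:
        return "refused: no policy matched"

    # Step 2, Permissions: the account setting wins unless it defers to the policy.
    if account_setting == "Deny":
        return f"refused: account denies dial-in (matched {policy.name})"
    if account_setting == "ControlViaPolicy" and policy.permission == "Deny":
        return f"refused: policy {policy.name} denies"

    # Step 3, Profile: every constraint must hold, even for an account set to Allow.
    if not all(check(conn) for check in policy.profile):
        return f"refused: profile of {policy.name} rejects the connection"
    return f"granted: {policy.name}"

# Constructed policy list, most specific first.
POLICIES = [
    Policy("Contractors - VPN, business hours",
           conditions=[lambda c: "contractors" in c.groups],
           permission="Grant",
           profile=[lambda c: c.media == "vpn",
                    lambda c: 8 <= c.hour < 18,
                    lambda c: c.auth_protocol in ("MS-CHAP v2", "EAP")]),
    Policy("Employees",
           conditions=[lambda c: "employees" in c.groups],
           permission="Grant",
           profile=[lambda c: c.auth_protocol in ("MS-CHAP v2", "EAP")]),
    Policy("Deny everyone else",
           conditions=[lambda c: True],
           permission="Deny"),
]

if __name__ == "__main__":
    ann = Connection("ann", frozenset({"contractors"}), "vpn", 10, "MS-CHAP v2")
    print(evaluate(ann, POLICIES, "ControlViaPolicy"))
    print(evaluate(ann, POLICIES, "Deny"))
```

Two results worth noticing: an account set to Allow still fails on the profile (Employees with PAP), and an account set to Allow does override a Deny policy, which is why the page recommends controlling access through policy once the domain functional level permits it.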

You should also know the following facts about RADIUS:

Remote access clients pass authentication credentials to the remote access server.
The remote access server is configured as a RADIUS client to the IAS server. The remote access server forwards authentication credentials onto the IAS server.
Remote access policies configured on the IAS server are used to allow or deny access. The IAS server notifies the remote access server whether access is allowed for the remote access client.
To configure a remote access server as a RADIUS client, configure the authentication provider on the remote access server. Point to the IAS server and configure a shared secret.
On the IAS server, you must identify all RADIUS clients that will use the server as the authentication provider. You will need to supply the same shared secret as was configured on the RADIUS client.

Using Internet Authentication Service (IAS)

As you study this section, answer the following questions:

How does IAS differ from a normal remote access server? Why use it?
How does IAS relate to RADIUS?
What are the three As handled by the IAS server?
When using IAS, where are remote access policies stored?

After finishing this section, you should be able to complete the following tasks:

Configure a remote access server as a RADIUS client.
Configure the IAS server.
Configure shared private keys for RADIUS clients and servers.

This section covers the following exam objectives:

401. Configure Routing and Remote Access user authentication.
o Configure Internet Authentication Service (IAS) to provide authentication for Routing and Remote Access clients.

IAS Facts

If your network includes several remote access servers, you can control remote access from a single location by installing a Remote Authentication Dial-In User Service (RADIUS) server. Internet Authentication Service (IAS) is the service you install on a Windows 2000 server to make it a RADIUS server.

You should know the following facts about RADIUS:

Remote access clients pass authentication credentials to the remote access server.
The remote access server is configured as a RADIUS client to the IAS server. The remote access server forwards authentication credentials onto the IAS server.
Remote access policies configured on the IAS server are used to allow or deny access. The IAS server notifies the remote access server whether access is allowed for the remote access client.
To configure a remote access server as a RADIUS client, configure the authentication provider on the remote access server. Point to the IAS server and configure a shared secret.
On the IAS server, you must identify all RADIUS clients that will use the server as the authentication provider. You will need to supply the same shared secret as was configured on the RADIUS client.
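
The exchange between a remote access server (RADIUS client) and the IAS server, as an added example (not from the study guide) written in Python to follow RFC 2865: the Access-Request carries the User-Password hidden with the shared secret and a random Request Authenticator, and the reply carries a Response Authenticator computed from the same secret, which is why both sides must hold the same value. User names, passwords and secrets are constructed; attribute handling is limited to User-Name and User-Password.

```python
import hashlib
import hmac
import os
import struct

# Added example (not from the study guide): a minimal RADIUS Access-Request /
# Access-Accept exchange (RFC 2865). Names, passwords and secrets are constructed.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2        # attribute type codes

def attribute(atype, value):
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data):
    attrs, pos = {}, 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ k for h, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def ras_access_request(ident, username, password, secret):
    """Remote access server (RADIUS client): forward the credentials to IAS."""
    request_auth = os.urandom(16)       # random per request; keys the password hiding
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def ias_handle(request, secret, users):
    """IAS server: recover the password with its copy of the secret, decide, sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    return packet(code, ident, response_authenticator(code, ident, b"", request_auth, secret), b"")

def ras_check_reply(reply, request_auth, secret):
    """RADIUS client: trust no reply that is not signed with the shared secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    if not hmac.compare_digest(reply[4:20], expected):
        return "bad authenticator"      # mismatched shared secret or a forged reply
    return "accept" if code == ACCESS_ACCEPT else "reject"

def authenticate(username, password, ras_secret, ias_secret, users, ident=42):
    """Run the whole exchange; the two secrets are separate so a mismatch can be shown."""
    request, request_auth = ras_access_request(ident, username, password, ras_secret)
    reply = ias_handle(request, ias_secret, users)
    return ras_check_reply(reply, request_auth, ras_secret)

if __name__ == "__main__":
    users = {"alice": b"Pa55word"}      # constructed account store on the IAS side
    print(authenticate("alice", "Pa55word", b"s3cret", b"s3cret", users))   # accept
    print(authenticate("alice", "Pa55word", b"s3cret", b"other", users))    # bad authenticator
```

With mismatched secrets the IAS side recovers garbage for the password and answers Access-Reject, and the RADIUS client then discards even that reply because the Response Authenticator does not verify; in practice that shows up as a remote access server that cannot reach a decision at all, which is the symptom to check the shared secret for.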

Troubleshooting Remote Access

As you study this section, answer the following questions:

What process does a remote access client use to establish a remote access connection?
What troubleshooting steps should you take if a remote access connection fails?
How do the troubleshooting steps differ depending on when the connection fails?

After finishing this section, you should be able to complete the following tasks:

Troubleshoot a remote access connection failure.
Troubleshoot resource access through a remote access connection.

This section covers the following exam objectives:

405. Troubleshoot Routing and Remote Access routing.

Troubleshooting Remote Access

Most remote access problems are caused by misconfiguration. Problems are typically manifested by an error message that describes the nature of the problem. Read the error messages to identify likely causes, and then verify the applicable remote access configuration parameters.

When you try to establish a remote access connection, the following four processes take place:

1. Opening the port. The system initializes the modem or port used for remote access.
2. Dialing. The system attempts to connect to the remote system.
3. Authenticating. After a physical connection with the remote system is made, authentication protocols and credentials are verified.
4. Registering the computer. The computer is identified on the network and access is granted.

If the connection fails in the first two stages (making the connection):

Verify the hardware and physical connection.
Verify the configuration of the remote access connection object.
Verify that there are free ports on the remote access server to answer the call.

If the connection fails during the last two stages (authenticating and registering the computer):

Verify the username and password against a valid user account.
Check remote access policies.
Verify that authentication protocols match between the client and the server.
Verify remote access addressing.

If a connection can be made, but the client can only access resources on the remote access server (and not on other servers connected to the remote network):

Verify that the client is using all necessary LAN protocols used by servers on the remote network.
Verify that the remote access server is configured for both remote access and LAN routing.

Routing
As you study this section, answer the following questions:

What is the purpose of routing?
What is a routing table?
What routes are automatically added to the routing table when routing is enabled?

After finishing this section, you should be able to complete the following tasks:

Enable LAN routing on a server.
Add, modify, or delete routes in a static routing table.

This section covers the following exam objectives:

403. Manage TCP/IP routing.
o Manage routing tables.
o Manage routing ports.

Default and Static Routes

You should know the following facts about routes:

Routes to directly connected networks are automatically created. If a router only
needs to communicate with directly-connected networks, no special routes are
needed.
Use the Route Print command to view the routing table.
Use the Route Add command to add routes from the command prompt. Use the
syntax:
Route add destination_address mask subnet_mask gateway_address -p
where gateway_address is the address of the next-hop router that reaches the
destination. For example, to add a route to network 192.168.1.0 with mask
255.255.255.0 through that gateway, use the command:
Route add 192.168.1.0 mask 255.255.255.0 gateway_address -p
The -p parameter makes the route permanent (persistent). It is added again each
time the router reboots.
A default route is used when no other route in the routing table matches the
destination. You can also add a default-route entry to your routing table.

Keep in mind the following when creating special routes:

For a route to a subnet (network), enter the subnet address and mask.
For a route to a host, enter the host IP address and 255.255.255.255 for the mask.
For the default route, use 0.0.0.0 for the network and 0.0.0.0 for the mask.
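The three kinds of route above (subnet, host, default) only make sense together with the rule the router uses to pick between them: the most specific matching entry wins, so a 255.255.255.255 host route beats a subnet route, and the 0.0.0.0/0.0.0.0 default route is used only when nothing else matches. The following Python example, added here and not part of the study guide or of Windows, parses route add commands in the syntax shown above into a table and performs that lookup; the networks and gateway addresses are constructed.

```python
import ipaddress


def parse_route_add(command):
    """Parse a 'route add DEST mask MASK GATEWAY [-p]' line, the syntax used
    above, into an (ip_network, gateway) pair. The dotted mask is accepted
    directly by ipaddress, so 255.255.255.255 becomes a /32 host route and
    0.0.0.0 becomes the /0 default route."""
    parts = command.split()
    if (len(parts) < 6 or parts[0].lower() != "route" or parts[1].lower() != "add"
            or parts[3].lower() != "mask"):
        raise ValueError(f"not a route add command: {command!r}")
    network = ipaddress.ip_network(f"{parts[2]}/{parts[4]}", strict=False)
    return network, parts[5]


def build_table(connected_networks, route_add_commands):
    """Directly connected networks are created automatically ('on-link');
    everything else comes from route add commands."""
    table = [(ipaddress.ip_network(net), "on-link") for net in connected_networks]
    table.extend(parse_route_add(cmd) for cmd in route_add_commands)
    return table


def next_hop(table, destination):
    """Longest-prefix match: the most specific matching route wins, so a host
    route beats a subnet route, and the 0.0.0.0/0 default route is chosen only
    when nothing else matches. Returns the gateway, or None if unreachable."""
    dst = ipaddress.ip_address(destination)
    best = None
    for network, gateway in table:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway)
    return best[1] if best else None


# Constructed routing table: one connected LAN plus three static routes.
ROUTER_TABLE = build_table(
    ["10.0.0.0/24"],
    [
        "route add 192.168.1.0 mask 255.255.255.0 10.0.0.254 -p",   # subnet route
        "route add 172.16.5.7 mask 255.255.255.255 10.0.0.253 -p",  # host route
        "route add 0.0.0.0 mask 0.0.0.0 10.0.0.1 -p",               # default route
    ],
)

if __name__ == "__main__":
    for dest in ("10.0.0.9", "192.168.1.77", "172.16.5.7", "172.16.5.8"):
        print(dest, "->", next_hop(ROUTER_TABLE, dest))
```

Without the default route entry, a destination that matches no other row returns None, which is the "destination unreachable" case on a real router.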

Configuring Routing Protocols

As you study this section, answer the following questions:

What is the difference between static and dynamic routing?
Under what circumstances do you not need to configure static routes or a routing
protocol?
When should you choose static routes over a routing protocol?
How do RIP and OSPF differ? When should you choose each?
In the remote access console, what does it mean to add an interface to a routing
protocol?

After finishing this section, you should be able to complete the following tasks:

Configure RIP routing.
Add interfaces to routing protocols.

This section covers the following exam objectives:

403. Manage TCP/IP routing.
o Manage routing protocols.
o Manage routing tables.
o Manage routing ports.

Choosing a Routing Solution

The following table lists router solutions and their applications.

Solution: Default routing entries
o Use when the router has only directly-connected networks.

Solution: Static routes
o Use for small networks (10 subnets or less) that do not change often.
o Use to eliminate traffic due to routing updates.

Solution: RIP
o Use for small networks (50 or less subnets) when a dynamic solution is required.

Solution: OSPF
o Use for larger networks (50 or more subnets) when a dynamic solution is required.
o Use when you want to minimize (or reduce) traffic due to routing updates.

Windows 2003 supports RIP 1 and RIP 2. RIP has the following characteristics:

RIP uses hop and tick counts to calculate optimal routes.
RIP routing is limited to 15 hops to any location (16 hops indicates the network is
unreachable).
At startup, the router advertises itself and information about its directly-connected
networks and requests other routers to respond.
RIP broadcasts its entire routing table every 30 seconds.
A RIP broadcast has a limit of 25 network entries. If more networks are in the
routing table, additional broadcasts must be made.
At router shutdown, the router advertises that it is going down. Routers receiving
this notification remove all routes accessible through the downed router from their
tables.
Each route has a timeout value of 180 seconds. Each new broadcast containing
information for that route resets the timeout.
Failed routes are detected when the timeout is reached. After the timeout, the
route is removed.
RIP 2 supports multicasts, variable subnets, authentication, and next hop
addresses.
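The numbers in the list above (15 hops, 30 second broadcasts, 25 entries per message, 180 second timeout) interact in ways that are easier to see running than to memorize. The following Python example, added here and not part of the study guide or of the Windows RIP implementation, simulates a router's RIP table: it installs routes learned from neighbors, treats a metric of 16 as unreachable, refreshes the timeout on every broadcast, removes everything learned from a router that announces its shutdown, and expires routes whose neighbor has gone silent. Router names and networks are constructed.

```python
RIP_INFINITY = 16              # a hop count of 16 means unreachable
ROUTE_TIMEOUT = 180            # seconds a route lives without a refreshing broadcast
BROADCAST_INTERVAL = 30        # seconds between full-table broadcasts
MAX_ENTRIES_PER_MESSAGE = 25   # network entries that fit in one RIP broadcast


def split_broadcasts(entries):
    """A table with more than 25 networks is advertised in several messages."""
    return [entries[i:i + MAX_ENTRIES_PER_MESSAGE]
            for i in range(0, len(entries), MAX_ENTRIES_PER_MESSAGE)]


class RipTable:
    """Routes learned from neighbors: network -> (hop count, neighbor, expiry time)."""

    def __init__(self):
        self.routes = {}

    def receive(self, neighbor, entries, now):
        """Process one broadcast. `entries` are (network, hops) as the neighbor
        sees them; the link to the neighbor adds one hop."""
        for network, hops in entries:
            metric = min(hops + 1, RIP_INFINITY)
            current = self.routes.get(network)
            if metric >= RIP_INFINITY:
                # The neighbor says it can no longer reach the network.
                if current and current[1] == neighbor:
                    del self.routes[network]
                continue
            if current is None or metric < current[0] or current[1] == neighbor:
                # New route, better route, or refresh from the same neighbor:
                # install it and reset the 180 s timer.
                self.routes[network] = (metric, neighbor, now + ROUTE_TIMEOUT)

    def neighbor_down(self, neighbor):
        """A router advertises its own shutdown; drop everything learned through it."""
        self.routes = {n: r for n, r in self.routes.items() if r[1] != neighbor}

    def expire(self, now):
        """Remove routes whose timeout has elapsed; returns the networks dropped."""
        stale = [n for n, r in self.routes.items() if r[2] <= now]
        for n in stale:
            del self.routes[n]
        return stale

    def hops(self, network):
        route = self.routes.get(network)
        return route[0] if route else RIP_INFINITY


def simulate_silent_neighbor():
    """Scenario: R1 advertises a route every 30 s, then goes silent (crashes
    without announcing shutdown). The route survives 180 s past its last
    refresh and only then is removed."""
    table = RipTable()
    for t in range(0, 91, BROADCAST_INTERVAL):            # broadcasts at 0, 30, 60, 90
        table.receive("R1", [("10.1.0.0/16", 1)], now=t)
    expired_early = table.expire(now=90 + ROUTE_TIMEOUT - 1)
    expired_late = table.expire(now=90 + ROUTE_TIMEOUT)
    return expired_early, expired_late


if __name__ == "__main__":
    print("silent neighbor:", simulate_silent_neighbor())
    print("messages for a 60-network table:", len(split_broadcasts(list(range(60)))))
```

The difference between neighbor_down and expire is the point worth noticing: a clean shutdown removes routes immediately, while a crashed or unreachable router leaves stale routes in every neighbor's table for up to 180 seconds.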

Demand Dial Routing Facts

The following process is used to establish a demand-dial link:
1. A host sends a message to a host on the remote network.
2. The source router identifies the remote network, and initiates a link by calling the
destination router.
3. The destination router answers the call, and verifies the user credentials and
permissions.
4. The destination router identifies the link as a demand-dial link by matching the
username with its port name.
5. Data is transferred to the destination host.
6. The link stays active until the preconfigured idle disconnect time. If no data has
been sent during that time, the link is dropped.
To configure and enable demand-dial routing, complete the following tasks:
1. Enable demand-dial routing on the server.
2. Enable the port for use by demand-dial.
3. Add the port as a demand-dial interface.
4. Create a user account on the local system or domain that corresponds to the local
demand-dial port. (You can use the Demand Dial Interface wizard to create this
account automatically.)
5. Set the credentials for the remote user account that corresponds to the remote
demand-dial interface.
6. Create static routes or configure auto-static updates to add routes to the remote
network.
Auto-static updates can be used to populate the routing table with remote routes over a
demand dial link. Keep in mind the following about auto-static updates.

A routing protocol is used initially to share routing information. However, the
information is sent only once. The routers do not exchange periodic broadcasts.
Because auto-static updates are not performed on a regular basis through the
routing protocol's default advertisements, you must either manually perform the
update or schedule updates as a scheduled task. When you schedule updates,
routing exchanges take place at much longer intervals than the routing protocol's
update interval.
You can configure auto-static updates for IP RIP, IPX RIP, and IPX SAP, but not
for OSPF.

Troubleshooting Demand Dial Routing

Use the information in the following table to troubleshoot demand dial routing problems:

Problem: Application and time-out errors
Cause and Solution: Some errors happen with demand-dial routing because the link
between the routers is not yet established when data is first sent from a host. The host
assumes the link exists and begins sending data. In the meantime, the router must call the
remote system and establish the link. The time delay can cause the router buffer to fill, or
the delay may lead the application to think the remote system is not responding. In most
cases, retrying the request succeeds.

Problem: Authentication errors
Cause and Solution: Authentication errors are typically caused by incorrectly configuring
the username used by the demand-dial router to contact the remote router. Verify that the
username matches the remote port, and that a user account with dial-up permission exists.
Also verify the remote access policies and remove any restrictions that incorrectly limit
access.

Problem: Only one-way communication
Cause and Solution: If one host can connect to the remote router, but a host on the remote
network cannot connect back, verify that the username settings for both routers match the
remote port name. It is also possible for one router to use an incorrect username, but still
be granted a connection if there is a user account with that name. However, the connection
will be a remote access connection, not a demand-dial connection.

Problem: Endpoint identifier errors
Cause and Solution: Endpoint identifier errors occur when compatible addresses (such as
IP addresses on the same subnet) are not assigned to each communicating port. Check to
make sure that a DHCP server is available, or that the dial-up line is configured to assign
addresses.

Problem: Lost auto-static routes
Cause and Solution: If you have configured the server for auto-static routing updates, and
the routing table contains data but later is empty, check to make sure that each router can
establish a connection with the other. If a connection cannot be made to send the updates,
the table will not contain any auto-static routes because they have been deleted. Correct
the problem by scheduling auto-static updates or updating routes manually.

Network Address Translation

As you study this section, answer the following questions:

What is the purpose of NAT?
How does NAT accomplish its goal?
What is address and port mapping?

After finishing this section, you should be able to complete the following tasks:

Describe the Network Address Translation process and its purpose.
Identify and use private IP address ranges.
Explain IP packet structure and how NAT affects IPSec.

NAT Facts
Network Address Translation (NAT) allows you to connect a private network to the
Internet without obtaining registered addresses for every host. Private addresses are
translated to the public address of the NAT router.

The NAT router maps port numbers to private IP addresses. Responses to Internet
requests include the port number appended by the NAT router. This allows the
NAT router to forward responses back to the correct private host.
NAT supports a limit of 5,000 concurrent connections.
NAT provides some security for the private network because it translates or hides
the private addresses. In addition, outside hosts cannot normally initiate contact
with private hosts (unless explicitly configured).
A NAT router can act as a limited-function DHCP server, assigning addresses to
private hosts.
A NAT router can forward DNS requests to the Internet.
NAT does not work with IP protocols that embed an IP address in the packet data.
For this reason, you cannot create a VPN on two sides of a NAT router. However,
special modifications do allow FTP to function with NAT.
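The port mapping, the 5,000-connection limit, and the "outside hosts cannot initiate contact unless explicitly configured" behaviour described above all come from one translation table. The following Python example, added here and not part of the study guide or of the Windows NAT implementation, models that table: outbound packets get a mapped port on the public address, inbound packets are forwarded only when they answer a mapped connection or hit an explicitly published port, and new mappings are refused once the limit is reached. The public address (from the 203.0.113.0/24 documentation range), private hosts, and port numbers are constructed.

```python
import itertools

MAX_CONNECTIONS = 5000         # concurrent connection limit stated above
PUBLIC_IP = "203.0.113.5"      # constructed public address (documentation range)


class NatRouter:
    """Port-based NAT: each private (ip, port) talking to an Internet endpoint
    is mapped to a unique port on the router's single public address."""

    def __init__(self, public_ip=PUBLIC_IP, max_connections=MAX_CONNECTIONS):
        self.public_ip = public_ip
        self.max_connections = max_connections
        self.outbound = {}    # (priv_ip, priv_port, dst_ip, dst_port) -> public_port
        self.inbound = {}     # public_port -> (priv_ip, priv_port, dst_ip, dst_port)
        self.published = {}   # public_port -> (priv_ip, priv_port), explicitly configured
        self._ports = itertools.count(10000)

    def publish(self, public_port, private_ip, private_port):
        """Explicit configuration that lets outside hosts reach one private service."""
        self.published[public_port] = (private_ip, private_port)

    def translate_outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Private host -> Internet: rewrite the source to (public_ip, mapped port).
        Returns the translated (src_ip, src_port, dst_ip, dst_port), or None when
        the connection table is full."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound:
            if len(self.outbound) >= self.max_connections:
                return None
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return (self.public_ip, self.outbound[key], dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, dst_port):
        """Internet -> public_ip:dst_port. Only a reply to a mapped connection
        (same remote endpoint) or traffic to a published port is forwarded;
        anything else is dropped."""
        entry = self.inbound.get(dst_port)
        if entry and entry[2:] == (src_ip, src_port):
            return (src_ip, src_port, entry[0], entry[1])
        if dst_port in self.published:
            return (src_ip, src_port) + self.published[dst_port]
        return None

    def close(self, src_ip, src_port, dst_ip, dst_port):
        """Release a mapping when the private host's connection ends."""
        port = self.outbound.pop((src_ip, src_port, dst_ip, dst_port), None)
        if port is not None:
            del self.inbound[port]


if __name__ == "__main__":
    nat = NatRouter()
    print(nat.translate_outbound("192.168.0.10", 40000, "198.51.100.7", 80))
    print(nat.translate_inbound("198.51.100.7", 80, 10000))   # the reply
    print(nat.translate_inbound("198.51.100.9", 4444, 10000)) # None: not the peer
```

The inbound check compares the remote endpoint as well as the mapped port, which is what keeps an arbitrary Internet host from reaching a private host simply by guessing a mapped port number.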

DHCP Relay Agent

As you study this section, answer the following questions:

How can you provide DHCP services in a routed network?
Why would you implement DHCP relay?
What tool do you use to configure a DHCP relay agent?
What information does the DHCP relay need to function correctly?

After finishing this section, you should be able to complete the following tasks:

Implement DHCP relay on a server.

This section covers the following exam objectives:

101. Configure TCP/IP addressing on a server computer.
o Manage DHCP Relay Agent.
103. Troubleshoot DHCP.
o Verify that the DHCP Relay Agent is working correctly.

DHCP Relay Agent Facts

To properly configure the Relay Agent, you need to perform three tasks:
1. Add the Relay Agent via the remote access snap-in.
2. Configure the router's interface to relay DHCP packets.
3. Configure the Relay Agent with the main DHCP server's IP address.
Instead of configuring a relay agent, you can also enable BOOTP forwarding on the
router, or place a DHCP server on the local subnet.

Firewalls and Packet Filters
As you study this section, answer the following questions:

What is the purpose of a firewall?
What are the basic methods you can use to block network traffic through a router?
What are the three firewall solutions built in to Windows 2003 and how do they
differ?
What are the TCP/IP ports used by common traffic types?

After finishing this section, you should be able to complete the following tasks:

Secure a network using TCP/IP filtering, ICF, and packet filtering.
Open or close common ports to control allowed traffic.

This section covers the following exam objectives:

402. Manage remote access.
o Manage packet filters.
o Manage devices and ports.

Common Port Numbers

Port numbers identify a specific service running on a computer. As a best practice,
configure your firewall to allow only the ports for the services provided on your network
(and block all others). The following table lists port numbers for common services.

Port(s)            Service
20, 21             File Transfer Protocol (FTP)
23                 Telnet
25                 Simple Mail Transfer Protocol (SMTP)
50, 51             IPSec
53                 Domain Name Server (DNS)
67, 68             Dynamic Host Configuration Protocol (DHCP)
69                 Trivial File Transfer Protocol (TFTP)
80                 HyperText Transfer Protocol (HTTP)
88, 749            Kerberos
110                Post Office Protocol (POP3)
119                Network News Transport Protocol (NNTP)
137-139            NetBIOS
143                Internet Message Access Protocol (IMAP4)
161, 162           Simple Network Management Protocol (SNMP)
389                Lightweight Directory Access Protocol (LDAP)
443                HTTP with Secure Sockets Layer (SSL)
500 (UDP), 1701    Layer Two Tunneling Protocol (L2TP)
1723               Point-to-point Tunneling Protocol (PPTP)

For example, to allow HTTP traffic (both normal and secure traffic), open ports 80 and
443.
Firewall and Proxy Facts
Keep in mind the following facts about firewalls and proxy servers.

A firewall prevents invalid communications from entering a network while
allowing valid communications to travel in and out.
TCP/IP Filtering is a form of a very basic firewall.
TCP/IP Filtering allows you to block ports that you specify.
TCP/IP Filtering requires you to enable the setting for all NICs or no NICs.
ICF blocks all externally generated communications. Communications generated
internally can pass through the firewall, as can external responses to those
communications.
You can allow external communications through the firewall by enabling the
appropriate ports.
Packet filtering is available in the RAS Console.
Packet filtering allows you to specify input and output filters for each NIC.
Packet filtering allows you to restrict access based on ports, protocols, or IP
addresses.
Packet filtering offers a higher degree of control over network traffic.
An ingress filter allows you to prevent malicious actions like address spoofing.
An ingress filter will inspect packet headers to verify them.
Proxy servers speed up Web access through caching and restrict access to the
Internet.
Through caching, a proxy server can significantly increase bandwidth
performance.
A proxy server allows you to restrict Internet access through user and group
accounts.
Client browsers can either automatically detect the proxy server or access it
through a specific proxy IP address.
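The port table and the firewall facts above describe three mechanisms that a filter on the Internet-facing interface combines: an ingress check that rejects packets whose source address claims to come from inside (address spoofing), ICF-style behaviour that lets in only responses to connections started from inside or traffic to ports you explicitly opened, and plain per-port output filtering. The following Python example, added here and not part of the study guide or of Windows, is one such filter run over constructed packet headers; the inside network, remote addresses (documentation range), and the port subset taken from the table are all constructed.

```python
import ipaddress

# Well-known ports from the table above (constructed subset).
SERVICE_PORTS = {"http": 80, "https": 443, "smtp": 25, "dns": 53, "pptp": 1723, "telnet": 23}

PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class ExternalInterfaceFilter:
    """Filters applied on the router's Internet-facing NIC. Combines:
    - an ingress (anti-spoofing) check on the source address of inbound packets,
    - ICF-style behaviour: inbound traffic is allowed only as a response to a
      connection started from inside, or to a port that was explicitly opened,
    - an output filter that blocks chosen destination ports."""

    def __init__(self, inside_network, blocked_outbound_ports=()):
        self.inside = ipaddress.ip_network(inside_network)
        self.open_ports = set()
        self.blocked_outbound = set(blocked_outbound_ports)
        self.sessions = set()   # (inside_ip, inside_port, remote_ip, remote_port)

    def open_port(self, port):
        """Explicitly allow unsolicited inbound traffic to one port."""
        self.open_ports.add(port)

    def outbound(self, pkt):
        """Packet leaving the network. Records the flow so its reply is allowed back."""
        if pkt["dport"] in self.blocked_outbound:
            return "drop: outbound port filtered"
        self.sessions.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return "allow"

    def inbound(self, pkt):
        """Packet arriving from the Internet."""
        src = ipaddress.ip_address(pkt["src"])
        # Ingress filter: nothing arriving from the Internet may claim an inside
        # or private source address.
        if src in self.inside or any(src in net for net in PRIVATE_RANGES):
            return "drop: spoofed source address"
        if (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in self.sessions:
            return "allow: reply to internal request"
        if pkt["dport"] in self.open_ports:
            return "allow: port explicitly opened"
        return "drop: unsolicited inbound"


def packet(src, sport, dst, dport, proto="tcp"):
    """Constructed packet header summary used by the filter."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


if __name__ == "__main__":
    f = ExternalInterfaceFilter("192.168.1.0/24", blocked_outbound_ports={SERVICE_PORTS["telnet"]})
    print(f.outbound(packet("192.168.1.10", 50000, "198.51.100.20", 80)))
    print(f.inbound(packet("198.51.100.20", 80, "192.168.1.10", 50000)))
    print(f.inbound(packet("192.168.1.99", 4444, "192.168.1.10", 445)))
```

The ingress rule is the one the list calls "inspecting packet headers to verify them": it needs no state and catches a whole class of spoofed traffic before any port rule runs.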

Virtual Private Networking

As you study this section, answer the following questions:

What is the purpose of a VPN connection?
What are the two tunneling protocols available for use with VPNs?
How do the two protocols differ?

After finishing this section, you should be able to complete the following tasks:

Implement a client VPN connection.
Configure a VPN server.
Select and configure the appropriate tunneling protocol.

This section covers the following exam objectives:

404. Implement secure access between private networks.
o Diagnose and resolve issues related to remote access VPNs.

VPN Protocols
If you are designing a VPN connection, you must identify the tunneling protocol used for
the connection. Windows 2003 supports the following tunneling protocols:

Point-to-Point Tunneling Protocol (PPTP), supported by all 32-bit Microsoft
clients.
Layer Two Tunneling Protocol (L2TP), supported by Windows 2000/XP/2003
clients.

The tunneling protocol you choose will also affect the authentication and encryption
options available. The following table summarizes these choices.

Tunneling Protocol: PPTP
Authentication Protocol: EAP* or MS-CHAP (v1 or v2)
Encryption Protocol: MPPE
OS Support: 2000/XP/2003, NT 4.0, 95/98/ME

Tunneling Protocol: L2TP
Authentication Protocol: EAP or MS-CHAP (v1 or v2) for the user; Kerberos v5** or
certificates for the machine
Encryption Protocol: IPSec
OS Support: 2000/XP/2003

*EAP is supported only on Windows 2000/XP/2003.
**IPSec requires machine authentication (not user authentication) through either
Kerberos or certificates. Use EAP or MS-CHAP to enforce user authentication.
IP Security (IPSec)
As you study this section, answer the following questions:

What is the purpose of IPSec?
What are the three default IPSec policies and how do they interact?
What is the easiest way to deploy uniform IPSec policies to a group of
computers?

After finishing this section, you should be able to complete the following tasks:

Implement IPSec between two computers.
Assign IPSec policies via Group Policy.
Use the IPSecmon admin tool to analyze IPSec traffic.

This section covers the following exam objectives:

302. Monitor network protocol security. Tools might include the IP Security
Monitor Microsoft Management Console (MMC) snap-in and Kerberos support
tools.
303. Troubleshoot network protocol security. Tools might include the IP Security
Monitor MMC snap-in, Event Viewer, and Network Monitor.
IPSec Facts
IPSec is supported only on Windows 2000/XP/2003. How computers use IPSec to
communicate is controlled through IPSec policies. Windows comes with the following
three IPSec policies:

Policy: Client (Respond Only)
o Can communicate normally (unsecured).
o Contains a default response rule that lets it negotiate with servers that request
IPSec.

Policy: Server (Request Security)
o Requests security using Kerberos V5 protocol for all IP traffic.
o Allows unsecured communication with clients that do not respond to the request.

Policy: Secure Server (Require Security)
o Requires security using Kerberos V5 protocol for all IP traffic.
o Does not allow unsecured communication with clients.

You should also know the following facts about IPSec:

IPSec is identified by displaying two protocols in the Network Monitor: AH
(Authentication Header) and ESP (Encapsulating Security Payload).
o AH is displayed in Network Monitor when IPSec is configured for mutual
authentication. AH digitally signs each packet to ensure data integrity. AH
does not encrypt data.
o ESP is displayed in Network Monitor when IPSec is configured to encrypt
frames. ESP encrypts the data portion of the IP packet.
Use the IP Security Monitor MMC snap-in to verify IPSec traffic.
To monitor IPSec negotiations, the audit logon events setting must be enabled.
The security log file should be set to at least 10 MB in size.
To view DNS names in IPSec Monitor, enable DNS name resolution.
Microsoft recommends that you stop the Routing and Remote Access service
before stopping the IPSec service.
o Use the Net stop remoteaccess command at the command line to
stop the remote access service.
o Use the Net stop policyagent command at the command line to
stop the IPSec service.
An authentication failure occurs when the authentication methods don't match on
both machines that are trying to establish a security association.
A Bad SPI message can appear when the key lifetime is set too low.
The Audit Logging feature of Windows Server 2003 can be used to monitor IPSec
events.
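Two things in the IPSec material above are worth seeing as code: how the three built-in policies combine when two computers talk (the exam question "how do they interact?"), and what the AH and ESP entries in a Network Monitor capture actually are (IP protocol numbers 51 and 50 in the IP header). The following Python example, added here and not part of the study guide or of Windows, encodes the outcome for every pairing of policies, including a peer with no IPSec policy at all, and classifies the frames of a constructed capture; the addresses in the capture are constructed.

```python
# IP protocol numbers carried in the IP header's Protocol field; Network Monitor
# decodes them as AH and ESP.
PROTO_ESP, PROTO_AH = 50, 51

CLIENT = "Client (Respond Only)"
SERVER = "Server (Request Security)"
SECURE_SERVER = "Secure Server (Require Security)"
NO_IPSEC = None   # no policy assigned, or a system without IPSec support


def negotiate(initiator, responder):
    """Outcome when a computer with policy `initiator` connects to one with
    policy `responder`: 'secured', 'unsecured', or 'blocked'."""
    requesting = {SERVER, SECURE_SERVER}
    if initiator not in requesting and responder not in requesting:
        # Client/Client or Client/none: nobody asks for IPSec, traffic stays clear.
        return "unsecured"
    if initiator is not NO_IPSEC and responder is not NO_IPSEC:
        # One side requests and the other can respond (all three policies respond).
        return "secured"
    # One side cannot do IPSec at all.
    if SECURE_SERVER in (initiator, responder):
        return "blocked"      # Require Security never falls back to clear text
    return "unsecured"        # Request Security does fall back


def classify_frame(ip_protocol):
    """What a Network Monitor capture shows for one IP frame."""
    if ip_protocol == PROTO_AH:
        return "AH: signed for integrity, payload not encrypted"
    if ip_protocol == PROTO_ESP:
        return "ESP: payload encrypted"
    return "clear"


def capture_summary(frames):
    """Count AH, ESP and clear frames in a capture given as (src, dst, ip_protocol)."""
    summary = {"AH": 0, "ESP": 0, "clear": 0}
    for _src, _dst, proto in frames:
        summary[classify_frame(proto).split(":")[0]] += 1
    return summary


# Constructed capture: a Secure Server talking to a Client, plus one clear-text
# frame from a third host that has no IPSec policy.
SAMPLE_CAPTURE = [
    ("10.0.0.5", "10.0.0.20", PROTO_ESP),
    ("10.0.0.20", "10.0.0.5", PROTO_ESP),
    ("10.0.0.5", "10.0.0.20", PROTO_AH),
    ("10.0.0.7", "10.0.0.20", 6),   # plain TCP
]

if __name__ == "__main__":
    for pair in [(SECURE_SERVER, CLIENT), (SERVER, NO_IPSEC), (NO_IPSEC, SECURE_SERVER)]:
        print(pair, "->", negotiate(*pair))
    print(capture_summary(SAMPLE_CAPTURE))
```

A capture that shows only clear frames between two hosts you expected to be secured points at the policy pairing (two Respond Only clients, or a Request Security server talking to a host with no policy) before it points at a broken key exchange.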

Templates
As you study this section, answer the following questions:

What are the two purposes of security templates?
What are the basic features of each built-in template?
What is the easiest way to deploy uniform security settings to a group of
computers?
What tools can be used to deploy templates to a single computer?

After finishing this section, you should be able to complete the following tasks:

Select the appropriate built-in security template for a given situation.
Use Group Policy to deploy custom or built-in templates.
Use the Security Configuration and Analysis tool or secedit.exe to apply a
template or compare a template against existing security on a single computer.

This section covers the following exam objectives:

301. Implement secure network administration procedures.
o Implement security baseline settings and audit security settings by using
security templates.
Preconfigured Templates
Security templates are a collection of settings that configure a system to a predefined
state. Windows provides the following predefined security templates:

Template: Setup Security.inf
Function:
o Created specifically for each computer during setup
o Differs depending on whether installation was a clean installation or an upgrade
o Contains default security settings applied during installation
o Defines default file permissions for system drive root
o Used on workstations or servers (not on domain controllers)
o Should not be applied through group policy

Template: DC Security.inf
Function:
o Created when server is upgraded to a domain controller
o Gives default security settings for files, registry, and system services

Template: Secure*.inf
Function:
o Secures a system without causing application or compatibility issues
o Securews.inf can be applied to a workstation or a server
o Securedc.inf can be applied to a domain controller

Template: Hisec*.inf
Function:
o Specifies additional security settings beyond the Secure templates
o Hisecws.inf can be applied to a workstation or a server
o Hisecdc.inf can be applied to a domain controller

Template: Compatws.inf
Function:
o Forces compatibility across Windows platforms
o Should not be applied to domain controllers
Remember the following tips when applying templates:

Use the Setup Security.inf template to restore the system to its default state.
Apply additional templates to add security (just applying the more secure
template might not reset custom settings to their default state).
Use Group Policy to deploy and periodically enforce templates (the template will
be applied at normal group policy application times).
Don't use Group Policy to distribute the Setup Security.inf template because it is
very large and will consume a lot of bandwidth and take time as it is applied to the
computer.
You can customize a preconfigured template to meet your needs. After you
modify the template, save it with a new file name to preserve the preconfigured
settings.
Secedit.exe allows you to apply only the parts of a template that you need. (A
better solution is to customize the template and save it with a different name.)

Template Facts
Use the Security Configuration and Analysis snap-in to manage security templates,
analyze current settings, create custom templates, or import an existing template. When
working with templates:

Compare an existing system with a template to see how the system's settings
differ from the template.
Clear current settings before importing a new template.
After applying a secure template, you might need to restore group memberships in
the Administrators or Power Users group.
You can also use the Secedit command to analyze and apply templates.

You should also know the following facts about security analysis:

The Microsoft Baseline Security Analyzer will tell you which patches have been
installed on a particular computer.
You also need to verify that patches have not been manually applied.
Check the Windows Update log to see if a patch came from the Software Update
Server or from the Windows Update website.

Use the following key to decipher the meanings of the icons shown when analyzing the
system (the icons themselves are not reproduced here):
(icon) = The system does not match the template
(icon) = The system meets or exceeds the template
(icon) = The template does not define the value
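The three result states in the key above are what an analysis against a template produces for every setting. The following Python example, added here and not part of the study guide or of the Security Configuration and Analysis snap-in, reads a constructed excerpt in the INI-style layout of a security template (.inf) file, compares it with a constructed snapshot of a computer's current settings, and reports each setting as a mismatch, as meeting or exceeding the template, or as not defined by the template. Which settings count as "exceeding" when the current value is larger is an assumption made for the example.

```python
import configparser

# Constructed excerpt in the layout of a security template (.inf) file.
TEMPLATE_INF = """\
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""

# Constructed snapshot of the analysed computer's current settings.
CURRENT_SETTINGS = {
    ("System Access", "MinimumPasswordLength"): 14,   # stricter than the template
    ("System Access", "PasswordComplexity"): 0,       # weaker than the template
    ("System Access", "LockoutBadCount"): 5,          # equal
    ("Event Audit", "AuditLogonEvents"): 3,           # equal
    ("System Access", "MaximumPasswordAge"): 42,      # template says nothing
}

MISMATCH = "system does not match the template"
MEETS = "system meets or exceeds the template"
NOT_DEFINED = "template does not define the value"

# Assumption for this example: settings where a larger current value is at
# least as strong as the template's value.
HIGHER_IS_STRONGER = {("System Access", "MinimumPasswordLength")}


def load_template(inf_text):
    """Parse the template into {(section, key): int value}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep the key names' case
    parser.read_string(inf_text)
    return {(section, key): int(value)
            for section in parser.sections()
            for key, value in parser.items(section)}


def analyze(template, current):
    """Compare every current setting against the template, producing the three
    result states shown in the icon key above."""
    report = {}
    for key, have in current.items():
        want = template.get(key)
        if want is None:
            report[key] = NOT_DEFINED
        elif have == want or (key in HIGHER_IS_STRONGER and have > want):
            report[key] = MEETS
        else:
            report[key] = MISMATCH
    return report


def mismatches(template, current):
    """Only the settings that applying the template would change."""
    return sorted(k for k, v in analyze(template, current).items() if v == MISMATCH)


if __name__ == "__main__":
    for key, state in analyze(load_template(TEMPLATE_INF), CURRENT_SETTINGS).items():
        print(f"{key[0]} / {key[1]}: {state}")
```

The "not defined" state is the one to watch when reading analysis results: a setting the template does not mention is not reset when the template is applied, which is why the tips above say that applying a more secure template might not return custom settings to their defaults.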
Security Principles
As you study this section, answer the following questions:

What are the two basic goals of any security system?
What is the principle of least privilege?
What are some of the most important security considerations for computer
systems?

After finishing this section, you should be able to complete the following tasks:

Use the Delegation of Control wizard to delegate necessary permissions to
perform administrative tasks.
Implement auditing and analyze security logs.

This section covers the following exam objectives:

301. Implement secure network administration procedures.
o Implement the principle of least privilege.
Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) is a tool you can use to scan the local
and remote computers for security compliance. The MBSA tool looks for the following
operating system vulnerabilities:

Installed and missing hotfixes
Guest account status
Administrator group membership
Weak passwords on user accounts
Non-expiring passwords
Restrict anonymous access settings
Auto logon
File system type used on each drive
Shares
Automatic update configuration
Internet Connection Firewall (ICF) configuration
Unnecessary services
Auditing
Program vulnerabilities for programs such as Internet Explorer, Media Player, IIS,
SQL, Exchange, and Office

MBSA does not come as part of the 2003 Server installation. You can download it from
Microsoft's Web site. You should know the following facts about MBSA:

The analyzer runs in both a GUI and command-prompt mode (run Mbsacli.exe to
run from the command line).
You can use MBSA to analyze up to 10,000 remote computers at a time. Results
of the analysis can be saved to a file for later review.
MBSA can analyze Windows NT/2000/XP/2003 computers.
You must have administrator privileges to scan a local or remote computer.
To scan a local computer, make sure the Workstation and Server services are
enabled.
The computer running MBSA to analyze remote computers must be running the
Workstation service and have Microsoft Networks turned on.
The computer that you are analyzing must be running the following services:
o Remote Registry
o Server
o File and Print sharing
To analyze only missing hotfixes and updates, run Mbsacli.exe /hf (this command
replaces the Hfnetchk.exe utility).
A similar utility, Qfecheck.exe, scans Windows 95/2000/XP computers for missing
hotfixes. However, this utility can only analyze the local computer.

Security Principles Facts

Use the following guidelines when considering security:

Design security strategies according to the rule of least privilege. This means
that you give users the fewest rights and privileges possible while still allowing
them to do their jobs. (It is easier to add permissions than it is to remove
permissions.)
Disable unnecessary services as well as file and print sharing when they're not
needed.
Implement a firewall and up-to-date anti-virus software.
Audit the system regularly.
Use security templates and Group Policy to apply security settings uniformly
across the network.
Use IPsec and SSL to secure network communications.
Use SUS to control the updates deployed across the network.
Use Hfnetchk to scan computers for hot fix levels.
Use Mbsacli to scan remote computers for security and configuration issues.

Services
As you study this section, answer the following questions:

What is a service?
What is service startup behavior and why might you modify this?
What are the three user accounts that various XP/2003 services run under?
What is a service dependency?

After finishing this section, you should be able to complete the following tasks:

Start, stop, and restart services. Modify the service startup behavior.
Configure service failure recovery options.
Identify service dependencies.
Change a service's user account if necessary.

This section covers the following exam objectives:

503. Troubleshoot server services.
o Diagnose and resolve issues related to service dependency.
o Use service recovery options to diagnose and resolve service-related
issues.

Services Facts
You should know the following facts about services:

Services are programs that run continuously in the background.
The three service startup behaviors are:
o Automatic
o Manual
o Disabled
You can control service behaviors (including startup behaviors) through Group
Policy.
Services run under the security privileges of a user account. There are three types
of built-in accounts (you can also use custom accounts to run services):
o The Local System account provides full access to the system.
o The Local Service account provides access to particular services.
o The Network Service account provides access to services on the network.
Because services run using a user account, make sure the password is configured
correctly, the user account is not locked, and the user account is enabled.
Take care not to disable a service upon which other services depend.
You can view dependent services through the services console or by executing the
SC.exe command.
Use Msconfig.exe to troubleshoot services.
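"Take care not to disable a service upon which other services depend" is a graph question: the services console's Dependencies tab and SC.exe show the direct and transitive dependents, and the same walk tells you the order in which services must start. The following Python example, added here and not part of the study guide or of Windows, computes both from a dependency map; the service names in the map are constructed for illustration and are not taken from a real Windows service list.

```python
# Constructed dependency graph: service -> services it requires to be running.
# (Names are illustrative, not taken from a real Windows service list.)
DEPENDS_ON = {
    "RPC": [],
    "EventLog": [],
    "NetworkStack": ["RPC"],
    "DHCPClient": ["NetworkStack"],
    "FileSharing": ["NetworkStack", "EventLog"],
    "WebServer": ["FileSharing", "RPC"],
}


def dependents(graph, service):
    """Services that stop working (directly or transitively) if `service` is
    disabled: the information the services console shows on the Dependencies
    tab, and that SC.exe lists for a service's dependents."""
    result = set()
    frontier = [service]
    while frontier:
        current = frontier.pop()
        for name, deps in graph.items():
            if current in deps and name not in result:
                result.add(name)
                frontier.append(name)
    return sorted(result)


def start_order(graph, service):
    """Order in which services must be started so that `service` can run:
    each dependency appears before anything that needs it. A cycle is a
    configuration error and is reported rather than looped over."""
    order = []

    def visit(name, path=()):
        if name in path:
            raise ValueError(f"circular dependency through {name}")
        if name in order:
            return
        for dep in graph[name]:
            visit(dep, path + (name,))
        order.append(name)

    visit(service)
    return order


def safe_to_disable(graph, service):
    """True only when nothing else depends on the service."""
    return not dependents(graph, service)


if __name__ == "__main__":
    print("disabling RPC breaks:", dependents(DEPENDS_ON, "RPC"))
    print("start order for WebServer:", start_order(DEPENDS_ON, "WebServer"))
    print("safe to disable DHCPClient:", safe_to_disable(DEPENDS_ON, "DHCPClient"))
```

When a service fails to start with a dependency error, walking start_order for it and checking each listed service's state (and the account it runs under, per the facts above) finds the real culprit faster than restarting the service that reported the error.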

Software Update Services

As you study this section, answer the following questions:

What is the purpose of Software Update Services (SUS)?
What are the two basic steps to set up SUS after it is installed?
What does a client need to use SUS?

After finishing this section, you should be able to complete the following tasks:

Install and configure SUS.
Synchronize and approve updates for SUS clients.
Implement Group Policy to point clients to the SUS server.
Install the Automatic Updates Client on clients if necessary.

This section covers the following exam objectives:

301. Implement secure network administration procedures.
SUS Facts
Software Update Services (SUS) allows you to configure the distribution of operating
system patches for clients, including ones related to security. You can deploy SUS in the
following ways:

The SUS server approves the updates. Clients contact the SUS server for update
approvals, then retrieve the updates from the Windows Update server. This
requires a great deal of bandwidth.
The SUS server approves and synchronizes the updates. SUS stores the updates
locally for clients to retrieve. This reduces bandwidth demands since only the SUS
server contacts the Windows Update server.
SUS servers in various locations are each responsible for approving and
synchronizing updates, and each contacts the Windows Update server.
Use a "master" SUS server to approve and synchronize updates from the
Windows Update server. The child SUS servers synchronize updates from the
master. If WAN bandwidth between the master and child servers is poor, you may
decide against this structure.

In most enterprise implementations, client computers contact local SUS servers to get a
list of approved updates and download those updates. In this configuration, SUS client
computers must be configured to receive updates from the local SUS server instead of the
Windows Update Web site. The easiest way to configure client settings is to use Group
Policy to distribute the server name and other update parameters. The following table lists
the Automatic Update policies:

Policy: Configure Automatic Updates
Description: There are three options for configuring the behavior of the Automatic
Updates client:
o Notify for Download And Notify For Install
o Auto Download And Notify For Install
o Auto Download And Schedule The Install

Policy: Reschedule Automatic Updates Scheduled Installations
Description: If a client machine is turned off during a scheduled installation, by default
the installation occurs at the next scheduled time. However, this policy allows you to set
the installation to occur between 1 and 60 minutes after the system starts up.

Policy: No Auto-Restart For Scheduled Automatic Updates Installations
Description: This policy allows Automatic Updates to disregard a required restart when a
user is logged on. The user receives a notification about the required restart but is not
required to restart the machine.

Policy: Specify Intranet Microsoft Update Service Location
Description: This policy allows you to redirect clients from the Microsoft Windows
Update server to a SUS server on your network. You can also set logging to occur on any
server on the network running IIS. IIS logs are found in
%Windir%\System32\Logfiles\W3svc1.
