Microsoft exam 70-291
Microsoft exam 70-291 preparation guide
Part 1: Understanding Windows networks and TCP/IP
Part 2: Troubleshooting and monitoring TCP/IP
Part 3: Implementing, configuring and troubleshooting DNS servers
Part 4: Implementing, configuring and troubleshooting DHCP servers
Part 5: Implementing, configuring and troubleshooting routing and remote access in Windows networks
Part 6: Managing network infrastructure and security
I have written this short preparation guide as a way for myself to ease studying for the Microsoft 70-291 exam titled: “Implementing, managing and maintaining a Microsoft Windows Server 2003 network infrastructure”. I provide this guide as is, without any guarantees, explicit or implied, as to its contents. You may use the information contained herein in your computer career, however I take no responsibility for any damages you may incur as a result of following this guide. You may use this document freely and share it with anybody as long as you provide the whole document in one piece and do not charge any money for it. If you find any mistakes, please feel free to inform me about them Tom Kitta. Legal stuff aside, let us start.
Guide version 0.006 last updated on 17/06/2004
Part 1: Understanding Windows networks and TCP/IP
[1.1] Basic networking definitions
- Network infrastructure – the set of physical and logical components that allow for, among other features, security, management and connectivity
- Physical infrastructure – also known as the network’s topology: the physical layout of hardware components, the type of hardware and the technology used with that hardware for data transmission.
- Logical infrastructure – is the software that allows for communication over physical infrastructure, it includes services that run on the network like DNS
- Network connection – is a logical interface between software and hardware layers
- Network protocol – is the language used for communication between networked computers
- Network service – is a program that provides features to hosts or protocols on the network
- Network client – is a program that allows a computer to connect to a network operating system
- Addressing – the practice of maintaining a coherent system of addresses within an organization’s network that allows all computers to communicate
- Name resolution – is the process of translating a computer name into an address and the other way around
- Workgroup – is a simple grouping of resources which by default uses NetBIOS naming system. NetBIOS is used together with Common Internet File System (CIFS), an extension of Server Message Block (SMB) protocol, to provide file sharing. There is no centralized security in a workgroup environment. The default workgroup name is WORKGROUP. In the absence of a WINS server the NetBIOS names are resolved using broadcasts to local network segment.
- Domain – a collection of computers that share a common directory, security policies and relationships with other domains. The word ‘domain’ is used both for a grouping of computers in AD and for names in DNS; they are different things.
- Active directory – is a distributed database that provides directory service
- Remote access – is a connection that is configured for users that want to access resources from non-local site. There are two types, VPN and dial-up.
- Network Address Translation (NAT) – is the system which allows computers with private addresses to communicate with computers on the internet
- NWLink – Microsoft implementation of Novell IPX/SPX protocol used by NetWare networks
- Certificate – is used for public key cryptography
- NetBT – NetBIOS over TCP/IP, provides for higher level communications such as SMB (Server Message Blocks) and CIFS
- CIFS – an extension of the SMB protocol that is used with basic file sharing. One of the advantages of CIFS over SMB is the ability to operate directly over DNS without the use of NetBIOS.
- TCP/IP – the most popular protocol suite; it is scalable, routable and based on open standards.
- Redirector – the client component that decides whether a request is to be serviced locally or remotely. In Windows the redirector is called Client for Microsoft Networks. It uses SMB/CIFS for communication.
[1.2] Network connection
- Components that make up a connection: network clients, services and protocols
- Connections by themselves don’t provide communication, it occurs through components bound to the connection
- Client for Microsoft Networks is by default bound to all local area connections, it allows client computers to perform CIFS related tasks
- TCP/IP protocol is bound to all connections by default
- File and printer sharing for Microsoft Windows is installed and bound to all connections by default
- Advanced connection settings allow administrator to change the priority of each connection
- Provider order tab in advanced settings dialog box allows administrator to change the network providers order. This setting is for all connections. By default, Microsoft Terminal Services is given priority over the Microsoft Network because Terminal Services are meant to be used in place of all other connections.
- In the provider tab one also finds print provider order, by default LanMan Print Services is given priority over HTTP Print Services
[1.3] Default TCP/IP Settings, APIPA
- APIPA stands for automatic private IP addressing
- By default the IP address and DNS servers are to be obtained automatically from the DHCP server
- If the computer cannot get address automatically it uses APIPA to assign itself one
- APIPA assigns PC address from the range 169.254.0.1 to 169.254.255.254, in use since Windows 98
- Administrators can combine APIPA with an alternate configuration; when an IP address can be obtained from DHCP, APIPA turns itself off – an APIPA address never overrides a DHCP-obtained address
- To disable APIPA administrator can either configure alternative IP address or edit registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface registry entry IPAutoconfigurationEnabled set to 0 and reboot
- An all zero address might indicate that the IP has been released and never renewed
- When a computer fails to obtain an APIPA address in the absence of a DHCP server and a static address, the administrator should look for a hardware problem
[1.4] Management and monitoring tools
- Connection Manager – allows creation of customized remote access connections
- Connection Point Services – Phone Book Service that needs IIS
- Network Monitor – packet analyzer
- SNMP – Simple network management protocol, agents that monitor activity in network devices and report to network management console. For use with both Windows and UNIX, works with almost any network device.
- WMI SNMP Provider – lets client applications access static and dynamic SNMP information through WMI
[1.5] TCP/IP model
- The TCP/IP model is the newer networking model, OSI Open System Interconnection model is an older model
- Network interface – is the layer in the communications process that describes standards for physical media, for example ethernet. In OSI model it is both Physical layer and Data link layer.
- Internet – is the layer in the communications process during which information is packaged, addressed and routed to other network destinations. ARP is used for address resolution, IP for addressing and routing data and ICMP for reporting errors and exchanging limited control/status information. In OSI model this layer is called the Network layer.
- Transport – the layer in the communications process during which the standards of data transport are determined: TCP with its guarantees of delivery, and the connectionless, unguaranteed but fast UDP. This layer has the same name in the OSI model.
- Application – the layer in the communications process during which end-user data is exchanged, packaged and sent to and from the transport layer, for example telnet. In OSI this corresponds to three layers: Session, Presentation and Application.
[1.6] OSI model
- OSI stands for Open System Interconnection model, it is an older networking model
- 7 Application layer
- 6 Presentation layer
- 5 Session layer
- 4 Transport layer
- 3 Network layer
- 2 Data link layer
- 1 Physical layer
- Layers 7, 6, and 5 correspond to Application layer in TCP/IP model
- Layer 4 corresponds to the Transport layer in the TCP/IP model
- Layer 3 corresponds to Internet layer in TCP/IP model
- Layers 2 and 1 correspond to the Network Interface layer in the TCP/IP model
- Protocols that were not originally part of the TCP/IP specifications are referred to by their position in the OSI model rather than in the TCP/IP model. For example NetBT is a session (layer 5) protocol.
[1.7] Protocols, their port numbers and layers in TCP/IP model they are in
- Protocol number – is used to define a stream of data associated with a specific service
- Transport is provided by the TCP and UDP protocols
- Internet layer protocols are ARP, IP and ICMP
- HTTP – hypertext transfer protocol TCP port 80 (application layer)
- SSL – Secure Sockets Layer, TCP port 443
- SMTP – TCP port 25. Files stored in LocalDrive:\Inetpub\Mailroot
- SNMP – simple network management protocol used to provide information about TCP/IP hosts, UDP port 161.
- FTP – only basic authentication allowed, TCP port 20 (data) TCP port 21 (control). Files stored in LocalDrive:\Inetpub\Ftproot (application layer)
- POP – TCP port 110
- DNS – UDP port 53 (query) TCP port 53 (zone transfer)
- NNTP – TCP port 119. Files stored in LocalDrive:\Inetpub\Nntpfile\Root
- PPTP – Point to point tunneling protocol TCP port 1723; protocol number 47
- L2TP/IPSec – UDP ports 500, 1701 and 4500; protocol number 50
- ARP, ICMP and IP (internet layer)
[1.8] IP addressing
- The Internet Assigned Numbers Authority (IANA) divides up the non-reserved portions of the IP address space
- IANA gives address blocks to regional authorities such as ARIN, which in turn give them to large ISPs
- Private addresses are in ranges 10.0.0.0 – 10.255.255.254, 172.16.0.0 – 172.31.255.254, 192.168.0.0 – 192.168.255.254
- An IP address is just a representation of a 32-bit number broken into four 8-bit parts for ease of visualization by the administrator
- An IP address is made up of two parts, the network address and the host address. The network prefix is the number of bits in the network ID.
- IP class assignments
- Class A 1-126.x.x.x, hosts supported 16777214, with mask 255.0.0.0
- Class B 128-191.x.x.x, hosts supported 65534, with mask 255.255.0.0
- Class C 192-223.x.x.x, hosts supported 254, with mask 255.255.255.0
- Class D 224-239.x.x.x, reserved for multicast addressing
- Class E 240-254.x.x.x, reserved for experimental use
- The subnet mask is used to determine whether a packet is destined for the current network or not. It does that by masking the network part of the IP address. The PC proceeds by finding its own network address using its IP address and subnet mask in a bitwise AND operation. Then the PC does a bitwise AND operation on the destination IP address and its own subnet mask to determine the foreign network address. If the two addresses match the packet travels on the local network; if they don’t, the packet is destined for a foreign network.
- CIDR – classless interdomain routing notation, a shorthand for a subnet mask. It counts the number of 1’s in the subnet mask’s binary representation and is displayed after the IP address; for example 192.168.2.12/24 means the subnet mask is 255.255.255.0, since that mask has 24 1’s. It is not compatible with RIP v1. Administrators commonly use the term when talking about supernetting, since CIDR is used to shorten routing tables.
- The default gateway is the IP address of a routing device that accepts packets destined for other networks. Other networks are subnets that are not within the broadcast range of the PC contacting the default gateway (the gateway itself is within broadcast range).
- Follow these simple steps to spot an invalid IP address:
- Host without a subnet mask
- No unique network ID (per WAN) or no unique host name per LAN
- Neither the network ID nor the host ID can be all 1’s (since that is the broadcast address)
[1.9] Subnetting and supernetting IP networks
- Subnetting – occurs when one needs to divide a default class A, B or C address space into smaller spaces. The logical division is accomplished by extending the string of 1’s in the subnet mask.
- Subnetting is used for: accommodating security needs, physical topology, limitation of broadcasting
- Number of hosts on a subnet = 2^(32 - number of 1’s in the subnet mask) - 2. We subtract 2 since one address is needed for the network ID and one for the network broadcast
- Host ID with all 0’s is the network ID and host ID with all 1’s is broadcast address
- Supernetting – occurs when one wants to combine default A, B or C class address spaces into one large space. This method allows for more efficient allocation of network address space.
- Supernetting’s major difference from subnetting is the removal of 1’s from the subnet mask, which shortens the network prefix. Thus one might have /23, /22, /21 or /20 supernet masks.
- Conversion between binary and decimal (or any other base) is based on the base each system uses: 2 for binary, 10 for decimal and so on. The position of a digit in a number, counted from zero on the right, determines the power to which the base is raised; the digit’s value is multiplied by the base raised to that power. Sum the results for all digits to get the number in decimal. For example 123 in base 8 is 1*8^2 + 2*8^1 + 3*8^0 = 83 in decimal. To minimize errors it is best to use a calculator.
- Variable length subnet masks (VLSMs) – allow for subnets to be subnetted themselves making the use in large organizations of network address space more efficient. They allow administrators to create subnets of varying sizes.
- Classless Inter-Domain Routing (CIDR – defined in RFC 1519) using variable length subnet masks (VLSM) was created to allow for greater flexibility with routed IP networks, to allow for the accelerating expansion of the Internet.
- VLSMs use Subnet IDs to create subnets of different sizes, they are not compatible with old routing protocols like RIP 1
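The subnet arithmetic of [1.8] and [1.9] (bitwise AND for the network ID, CIDR prefix to mask and back, the 2^(32-n)-2 host count, the all-0s/all-1s host ID checks, the APIPA and private ranges) worked on real input. This is an added example, not code from the guide; all sample addresses are constructed.

```python
# Added example: IP address and subnet-mask arithmetic on 32-bit integers.
# Sample addresses used in the functions and tests are constructed for illustration.

PRIVATE_RANGES = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def ip_to_int(addr):
    """Pack dotted-quad text into the 32-bit number it represents."""
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {addr!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | int(octet)
    return value


def int_to_ip(value):
    """Unpack a 32-bit number into dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix):
    """CIDR prefix length (number of leading 1 bits) -> dotted subnet mask."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask):
    """Dotted subnet mask -> CIDR prefix; rejects masks whose 1 bits are not contiguous."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"not a valid subnet mask (1 bits not contiguous): {mask}")
    return prefix


def network_address(addr, mask):
    """Bitwise AND of address and mask: the network ID."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))


def broadcast_address(addr, mask):
    """Network ID with the host bits set to all 1s."""
    m = ip_to_int(mask)
    return int_to_ip((ip_to_int(addr) & m) | (~m & 0xFFFFFFFF))


def usable_hosts(mask):
    """2^(32 - number of 1s in the mask) - 2: network ID and broadcast are not usable."""
    host_bits = 32 - mask_to_prefix(mask)
    return max(2 ** host_bits - 2, 0)


def is_local(src, mask, dst):
    """True when dst is on the sender's own subnet; otherwise the packet goes to the default gateway."""
    return network_address(src, mask) == network_address(dst, mask)


def host_id_problems(addr, mask):
    """The invalid-host checks of [1.8]: host ID all 0s (network ID) or all 1s (broadcast)."""
    host_mask = ~ip_to_int(mask) & 0xFFFFFFFF
    host_part = ip_to_int(addr) & host_mask
    problems = []
    if host_part == 0:
        problems.append("host ID is all 0s (this is the network ID)")
    if host_part == host_mask:
        problems.append("host ID is all 1s (this is the broadcast address)")
    return problems


def address_kind(addr):
    """Classify an address using the APIPA range, private ranges and classes from the guide."""
    n = ip_to_int(addr)
    first = n >> 24
    if n == 0:
        return "all zeros (lease released and never renewed)"
    if first == 127:
        return "loopback"
    if (n >> 16) == 0xA9FE:  # 169.254.0.0/16 is the APIPA range
        return "APIPA (no DHCP server answered)"
    for net, plen in PRIVATE_RANGES:
        if network_address(addr, prefix_to_mask(plen)) == net:
            return "private"
    if 1 <= first <= 126:
        return "class A public"
    if 128 <= first <= 191:
        return "class B public"
    if 192 <= first <= 223:
        return "class C public"
    if 224 <= first <= 239:
        return "class D (multicast)"
    return "class E (experimental) or reserved"


def digits_to_decimal(digits, base):
    """Positional conversion from [1.9]: each digit times base**position, summed."""
    return sum(int(d, base) * base ** pos for pos, d in enumerate(reversed(digits)))
```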
[1.10] Other points
- Administrator can install on a computer file and print services for Macintosh but only print services for Unix
- TCP/IP is installed by default by Windows setup
- The following are installed as part of simple TCP/IP services: Character Generator, Daytime, Discard, Echo, Quote of the day
- The MAC address cache on a computer can be cleared manually (it refreshes itself every 2 minutes) by issuing arp -d command
- Most computers on the network use DHCP for addressing as it produces less human error than static addressing. Static addressing is used by servers.
Part 2: Troubleshooting and monitoring TCP/IP
[2.1] Analyzing traffic using network monitor
- Frame is an encapsulation of network interface layer (layer 2) data. Each frame contains source and destination computer addresses, header of the protocol used to send data and data itself.
- Packet is an encapsulation of internet layer (layer 3) data
- There are two versions of Network Monitor; the basic version ships with Windows Server 2003. The network administrator needs to purchase the advanced version from Microsoft. The advanced version can capture data from all devices on a network, provided the administrator uses hubs rather than the more common switches.
- Network Monitor is made up of two components, administrative tool called Network Monitor and an agent called Network Monitor Driver
- Network Monitor Driver can be installed by itself on Windows XP/2000/2003 PCs in the same manner as one installs a new protocol
- The monitor can be used to find a NIC’s MAC address, the computer’s GUID and much other useful information
- Parsing is the process of reading, analyzing and describing the contents of frames. Administrator can add new parsers to network monitor by adding parser dll files into %systemroot%\system32\Netmon\Parsers folder and modifying parser.ini file in %systemroot%\system32\Netmon folder. By default network monitor supports over 90 protocols.
[2.2] Problems with TCP/IP connections
- Network Diagnostics is a graphical tool that the administrator can access from the Help and Support tools menu. Users can save its output to a file for examination by the network administrator.
- Netdiag is a command line tool that is used to run different network tests. Administrator needs to install the tool first from the Windows CD, the support tools file is called suptools.msi.
- Tracert – shows the path a packet takes to reach a given destination; this is done by sending ICMP echo requests with increasing TTL values in the IP header. Up to 30 hops; tells the administrator where connectivity stops.
- Pathping – like tracert, shows the path a packet takes to reach a given destination, but also shows a detailed analysis of traffic. Used to troubleshoot erratic network behaviour such as packets being delayed, where tracert is used for network connectivity.
- Arp – used to show the ARP cache on the PC. Sometimes local network computers have wrong MAC addresses for each other cached and thus cannot communicate; use arp to check whether the addresses are correct. To clear the ARP cache use the arp -d command. Arp -a is used to check hardware address mappings; if they check out, look for a hardware problem
- If the administrator is able to ping loopback address, PC own address and the local gateway but no other PCs the problem is most likely with arp cache being corrupted.
- Troubleshooting steps: loopback, local PC, default gateway, remote host by IP, remote host by name.
Part 3: Implementing, configuring and troubleshooting DNS servers
[3.1] Differences between DNS and NetBIOS
- NetBIOS (Network Basic Input Output System) is not a naming system, it is an API that provides naming and name resolution services
- DNS is the preferred name resolution system in Windows, but unlike NetBIOS it needs configuration
- NetBIOS is used for browsing Microsoft Windows Network through My Network Places and connecting to shares using UNC paths (File and Print for Microsoft Networks)
- NetBIOS name space is flat, while DNS is hierarchical
- NetBIOS name – used to identify a NetBIOS service that is listening on the first IP that is bound to the adapter
- Maximum computer name length in NetBIOS is 15 bytes (characters) while in DNS host name can be up to 63 bytes and FQDN up to 255. When the computer name is longer than 15 characters then the NetBIOS name is the computer name’s first 15 characters.
- To view the NetBIOS PC name go to System Properties, Network Identification, Properties and the More button
- Host name – the first label of an FQDN; it identifies just about any network interface with an IP address bound to it
- Primary DNS suffix – also known as primary domain name or the domain name, specified on the computer name tab
- FQDN – the DNS name that uniquely identifies the computer on the network. It is the concatenation of the host name, the primary DNS suffix and a period. The full computer name is a type of FQDN; the same computer can be identified by more than one FQDN, but only the FQDN that concatenates the host name and the primary DNS suffix represents the full computer name.
- NetBIOS resolves names through WINS server, Local NetBIOS cache, NetBIOS broadcast, LMHOSTS file
- DNS resolves names through DNS server or Hosts file (which is part of client cache). Entries added to the hosts file are immediately loaded into resolver cache.
- Both the LMHOSTS and hosts files are located in the %systemroot%\system32\drivers\etc folder
- Nbtstat is used to interact with NetBIOS from the command line: the -c switch lists the local cache contents, -R purges the cache; to view the cache, use nbtstat -n
- DNS is required for Windows 2000/2003 domains (AD) and internet
- NetBIOS is needed by older Windows operating systems, workgroups in Windows 95/98/Me/NT
- NetBIOS is enabled by default for all local area connections, administrator can disable NetBIOS to increase security from TCP/IP properties screen, but users will no longer be able to use computer browser service
- A Windows Server 2003 client computer always tries to resolve names using DNS before NetBIOS
[3.2] DNS as part of Windows Network
- DNS is a hierarchical system based on a tree structure called DNS namespace
- Each DNS namespace has to have a root, which can have an unlimited number of subdomains. The root is an empty string
- Every node in the DNS namespace has a specific address by which it can be identified, called a FQDN
- The dot is the standard separator between domain labels. The dot also separates the root from the subdomains, but it is usually omitted by the end user and automatically added by the DNS Client service during a query.
- On the internet the DNS root and top-level domains are under control of Internet Corporation for Assigned Names and Numbers (ICANN)
- There are three types of internet top-level domains, organizational, geographical and reverse (in-addr.arpa)
- A DNS server can be authoritative for one or more zones, which contain one or more domains. A server is said to be authoritative for a zone if it hosts the zone as a primary or secondary server.
- When the client or DNS service is stopped, its cache is cleared
- DNS client is installed by default, server component is not
- A forwarder is a DNS server that is used to resolve queries external to the server using it
- A conditional forwarder is a DNS server that examines the domain name of the query and forwards it (the query) to specific server based on name asked in the query. All forwarder options are set from the forwarders tab on the DNS server properties dialog box.
[3.3] DNS components
- DNS zone is a portion of a DNS namespace for which a DNS server is authoritative. A server can be authoritative for one or more zones and each zone can contain one or more domains. Zone files store resource records; they are usually text files, but on Windows 2000/2003 administrators have the option of Active Directory integrated zones.
- DNS resolver is a service that uses DNS protocol to query for information from DNS servers. On Windows 2003 this is done by DNS Client Service
- The third component is the DNS server itself. The above breakdown holds for any DNS implementation.
[3.4] DNS server query process
- Each query message contains the following information:
- DNS domain name as FQDN
- Query type, resource record by type or specialized type of query operation
- Specified class for the DNS domain name
- When a user wants to resolve an address, the first place the DNS Client service looks is the computer’s local cache and hosts file
- If local resources don’t resolve the name, DNS client uses server search list to query preferred DNS server, if it is unavailable alternate DNS servers are used according to their positioning on the server preference list
- After receiving a query the DNS server first checks whether it is authoritative for the domain in question; if it is not, it checks its local cache for already performed queries. If that doesn’t resolve the name either, a recursive query is performed.
- For recursive queries DNS server needs to be configured with Root Hints, which by default are stored in file cache.dns in %systemroot%\system32\dns folder
- Server asks the appropriate root server for an address of more knowledgeable server, then it asks that server etc. till it gets the answer. It is like walking the namespace tree.
- The most common responses to the client are: an authoritative answer, a positive answer, a referral answer and a negative answer.
- If recursion is disabled on the server it will send a referral answer back to the client. The client will need to perform iteration (repeated query to different DNS servers – DNS tree walk) to get the answer it seeks.
- After a query the client gets a positive answer that is frequently authoritative the first time around, while subsequent answers are non-authoritative. This is due to the DNS server caching the result of the original query.
- Reverse query – performed by taking an IP address in the form a.b.c.d and presenting a query to the DNS server in the form d.c.b.a.in-addr.arpa. ARPA stands for Advanced Research Projects Agency. Due to lack of vision the first DNS implementation didn’t support reverse queries; PTR records are just pointers to A records.
[3.5] DNS client query process timeout
- DNS client sends a query to preferred DNS server and waits for 1 second for response
- If no response is received the client sends a query to the first server on all adapters and waits for 2 seconds
- If there is still no response, client sends a query to all DNS servers on all adapters and waits for 2 seconds
- If there is still no response, the client sends the query to all servers again and waits for 4 seconds, then again and waits for 8 seconds
- If after performing all of the above steps the client didn’t get any response, it returns a timeout to the calling process
[3.6] Configuring DNS server
- Network administrator can create two types of zones, forward or reverse lookup. In forward lookup zone the FQDN is mapped to an IP address, this is a conventional zone. In reverse lookup zone the IP address is mapped to FQDN
- There are three types of DNS server roles with respect to a zone (i.e. we look at the zone: if our server is primary for that zone we say the DNS server is in the primary role; the same server can also be secondary for a different zone B, in which case it is said to be in the secondary role for zone B):
- Primary – provides original data, can be updated
- Secondary – provides a copy of original data, cannot be updated
- Stub – a copy of a zone containing only those resource records necessary to identify the authoritative DNS servers for the master zone; enables a parent zone to keep an updated list of name servers in the child zone
- Caching only – no zones at all stored on the server
- When the administrator wants to decrease the amount of name resolution traffic while avoiding zone transfer traffic, install a caching-only server
- When DNS server is installed it is automatically configured to act as a caching only server
- When a zone is created it automatically has in it SOA and NS records
- To view the contents of the DNS server cache administrator needs to select ‘Advanced’ from view menu
- In the resource record file, lines that are blank or start with ; (semicolon) are ignored by the DNS server
- Master server is the server from which secondary server got zone information (can be a primary server or another secondary server)
- When DNS server zone data is stored in AD (AD integrated) all DNS servers become peers
- In non-Microsoft implementations of DNS server the secondary zone is also known as the slave zone, while the primary zone is also known as the master zone
[3.7] Resource records
- Resource records have the following syntax: Owner TTL Class Type RDATA
- Owner – the name of the host or the DNS domain to which this resource record belongs
- Time to live (TTL) – a 32-bit integer representing the time the record should be cached
- Class – protocol family in use, optional field, IN (internet class) for Windows based DNS service
- Type – for example A or TXT
- RDATA – this is where actual resource record data is stored
[3.8] Basic resource record types
- Host (A) – most common record type, used to associate computers to IP addresses. Administrator can add them manually, they can be added by DHCP Client service, updated by proxy for older Windows OS and DHCP on Windows Server 2003.
- Alias (CNAME) – also known as canonical name records. These records allow computers to use an alternative name to point to a host. They are quite often abused. They are recommended when a generic service name such as ftp needs to resolve to a group of computers, or when renaming a host.
- MX – mail exchange records point to the mail servers for a given domain; more than one is used for fault tolerance (if the company can afford the extra hardware and software needed)
- PTR – pointer records are used to perform reverse lookups. Reverse lookups are performed in zones rooted at in-addr.arpa. They are created in the same way as A records – the two are the opposite of each other.
- SRV – service locator records are used to specify the location of services in a domain. Windows Server 2003 AD uses SRV records; all the records needed by AD can be found in Netlogon.dns in the %systemroot%\System32\Config folder. If the records need fixing use netdiag /fix.
- NS – name server record is used to indicate which DNS server(s) are designated as authoritative for the zone. Any server specified in the NS record is considered an authoritative source by other servers for given zone. It is able to answer with certainty any queries made for names included in the zone.
- SOA – start of authority indicates the name of origin for the zone and contains the name of the server that is the primary source for information about the zone. It also indicates other basic properties of the zone like the primary DNS server, responsible person, serial number, refresh interval, retry interval, expire interval and TTL. SOA record is always the first record in any standard zone.
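A small parser for the record syntax of [3.7] (Owner TTL Class Type RDATA, blank and ‘;’ lines ignored, SOA first) with lookups for the A, CNAME, MX and PTR records of [3.8] and the d.c.b.a.in-addr.arpa reverse-query name of [3.4]. This is an added example, not the Windows DNS server’s own code; both zones are constructed samples, and the parser assumes every record line carries an explicit owner name.

```python
# Added example: parse zone-file records and answer forward, alias and reverse lookups.
# FORWARD_ZONE and REVERSE_ZONE are constructed samples, not data from the guide.

FORWARD_ZONE = """\
; constructed sample forward zone for example.internal

@      3600 IN SOA   ns1.example.internal. hostmaster.example.internal. 2004061701 900 600 86400 3600
@      3600 IN NS    ns1.example.internal.
ns1    3600 IN A     192.168.2.10
fs1    3600 IN A     192.168.2.20
ftp    3600 IN CNAME fs1.example.internal.   ; alias: generic service name pointing at a host
@      3600 IN MX    10 mail1.example.internal.
mail1       IN A     192.168.2.25             ; TTL omitted: the zone default applies
"""

REVERSE_ZONE = """\
; constructed sample reverse zone for 192.168.2.0/24
@      3600 IN SOA   ns1.example.internal. hostmaster.example.internal. 2004061701 900 600 86400 3600
@      3600 IN NS    ns1.example.internal.
10     3600 IN PTR   ns1.example.internal.
20     3600 IN PTR   fs1.example.internal.
"""

RECORD_TYPES = {"SOA", "NS", "A", "CNAME", "MX", "PTR", "SRV", "TXT"}


def fqdn(name, origin="."):
    """Qualify an owner name: '@' is the origin, a trailing dot means absolute,
    anything else is relative to the origin. DNS names are case-insensitive."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin, default_ttl=3600):
    """Parse 'Owner [TTL] [Class] Type RDATA' lines into record dicts.
    Assumption: every record line starts with an explicit owner name."""
    origin = origin.lower().rstrip(".") + "."
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment; rest of line ignored
        if not line:                          # blank or comment-only lines are skipped
            continue
        fields = line.split()
        owner = fqdn(fields.pop(0), origin)
        ttl = default_ttl
        if fields and fields[0].isdigit():    # TTL is optional
            ttl = int(fields.pop(0))
        if fields and fields[0].upper() == "IN":  # class is optional; only IN handled here
            fields.pop(0)
        if not fields or fields[0].upper() not in RECORD_TYPES:
            raise ValueError(f"line {lineno}: unknown or missing record type: {raw!r}")
        rtype = fields.pop(0).upper()
        if not fields:
            raise ValueError(f"line {lineno}: record has no RDATA: {raw!r}")
        records.append({"owner": owner, "ttl": ttl, "class": "IN",
                        "type": rtype, "rdata": " ".join(fields)})
    if not records or records[0]["type"] != "SOA":
        raise ValueError("a standard zone must start with its SOA record")
    return records


def lookup(records, name, rtype):
    """All RDATA values of the given type owned by the (absolute) name."""
    name = name.lower().rstrip(".") + "."
    return [r["rdata"] for r in records if r["owner"] == name and r["type"] == rtype]


def resolve_a(records, name, max_aliases=8):
    """A records for name, following CNAME aliases; an unresolvable or looping alias yields []."""
    for _ in range(max_aliases):
        addrs = lookup(records, name, "A")
        if addrs:
            return addrs
        aliases = lookup(records, name, "CNAME")
        if not aliases:
            return []
        name = aliases[0]
    return []


def reverse_name(ip):
    """a.b.c.d -> d.c.b.a.in-addr.arpa., the owner name a PTR query asks for."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def resolve_ptr(records, ip):
    """Reverse lookup: host names in the PTR record owned by the reversed address."""
    return lookup(records, reverse_name(ip), "PTR")
```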
[3.9] Configuring client computers for use of DNS
- In order to configure DNS on a client system an administrator needs to do three things:
- The administrator needs to set a host name for each computer that is going to use DNS; it can have up to 63 bytes (for NetBIOS compatibility up to 15 bytes/characters), can only contain letters, numbers and ‘-’, and is not case sensitive
- The administrator also needs to set the primary DNS suffix for each computer; the suffix together with the host name forms the FQDN. It is selected from System Properties -> Computer Name -> Change button -> More; by default it is the same as the AD domain name in which the PC resides
- Finally, the administrator needs to write the list of DNS servers that the client is to use, in order, starting with the preferred DNS server
- The administrator may configure a connection-specific DNS suffix for each adapter on the DNS client PC from the Advanced TCP/IP settings dialog box. This gives a different FQDN to the same computer so it can communicate on a different subnet in addition to its full DNS computer name. For each such FQDN and for the computer name, A and PTR records are created in the appropriate zones and DNS servers.
- If network administrator configures DNS suffix search list then the computer will be able to resolve single-label unqualified names and multiple label unqualified names. By default, the search is performed using primary domain suffix and, if applicable, connection specific suffixes.
- The ipconfig /displaydns command shows DNS cache on client, ipconfig /flushdns clears DNS cache
- When a query is submitted with an unqualified name the client service by default adds to it the primary DNS suffix and checks the query. If that doesn’t work the client adds connection specific DNS suffixes and retries. If there is still no positive response, client adds the parent suffix of the primary DNS suffix to the name and does the final check.
- If the administrator is only able to ping the user computer by IP (from another PC), he can try to use ipconfig /registerdns on Windows XP/2000/2003
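The name-qualification order of [3.9] (primary DNS suffix, then connection-specific suffixes, then the parent of the primary suffix; a configured suffix search list replaces that order) as a function that returns the FQDNs a client would try. This is an added example, not the DNS Client service’s own code; the suffixes are constructed, and two details are assumptions not stated in the guide: a multi-label unqualified name is tried as-is before suffixes are appended, and devolution never goes below a two-label suffix.

```python
# Added example: candidate FQDNs for an unqualified name, following the order in [3.9].
# Suffix values in the tests are constructed for illustration.

def _labels(suffix):
    """Split a suffix into its non-empty labels."""
    return [label for label in suffix.strip(".").split(".") if label]


def candidate_fqdns(name, primary_suffix, connection_suffixes=(), search_list=None):
    """Return, in order, the FQDNs the client would try for `name`.
    A trailing dot marks a name the user already fully qualified: it is tried as-is."""
    if name.endswith("."):
        return [name.rstrip(".")]
    candidates = []

    def add(suffix):
        fq = f"{name}.{'.'.join(_labels(suffix))}" if _labels(suffix) else name
        if fq not in candidates:                # each distinct name is tried only once
            candidates.append(fq)

    if search_list:                             # explicit suffix search list replaces the default order
        for suffix in search_list:
            add(suffix)
        return candidates
    if "." in name:                             # assumption: multi-label names are tried as-is first
        candidates.append(name)
    add(primary_suffix)                         # 1. primary DNS suffix
    for suffix in connection_suffixes:          # 2. connection-specific suffixes
        add(suffix)
    parent = _labels(primary_suffix)[1:]        # 3. parent of the primary suffix
    if len(parent) >= 2:                        # assumption: stop devolving at two labels
        add(".".join(parent))
    return candidates
```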
[3.10] Updating of client records in the DNS
- Windows server 2000/2003 and BIND 8.1.2 or later can accept dynamic updates of A and PTR records performed by clients or on behalf of clients by DHCP server.
- By default, clients with static IP address attempt to update both A and PTR records for all IPs. Registration is based on domain membership settings.
- Windows 2000/XP/2003 computers with a dynamic address (assigned by DHCP) attempt only to update their A records (the PTR record is left for the DHCP server to update if needed). The client contacts the server every 24 hours to update the mapping unless one of the following occurs:
- Computer name changes
- Member computer is promoted to the role of DC
- One of the commands listed is used: ipconfig /release, ipconfig /renew, ipconfig /registerdns
- When the local IP address changes, including IP address lease from the DHCP server
- Computers running an operating system earlier than Windows 2000 (i.e. 95/98/Me) that use a dynamic address have the DHCP server do all the work (both A and PTR records, because the client is unaware of dynamic update functionality). The user can force registration by the client using ipconfig /registerdns.
[3.11] DNS server properties
- Interfaces – which IP addresses the server computer listens on for requests; by default all IP addresses.
- Forwarders – allows setting up upstream DNS servers to which the current DNS server will forward queries. Forwarding selected queries is called conditional forwarding. This tab allows the administrator to disable recursion (on a per-domain basis) for queries that have been sent to a forwarder (by default, if the forwarder fails to resolve, the local server tries to resolve using recursion). When DNS server A has forwarder server B set and server A has recursion disabled, server A is called a slave server, since it is totally dependent on server B (the forwarder) for queries it cannot resolve locally. The default timeout for a forwarded query is 5 seconds.
- Advanced tab – allows enabling and disabling of special features. If the administrator disables recursion here, it is disabled for all queries and forwarders are disabled as well.
- Root hints – this tab contains a copy of the information found in the %systemroot%\system32\dns\cache.dns file. The list of root servers rarely changes; network administrators can get the latest file from ftp://rs.internic.net/domain/named.cache. The administrator should delete this file if the DNS server is a root server, in which case this screen is disabled.
- Debug logging – allows the network administrator to troubleshoot his DNS server by logging selected incoming and outgoing packets. Debug logging is a processor and resource intensive operation.
- Event logging – allows the network administrator to restrict the events written to the DNS event log.
- Monitoring – two basic functionality tests are performed here. The first test is a reverse query targeted at the server itself, the second test is a reverse query targeted at a root DNS server. Administrators can schedule these tests to be performed at regular intervals.
- Security – this tab is available only if the DNS server is also a domain controller; it allows one to set the permissions for the users who are allowed to view, edit and set DNS zone data.
[3.12] Configuring Zone properties
- General tab – used to configure the zone type, zone file name, dynamic updates and aging. Administrators can pause name resolution for a zone. AD-integrated zones have replication settings enabled; the administrator can select to which servers DNS replication data is sent. There are three dynamic update settings for AD-integrated zones: none, non-secure and secure. Aging is the process of placing a time stamp on a dynamically registered resource record and then tracking the record’s age. Scavenging is the process of deleting outdated records. When aging and scavenging are enabled, the zone files are not compatible with Windows DNS servers older than Windows 2000.
- Start of authority (SOA) tab – the administrator can set a serial number, which acts as a revision number; it is used to synchronize zone transfers. The Primary server box contains the full name of the server; it must end with a period. Responsible person is the domain mailbox name for the responsible person and should always end with a period. Refresh interval is the amount of time the secondary server waits before checking the master server for an updated copy of the zone; by default it is 15 minutes. Retry interval is the amount of time (default 10 minutes) the secondary server waits before retrying a failed zone transfer. Expires after is the amount of time a secondary server without contact with the master server continues to answer queries; the default is 1 day, after which the data is considered unreliable. Minimum (default) TTL is the time to live applied to all resource records in the zone; the default is 1 hour. TTL for this record is the TTL for the SOA resource record itself and overrides the general TTL setting above it.
- Name Servers tab – this tab allows the administrator to create NS resource records; they can be created only here (unless created manually). Every zone must contain at least one NS record. In Windows Server 2003, for primary zones, zone transfer is allowed by default only to the servers specified in the Name Servers tab.
- Security tab – ACL that defines who can manage and modify zone file data.
- WINS tab – used to configure WINS servers to aid in name resolution. When the administrator configures WINS, a WINS resource record is added to the zone database. If WINS and DNS servers are set for forward and reverse zones, then data is added to both forward and reverse zones.
- Zone transfer tab – allows the system administrator to restrict the servers to which zone data will be transferred. Primary servers have zone transfers either disabled or limited to the servers on the Name Servers tab. The administrator can also specify by IP address the servers to which data should be transferred. Secondary servers by default don’t allow zone transfers; they need to be enabled first. The ‘to any server’ setting was the default on Windows 2000, but was a huge security hole. The administrator can also notify the secondary servers of a zone file change; notification is enabled by default. There is no need for notification in AD-integrated zones. If the server to which DNS data is to be transferred has multiple IP addresses on the same subnet, then they all have to be included for transfers to be successful.
[3.13] Configuring Zone properties – AD integration
- Application directory partitions are replicated among DCs; the ones applicable to DNS are DomainDnsZones and ForestDnsZones. The name of each application directory partition is the partition name concatenated with the FQDN, for example DomainDnsZones.microsoft.com. The domain application directory partition is replicated to the servers in the domain, the forest application directory partition is replicated to all servers in the forest. The administrator can add new application directory partitions for the use of the DNS server using dnscmd [server] /createdirectorypartition [full partition name (FQDN)]. To enlist other DNS servers in the partition, the administrator needs to issue the command dnscmd [server] /enlistdirectorypartition [full partition name (FQDN)]. There are no application directory partitions on Windows 2000 (this is new to Windows 2003). To work with application directory partitions the administrator needs to be a member of the Enterprise Admins security group.
- There are four options for zone data replication when the administrator chooses to use AD-integrated zones. On the General tab of the zone properties a button is available to change the zone replication scope when the zone is AD-integrated. Zone data can be replicated:
- To all DNS servers in the AD forest – broad scope of replication
- To all DNS servers in the AD domain
- To all DC in AD domain [domain here] – select if Windows 2000 DNS servers are to load AD zone
- To all DCs specified in the scope of the following application directory partition – replicates as the named application directory partition does; if the zone is to be stored in a specified application directory partition, the DNS server hosting the zone must be enlisted in the partition that contains that zone.
- Secure dynamic updates can be performed only in AD-integrated zones; they use Kerberos for security. Only computers running Windows XP/2000/2003 are capable of secure updates.
- DnsUpdateProxy group – used to solve a problem that occurs with secure dynamic updates. The computer that registered a record becomes its owner and is the only PC that can update it. Thus, for example, if the DHCP server registers an A record for a PC, the DHCP server becomes its owner, not the PC to which the A record points. When the DHCP server is a member of the DnsUpdateProxy group it is prevented from taking ownership of the record – an unsecured entry exists until the real owner takes ownership of it.
- Only primary zones can be AD-integrated. Secondary zones are always stored as text files; there are no AD-integrated secondary zones, since AD integration makes all servers peers.
[3.14] Advanced DNS server properties
- Disable recursion – the DNS server uses recursion to resolve client queries if this option is left in its default (disabled) state. When the option is enabled the DNS server does not answer the query on behalf of the client but instead provides the client with referrals. When recursion is disabled the DNS server is not able to use forwarders.
- BIND Secondaries – when enabled, the DNS server does not use the fast transfer format when performing a zone transfer to a secondary server based on BIND. This allows compatibility with older versions of BIND; versions 4.9.4 and later support fast zone transfer and this option should be disabled for them. The fast transfer format is efficient: it allows data compression and multiple records per TCP message, and it is always used among Windows-based DNS servers. This option is enabled by default.
- Fail on Load if Bad Zone Data – when this option is disabled (default setting) the DNS server loads the zone even if errors are found in the database file. Any errors that occur are logged. When the option is enabled, a damaged zone database stops the load operation.
- Enable netmask ordering – when selected (default setting), this option makes sure that when a client query matches multiple A records, the one in the client’s subnet is returned first in a response list that contains all matching records. This option is also sometimes referred to as the LocalNetPriority option (the name used for it in the dnscmd utility).
- Enable round robin – this setting (enabled by default) ensures that for a query that matches multiple A records the first entries in the returned response list rotate between queries. This method is used as a poor man’s network load balancing. Local subnet priority is taken into consideration before round robin. When round robin is disabled, records are returned in the order they appear in the zone file.
- Secure cache against pollution – this setting (enabled by default) prevents the DNS server from accepting referrals that might pollute its cache or be insecure. The server caches only those records whose name corresponds to the domain for which the original query was made; any others are discarded.
- Name checking – the default setting of Multibyte (UTF8) ensures that the DNS server verifies that all domain names conform to the Unicode Transformation Format (UTF). Use Strict RFC if the server cannot work with UTF; the other two options (All names and Non RFC) are only for special circumstances.
- Load zone data on startup – specifies where initial zone data is loaded from; by default it is from Active Directory and the registry. The other storage options are the registry alone or a file. The file option is for BIND-based DNS servers; the file is usually named Named.boot, in the older BIND 4 format (not BIND 8).
- Enable automatic scavenging of stale records – this option is disabled by default; when enabled, the DNS server performs scavenging of stale records automatically at pre-defined time intervals.
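The netmask ordering and round robin settings above can be modelled together. This added Python example (not Windows DNS code) orders A-record answers as the guide describes: round robin rotation first, then records on the client’s subnet moved to the front. The /24 “same subnet” test, the record addresses, the client address and the per-name query counter are assumptions for the example.

```python
from ipaddress import ip_address, ip_network
from typing import List


def same_subnet(addr: str, client_ip: str, prefix_len: int = 24) -> bool:
    """True when addr and client_ip fall in the same network (assumed /24 here)."""
    net = ip_network(f"{client_ip}/{prefix_len}", strict=False)
    return ip_address(addr) in net


def round_robin(records: List[str], query_number: int) -> List[str]:
    """Rotate the list so successive queries start at successive entries."""
    if not records:
        return []
    shift = query_number % len(records)
    return records[shift:] + records[:shift]


def order_answers(records: List[str], client_ip: str, query_number: int,
                  netmask_ordering: bool = True, rr: bool = True) -> List[str]:
    """Return the answer list as the server would hand it to the client.

    records          A-record target addresses in zone-file order
    client_ip        source address of the query
    query_number     how many queries for this name were answered before this one
    Round robin (if enabled) rotates the list; netmask ordering (if enabled)
    then moves records on the client's subnet to the front, keeping their
    relative order. With both disabled the zone-file order is returned.
    """
    answers = list(records)
    if rr:
        answers = round_robin(answers, query_number)
    if netmask_ordering:
        local = [a for a in answers if same_subnet(a, client_ip)]
        remote = [a for a in answers if not same_subnet(a, client_ip)]
        answers = local + remote
    return answers


if __name__ == "__main__":
    # Constructed sample: one name with four A records, client on 10.0.1.0/24.
    records = ["10.0.1.10", "10.0.2.10", "10.0.1.20", "10.0.3.10"]
    for n in range(3):
        print(n, order_answers(records, "10.0.1.55", n))
```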
[3.15] Creating zone delegations
- When the administrator delegates a zone he assigns a portion of the authority over the main DNS namespace to subdomains within the main namespace. The responsibility is passed from the parent domain to the subdomain.
- The network administrator should consider delegation when:
- There is a need for hosts whose names are structured around department affiliation
- Central company administrative body wants departments to handle their own business
- Network traffic is creating the need to distribute query load on multiple DNS databases
- The parent zone needs to contain the A record and the NS record of the child zone; both records are created automatically when a new delegation is created. The glue record (the A resource record) is hidden from the administrator’s view, but it is still there.
- The NS record is known as the delegation record; it advertises the name server and performs the actual delegation. The A resource record is known as the glue record; it is needed if the authoritative server is itself in the delegated zone.
- Delegation takes precedence over forwarding, i.e. if a server knows of a child zone that can answer the query it contacts that child rather than forwarding the query.
[3.16] Stub Zones
- A stub zone is a stripped-down copy of a zone, updated at regular intervals, that contains only the NS records belonging to the master zone. As a result, the server that hosts the stub zone doesn’t answer queries for it directly; instead it directs queries to the name servers specified in the stub zone’s NS records.
- A stub zone keeps all NS records from the master zone current. When the administrator configures a stub zone he needs to specify at least one name server whose IP address doesn’t change. Any further name servers added to the master zone are added automatically through zone transfer. The administrator is unable to modify the stub zone data directly; the data is modified automatically when the master zone changes.
- When delegating control of a zone to another server, the master server will not learn of new servers added to the child zone. The administrator needs to set up a stub zone for the child on the master server to ensure that the master server learns of the new name servers in the child zone.
- Stub zones can also be used to provide additional connectivity across domains without the redundancy provided by secondary servers. Enhanced connectivity is achieved without an increase in replication traffic.
- A stub zone contains SOA, NS and glue A resource records for the authoritative DNS servers of the zone. The SOA record points to the master server, the NS records point to the other name servers, and the A records hold the IP addresses of the authoritative servers.
- The stub zone name resolution process: a client queries a server with a stub zone and the DNS server uses the stub zone’s resource records in resolution. The authoritative servers listed in the stub zone are contacted; if they cannot be reached, standard recursion is performed. The response from the stub zone’s authoritative server is not placed in the stub zone but cached, with the TTL as in the stub zone’s SOA record.
- Stub zones offer the following advantages:
- Stub zones improve name resolution by allowing the server to perform recursion without using the root servers.
- They keep foreign zone information current: by updating the stub zone at regular intervals the zone keeps an accurate list of the name servers in the child zone.
- They simplify DNS administration by distributing zone information without the need for secondary zones.
[3.17] Understanding DNS troubleshooting tools
- Nslookup is a command line tool used for querying DNS servers. In interactive mode the commands entered are case sensitive. Here is a short description of the more advanced options available:
- The command set q=[recordtype|any] is used to search for specific record types.
- To use a different server, use “server new_server_name”.
- The network administrator can use the ‘ls’ command to simulate a zone transfer; all data can be listed. Note that by default on Windows Server 2003 zone transfers are restricted to approved hosts only. The -a switch returns aliases and canonical names, -d returns all data, -t filters by type.
- The DNS debug log is found in the %systemroot%\system32\dns folder and is named Dns.log. The administrator should view this file when the DNS service is stopped. The default file format is RTF; to open it the user needs WordPad (not Notepad or another basic text editor). By default only DNS errors are logged, but the administrator can change that from the Debug logging tab of the DNS server properties.
- The DNS event log logs everything by default; the administrator can change that default behaviour using the Event Logging tab in the DNS server properties. This is a standard Windows log file and all size and filtering options are the same as for any other log.
- The Support Tools include a utility called DNSLint which is useful when troubleshooting delegation issues.
- The dnscmd tool includes two useful troubleshooting switches, /clearcache and /info (whose actions are self-explanatory).
[3.18] Stale records
- Stale records (records that are no longer valid) can be left on the server. One common way this happens is when a client PC is not given the chance to clean up after itself, for example because it is improperly disconnected from the network.
- The following features of the DNS server in Windows 2003 help system administrators get rid of stale records:
- Records in a primary zone can have a time stamp attached to them (as per the DNS server’s time); manually added records have a time stamp value of zero, indicating that they don’t age.
- Records are aged as per TTL. Secondary zones are scavenged by the primary server.
- If stale records persist on the system, they may cause the following problems:
- Improper name resolution, e.g. a FQDN prevented from being used by another PC
- Poor server performance: too many records to search and very large zone files to transfer
[3.19] Using DNS monitoring tools
- To monitor the resource impact of the DNS server on the PC, use Performance Monitor, perfmon.exe. The DNS object includes 62 different counters that the computer can keep track of.
- For AD-integrated zones there is the option of using AD native monitoring to trace the replication traffic. Replmon.exe from the Windows Support Tools is used to monitor and troubleshoot AD replication.
- The replication monitor displays 5 or more directory partitions; the administrator needs to find out in which one the DNS zone data is stored. The command dnscmd /zoneinfo [domain name] can be used to find zone information. Once the directory partition is known, the administrator can use the replication monitor to force zone replication – right-click the directory partition and choose Synchronize with all servers. Any general replication errors are displayed by the replication monitor.
- For more advanced AD debugging, use the repadmin utility provided as part of the Windows Support Tools.
[3.20] Improving DNS server performance
- By installing a caching-only server close to the clients, the load on the primary and secondary servers is greatly decreased.
[3.21] Other points
- The DNS cache is cleared each time the DNS service is restarted. The DNS cache can also be cleared using dnscmd /clearcache from the command line.
- The DNS server test consists of a single reverse lookup of the loopback device; if it fails, make sure you have a record named ‘1’ in the reverse lookup zone 0.0.127.in-addr.arpa. Another test checks recursive DNS.
- A zone transfer can be started when one of the following four events occurs:
- The refresh interval of the primary zone’s SOA record expires
- The secondary server boots up (DNS service is restarted)
- A change occurs in the configuration of the zone records on the primary server and it notifies the secondary of the change
- The DNS console is used at the secondary server to manually initiate a transfer of the zone from its master server
- A zone transfer is by default an incremental zone transfer (IXFR), which transfers only the changed records; it is described in Request for Comments (RFC) 1995. Some older DNS servers that don’t support IXFR use a full zone transfer (AXFR), which is also supported by Windows Server 2003. The older standard transfers the whole zone database.
- Stub and secondary zone update operations explained:
- Reload – reloads the zone from the local storage of the DNS server hosting it
- Transfer from Master – the server hosting the zone checks its SOA record for expired data and performs a zone transfer from the zone’s master server
- Reload from Master – this operation performs a zone transfer from the zone’s master server regardless of the serial number or expiry date in the zone’s SOA record
Part 4: Implementing, configuring and troubleshooting DHCP servers
[4.1] Configuring DHCP server
- A DHCP server allows the system administrator to automatically assign IP addresses, subnet masks and other configuration information, like DNS and WINS servers, to client computers on the local network.
- Through the use of a DHCP server network administrators save the time required for configuration and re-configuration of computers.
- The administrator should install the DHCP service on a computer that has been assigned a static IP address (this prevents clients from having to look all over the subnet to get their addresses renewed).
- You need to have administrative privileges to install and administer a DHCP server.
- You need to authorize your DHCP server if it is to be integrated into an AD network (the person authorizing the DHCP server needs to be a member of the Enterprise Admins security group). Stand-alone DHCP servers can still be deployed, but they should not share a subnet with authorized DHCP servers. Stand-alone servers that are deployed together with authorized servers are called rogue servers. A rogue server automatically stops its DHCP service when it detects an authorized server on the subnet.
- A DHCP scope is a pool of IP addresses within a logical subnet which the DHCP server assigns to its clients. Scopes provide for IP address management.
- When an IP address is offered to a client, the IP address is said to be leased. Once the lease is made it is said to be active. Leases are renewed for different reasons; the client tries to renew when 50% of the old lease has expired.
- The DHCP server has to have an IP address compatible with the scope it is assigned, i.e. the server itself has to be in the scope.
- The 80/20 rule – to provide fault tolerance in an environment with two DHCP servers, the first server (A) should have 80% of the addresses for its local subnet and 20% of the addresses for the subnet on which the other DHCP server (B) is present. The same assignment is repeated on server (B), which gets 80% of the addresses in its own subnet and 20% of the addresses in the subnet on which server (A) is present. This concept applies when 2 or more DHCP servers are present.
- Reservations are placements in the scope reserved for specific computers. You reserve an IP address for a specific network adapter using its MAC address. To create a new reservation, open the scope in which you want to create it, right-click Reservations and select New Reservation. Reservations cannot be used interchangeably with manual static configurations. Reservations don’t work when the address is simultaneously reserved and excluded. Reservations are used as an alternative to static addresses for computers that are not essential to network function (i.e. not critical servers).
- The scope needs to be activated before the server can hand out addresses (for AD integration the server also needs to be authorized). To activate a scope, open the DHCP console, select the scope you want to activate and from the Action menu select Activate.
- Exclusion range – a group of IP addresses residing in the scope that the administrator doesn’t wish to be leased to DHCP clients.
- DHCP is an extension of the Bootstrap Protocol (BOOTP). The Microsoft DHCP server can assign addresses to BOOTP clients.
[4.2] DHCP scope options
- DHCP options can be configured at the reservation, scope and server level. To configure options for a reservation, select it and from the Action menu choose ‘Configure Options’. To configure options for a scope, select the Scope Options folder and then ‘Configure Options’. To configure server options, select the Server Options folder and then ‘Configure Options’.
- There are more than 60 different options available on the DHCP server; the most common (and important) ones are:
- 003 Router – IP addresses of routers on the same subnet as the client, used by the client for packet forwarding
- 006 DNS servers – IP addresses of DNS servers
- 015 DNS domain name – the domain name DHCP clients should use when resolving unqualified names during DNS name resolution; allows for client dynamic DNS update
- 044 WINS/NBNS servers – IP addresses of WINS servers
- 051 Lease – special lease option for remote clients
- Options set on the DHCP server take effect when clients renew or obtain a new lease.
[4.3] DHCP scope features
- Scope name page – you can give your scope a name
- IP address range – you define the starting and ending IP address of the scope and the subnet mask. You should choose a consecutive address range of the subnet and later exclude the addresses of computers with static addresses.
- Add exclusions – these are the addresses that will not be leased to DHCP clients
- Lease duration – length of the lease
- Configure DHCP options – whether to configure DHCP options for the scope through further pages in the wizard or later in the DHCP console; you can configure options at the reservation level, scope level or server level. There are more than 60 different DHCP options.
- Router (Default Gateway) – optional, which default gateway should be assigned to DHCP clients
- Domain name and DNS servers – optional, which domain will be assigned as the parent domain and which DNS servers will be given to the DHCP client
- WINS servers – optional, addresses of WINS servers that are to be assigned to the DHCP client
- Activate scope – optional, whether the scope will be activated after the DHCP wizard finishes
[4.4] Managing DHCP server
- To change the DHCP server status, open the DHCP console, go to the Action menu and select one of Start, Stop, Pause, Restart and Resume.
- You can also use the Net command to change the status of the DHCP server; the command line syntax is Net [operation like start/stop/pause/continue] DHCP_server.
- You can manage the DHCP server from the command line using the netsh command line tool with the dhcp subcommand.
- A superscope is an administrative grouping of scopes that is used to support multiple logical subnets, also known as multinets, on a single network segment. Superscopes exist on one physical network and work with multiple logical networks. This method is used for the DHCP server to provide clients with addresses from multiple scopes. The administrator needs to delete the superscope before deleting any scope contained within it. A superscope groups scopes that can be activated together; it doesn’t carry any details about the scopes.
- To move a scope to a new addressing range, first create a new scope with the new range, then activate it and deactivate the old scope. Either manually or by waiting, make sure all clients move to the new scope, then delete the old scope.
- If a superscope is not defined on a server, then only one scope can be active at a time.
- In order for the DHCP server not to assign an already-assigned IP address to a new client, DHCP has conflict detection (Advanced tab of the DHCP server properties), in which the server pings the address it is about to assign in order to check whether it is free.
- Multicast scope – regular DHCP scopes provide client configurations by allocating ranges of IP addresses from the standard classes (A, B or C). The multicast address range uses an extra address class, D, IP addresses from 220.127.116.11 to 18.104.22.168, for use in IP multicasting. In every TCP/IP network each host gets its own IP address from the regular address classes. The unicast IP address is assigned before the host can support and use secondary IP addresses, such as a multicast IP address. Multiple PCs can share the same multicast IP address. On private networks it is recommended to start with the 22.214.171.124 range. When a packet is sent to a destination that is a multicast address it is delivered to all PCs that have that address. Multicast scopes are supported through the use of MADCAP (Multicast Address Dynamic Client Allocation Protocol).
- The DHCP server backs itself up automatically every 60 minutes; you can also do a manual backup. A manual backup is performed with the Backup command in the DHCP console. When the backup is made the whole DHCP database is saved. Some things, like credentials, are not saved. The default manual backup location is %systemroot%\system32\dhcp\backup. The following data is backed up: all scope information including superscopes and multicast scopes, reservations, leases and all options. The database file is called DHCP.mdb.
- To change the backup behaviour of the DHCP server, one needs to edit the following registry keys:
- To migrate a DHCP server all you need to do is move the database: simply back it up and then restore it on the new computer.
- Jetpack.exe is a tool that supports offline compaction and repair of Jet databases such as the DHCP or WINS database. You can use dynamic compacting of the DHCP server database without the need to bring the server offline, but offline defragmentation is more efficient. Compacting should be done whenever the database size grows beyond 30 Mb or you get corruption errors.
- Option class – the way the DHCP server manages options provided to clients within a scope. When an option class is added, clients of that class can get class-specific configuration options. There are two types of classes, vendor classes and user classes:
- A vendor class is used to assign vendor-specific options to clients that share a common vendor
- A user class is used to assign options to clients that share user-defined similarities
- The DHCP server has a default user class called ‘Default routing and remote access’. Options in this class apply only to clients that request an address while connecting through Routing and Remote Access. You can set different options; for example you can assign shorter leases to the clients connected remotely (this is option number 051 Lease).
- To create your own user or vendor class, open the DHCP console, right-click the DHCP server and select ‘Define User classes’. After defining a new class you need to assign an ID and options to it. On the client side you need to make sure the clients know what class they are in; you do this by executing ipconfig /setclassid. To view all classes allowed by the DHCP server execute ipconfig /showclassid.
[4.5] DHCP and DNS working together
- Windows 2000 and later computers try to register their own A record, but they ask the DHCP server to register the PTR record.
- By default the DHCP server only attempts to update client records if such an operation is requested by the client computer.
- You can also configure the DHCP server to attempt to update A and PTR records regardless of client requests.
- By default the DHCP server discards the A and PTR records when the lease expires (you can set it so they are kept).
- By default the DHCP server does not perform dynamic updates on behalf of older Windows clients that don’t request updates to be done.
- The update settings are configured on the DNS tab of the DHCP server properties.
- DnsUpdateProxy is a security group that causes records updated or created by its members to be created without security settings (objects created by members of this group have no security-related settings). When a DHCP server that is not a member of the group modifies or creates an entry in DNS, it becomes the owner of that entry and only it can change the entry. This may create problems, for example a client cannot modify a record because the server took ownership of it. Membership of the DHCP server in this group solves such stale record problems.
- Use of the DnsUpdateProxy group might also cause problems if the DHCP service is installed on a DC, since all records created are not secure (the same holds for the A records of non-DC DHCP servers, but one can modify these manually, giving them an owner). In particular, the records created by the DC’s Netlogon service would not be secure.
[4.6] Analyzing DHCP server traffic
- Communication between DHCP server and DHCP client for lease:
- Client seeking IP address brodcasts on the network DHCPDISCOVER message
- Any DHCP server that receives the message and has available IP addresses sends a DHCPOFFER for a period of time called lease
- If no DHCP servers are available, the client can use APIPA or use alternative configuration, older clients fail to initialize and continue to send DHCPDISCOVER messages every 4 times per 5 minutes
- Client selects one of the offers and brodcasts DHCPREQUEST indicating its selection
- DHCP server sends DHCPACK message to the client with possible configuration information like DNS server IPs
- Communication between DHCP server and DHCP client for lease renewal:
- The client computer sends a DHCPREQUEST message to the server that leased it the IP address; the message contains the FQDN of the client computer. The DHCPREQUEST message is also used by the client to request dynamic updates from the DHCP server.
- If the DHCP server can be reached, it sends a DHCPACK message back indicating renewal of the current lease (or remains silent)
- If the DHCP server cannot be reached, the client waits until it reaches the rebinding state, which usually occurs 7 days after the last lease renewal. When that state is reached the client attempts to renew with any available DHCP server.
- If a server responds with a DHCPOFFER message the client renews the lease and continues its operation
- If the lease expires and the client hasn't renewed it, the client ceases to use the leased IP address and then tries to obtain a new IP address lease.
- The DHCP server can also issue a DHCPNACK response indicating that the requested IP address is unavailable. In this case lease renewal fails and the client is forced to initiate a new lease request process.
[4.7] DHCP audit logging
- In its default configuration the DHCP server writes daily audit logs to the folder %systemroot%\system32\dhcp. The text files that are created there are named after the day of the week they were created on. You can modify file location from the advanced tab of the DHCP server properties. The files are in the format DhcpSrvLog-[3-letter day of the week abbreviation].
- You can turn logging off on the general tab of DHCP server properties. By default, the largest log file is 1Mb and logging stops if the amount of disk drive space falls under 20 Mb.
- The log file entry contains the ID, date, time, description, IP address, host name and MAC address. A CSV format is used for columns, some may be blank.
- The log file contains a summary of the event IDs that show up in the main body of the log file up to event ID 50. Event IDs that have number above 50 are used for AD authorization issues.
[4.8] DHCP problem resolution
- The first step in fixing DHCP-related problems is to make sure there is no problem with the client; use the ipconfig command to verify connectivity. If an address conflict occurred you will be warned of this by a system tray warning popup as well as an address conflict event in the system log.
- Dhcploc.exe can be used to locate DHCP servers, including rogue servers; this utility is part of the Windows Support Tools. To list AD-authorized servers only, use the command netsh dhcp show server.
- The repair button on the remote connection information screen performs these functions:
- Broadcast DHCP Request message to renew the lease, if this computer is a DHCP client
- Flush the arp cache, the same thing as arp -d
- Flush NetBIOS cache, same as nbtstat -R
- Flush DNS cache, same as ipconfig /flushdns
- Register computer with WINS server, same as nbtstat -RR
- Register computer with DNS server, same as ipconfig /registerdns
- If the computer fails to connect to DHCP server make sure the network medium is up and the DHCP server is operational. Make sure the scope is active and that it still has leases available for its clients.
- The DHCP server knows from which scope to assign an address by looking at the address of the RFC 1542-compliant router added to the discovery packet sent out by the client computer (no extra IP added means the local subnet)
- If a client gets an IP address from the DHCP server but it is from the wrong scope, verify with the dhcploc utility whether competing DHCP servers are present. Make sure all authorized servers are leasing from non-overlapping ranges. A single DHCP server can have multiple scopes active on it; scopes not native to the DHCP server's subnet are used for remote clients. DHCP matches remote clients to their scope when an RFC 1542-compliant router or DHCP relay agent is properly configured. The DHCP request message contains a field named 'giaddr' which holds the originating subnet's address; when it is empty the client is assumed to be local and is assigned an address from the local scope.
- For a server to hand out addresses it must be on the same subnet as its clients and the DHCP service must be bound to the connection; this is checked from the Advanced tab in server properties.
- Make sure the scope is active and that the scope's network ID matches that of the DHCP server. Also, though it sounds trivial, make sure the DHCP server has some addresses available for lease. To accommodate more users you can simply shorten the lease duration. Don't forget exclusions for static addresses and reserved addresses.
- If the problem lies within the DHCP database, you will need to reconcile the DHCP data for one or all scopes. The data is stored in detailed and summary form on DHCP server, when reconciling the data in these two forms is compared.
- You can also use the jetpack utility to perform database compaction or use netsh dhcp server set databaserestoreflag 1
- When the administrator needs to renew IP addresses on a few computers he can issue the command ipconfig /renew on each one of them; when there are more computers it is easier to just reboot them using the shutdown /i command line utility (which shows a GUI).
- To quickly get the MAC address of any computer, including remote PCs, use the getmac /s /v [server name] command line utility
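The lease exchange in [4.6] and the giaddr-based scope selection in [4.8], as an added example that is not part of the guide: a small Python simulation of a DHCP server choosing a scope, then offering, acknowledging or refusing an address. Scope ranges, MAC addresses and the relay agent address are constructed, and the class and method names are this example's own.

```python
# Added example (not from the guide): scope selection and lease exchange as
# described in [4.6] and [4.8]. Scope ranges, MAC addresses and the relay
# agent address below are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Scope:
    network: ipaddress.IPv4Network
    pool_start: ipaddress.IPv4Address
    pool_end: ipaddress.IPv4Address
    exclusions: set = field(default_factory=set)      # statically assigned hosts
    reservations: dict = field(default_factory=dict)  # MAC -> fixed address
    leases: dict = field(default_factory=dict)        # address -> MAC holding it
    active: bool = True


class DhcpServer:
    def __init__(self, local_network, scopes):
        self.local_network = ipaddress.ip_network(local_network)
        self.scopes = scopes
        self.offers = {}  # MAC -> address offered but not yet requested

    def select_scope(self, giaddr):
        """Empty giaddr (0.0.0.0) means the packet came from the server's own
        subnet; otherwise an RFC 1542 router or relay agent filled giaddr with
        the originating subnet's address and the matching remote scope is used."""
        target = ipaddress.ip_address(giaddr)
        for scope in self.scopes:
            if target == ipaddress.ip_address("0.0.0.0"):
                if scope.network == self.local_network:
                    return scope
            elif target in scope.network:
                return scope
        return None

    def _conflict(self, scope, mac, addr):
        """addr is excluded, leased to another client or reserved for another."""
        holder = scope.leases.get(addr)
        owner = next((m for m, a in scope.reservations.items() if a == addr), None)
        return (addr in scope.exclusions or holder not in (None, mac)
                or owner not in (None, mac))

    def _free_address(self, scope, mac):
        if mac in scope.reservations:                # reservation wins over the pool
            return scope.reservations[mac]
        addr = scope.pool_start
        while addr <= scope.pool_end:
            if not self._conflict(scope, mac, addr) and addr not in self.offers.values():
                return addr
            addr += 1
        return None                                   # scope exhausted

    def handle_discover(self, mac, giaddr="0.0.0.0"):
        """DHCPDISCOVER -> DHCPOFFER, or silence (None) when no scope applies,
        the scope is inactive or nothing is free (client falls back to APIPA)."""
        scope = self.select_scope(giaddr)
        if scope is None or not scope.active:
            return None
        addr = self._free_address(scope, mac)
        if addr is None:
            return None
        self.offers[mac] = addr
        return ("DHCPOFFER", str(addr))

    def handle_request(self, mac, requested):
        """DHCPREQUEST (initial lease or renewal) -> DHCPACK, or DHCPNAK
        (the guide writes DHCPNACK) when the address is unavailable."""
        addr = ipaddress.ip_address(requested)
        self.offers.pop(mac, None)
        for scope in self.scopes:
            if scope.active and addr in scope.network:
                if self._conflict(scope, mac, addr):
                    return "DHCPNAK"
                scope.leases[addr] = mac              # grant or renew the lease
                return "DHCPACK"
        return "DHCPNAK"

    def expire_lease(self, requested):
        """Lease ran out without renewal: the address returns to the pool."""
        addr = ipaddress.ip_address(requested)
        for scope in self.scopes:
            scope.leases.pop(addr, None)


def build_demo_server():
    """Constructed topology: the server sits on 192.168.1.0/24 and also serves
    10.0.5.0/24 through a relay agent whose interface address is 10.0.5.1."""
    local = Scope(ipaddress.ip_network("192.168.1.0/24"),
                  ipaddress.ip_address("192.168.1.10"), ipaddress.ip_address("192.168.1.20"),
                  exclusions={ipaddress.ip_address("192.168.1.10")},
                  reservations={"00-11-22-33-44-bb": ipaddress.ip_address("192.168.1.50")})
    remote = Scope(ipaddress.ip_network("10.0.5.0/24"),
                   ipaddress.ip_address("10.0.5.10"), ipaddress.ip_address("10.0.5.20"))
    return DhcpServer("192.168.1.0/24", [local, remote])
```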
Part 5: Implementing, configuring and troubleshooting routing and remote access in Windows networks
[5.1] Chapter definitions
- Routing is the process of transferring data from one local area network to another local area network
- Bridge is a network connection that connects two or more network segments and shares traffic as necessary according to hardware addresses. A bridge is a layer two device (data link).
- Router is a device that receives and forwards traffic according to software addresses. A router is a layer three device according to OSI model.
- Network interface is a software object that connects to a physical device such as modem or network card
- Demand dial interfaces – these are interfaces such as VPN, persistent dial-up connection and PPPoE connection. New demand dial interfaces are added through Network Interfaces node.
- Windows includes a software router called the Routing and Remote Access service. This is a multiprotocol router capable of LAN-to-LAN, LAN-to-WAN, VPN and NAT routing through IP networks. It also supports routing features such as IP multicasting, demand-dialing, packet filtering, DHCP relay, and built-in support for RIP 2 and OSPF.
- Unnumbered connections – connections in which one or both of the logical interfaces fail to obtain an IP address. Unnumbered connections happen mostly with demand-dial connections when one (or both) routers don't support APIPA
- NAT stands for network address translation and is a service that is part of a router in which the header information in IP datagrams is modified by the router before being sent out. This allows many computers with private addresses to share a single public IP and still be able to surf the net.
[5.2] Routing with Routing and remote access
- The server computer needs to be configured with Routing and Remote Access since it is installed in a disabled state. It will detect all installed network adapters and configure them. However, the system administrator will need to set up all additional VPN and dial-up connections since they are not pre-configured during setup.
- When you add a new network card to already configured Routing and Remote access service, you will need to add a new interface through Routing and Remote access console
- The number of network segments to which R&R access can act as a router is limited by the number of interfaces installed on the server.
- Routing and Remote access properties for the IP routing node:
- The general tab allows the network administrator to configure R&R access service as LAN router, demand dial router or remote access server.
- The security tab allows the network administrator to configure authentication methods, connection request logging and preshared keys for IPSec protocol. All options set on the security tab are applied to remote access clients and demand dial routers.
- The IP tab allows the network administrator to configure how IP packets are routed over LAN, remote access or demand-dial connections. You have an option to use DHCP server to assign IP addresses to remote hosts. If the DHCP server is not on the same PC as the R&R access service it must be connected through DHCP relay agent. If you don’t have a DHCP server close at hand you can use static address pool, R&R access service will act as a DHCP server. The “Enable Broadcast Name Resolution” check box when checked enables R&R access clients to resolve computer names on all network segments connected to R&R access server without the help of DNS or WINS servers, this option is enabled by default and it works by permitting NetBT broadcasts from remote clients.
- The PPP tab allows the network administrator to authenticate and negotiate dial-up connections. You can enable or disable following options: Multilink connections, Link control Protocol (LCP) extensions, software compression and Dynamic Bandwidth Control with BAP or BACP, all options are enabled by default.
- Multilink connections allow multiple physical links to operate as a single logical link increasing the bandwidth
- Dynamic Bandwidth Control with BAP or BACP – when bandwidth demands change, multilink connections are created or dropped to accommodate them; both protocols work together to provide bandwidth on demand (BOD)
- Link Control Protocol (LCP) Extensions – support for advanced PPP features such as callback; disable if the client is older and cannot use these advanced features
- Software compression – software-based compression of data; leave on unless the modem used can compress data at the hardware level (no need to do idle work at the software level)
- The Logging tab allows the administrator to select the events to be logged; by default only errors are written to the log file. Log files are located in the %systemroot%\tracing directory.
- IP routing properties, accessed from General Properties dialog box associated with general subnode of IP routing node
- Logging tab – which IP routing events are to be logged, by default only errors are logged
- Preference levels tab allows the administrator to assign a priority to routes collected from various sources. When two different sources provide conflicting routing information only one source’s data can be entered into the routing table, this data comes from the source with higher priority setting. The highest priority is 120, lowest is 1.
- Multicast scopes – add/remove multicast scopes (to add new scope provide its name, base IP address and mask)
- The Routing and Remote Access server supports SLIP and PPP for serial asynchronous connections. PPP (Point-to-Point Protocol) provides advanced features (such as IPX, NetBEUI and TCP/IP support, and encrypted authentication if configured) not found in the Serial Line Internet Protocol (SLIP)
[5.3] Routing tables explained
- There are three types of routes that one finds inside a routing table:
- Default route – there is a single entry for this route in the table, the address provided is used as a destination for packets whose address doesn’t match any other entry in the routing table. This route is indicated by both address and network mask of 0.0.0.0
- Host route – provides route to a specific host or a broadcast address, this type of routes is marked by network mask of 255.255.255.255
- Network route – provides route to a specific network, this type of routes can have a subnet mask between 0.0.0.0 and 255.255.255.255
- To view the routing table of any computer (every computer has one) from the command line, type route print
- Routing tables are organized into five columns, which are in the following order: Network destination, Netmask, Gateway, Interface and Metric
- Network Destination – the router compares entries in this column with the destination address of every IP packet. The 0.0.0.0 entry is the default route and 127.0.0.1 is the loopback device. The 224.0.0.0 entry refers to the multicast route. Entries with a last octet of 255 represent broadcast addresses; 255.255.255.255 is the limited broadcast address, which is general for all networks and routers, and the other broadcast addresses are limited broadcast addresses.
- Netmask – the value of this column determines which part of the IP address packet’s destination is compared to the entries in the Network Destination column. The closest match determines the route that the packet will be given
- Gateway – the value represents the address the packet will be sent to if this particular route is chosen. The address should be different from the Network Destination value on the same row in the table. The gateway is the direction a packet takes on its voyage to the destination address (network destination); it is logical that the direction one must take to arrive at X is different from X itself.
- Interface – the value of the local network interface that will be used to transport the packet if this route is chosen
- Metric – the cost of using a route; lower metric values carry more weight than higher values, so a metric of 1 is preferred over 50. RIP uses the number of hops to determine a route's metric.
- By default the computer will preset certain route entries, however to implement smooth communication with hosts that are outside broadcast range one must set up either static or dynamic routing
- Static routing is when administrator adds new routes to the routing table, routers do not share routing information and tables have to be manually checked for accuracy. This makes static routing difficult in large networked environments. Static routing works best for small single path internetworks with 10 or less subnets. Static routing supports unnumbered connections. Static routes survive server restart since they are persistent.
- You can add new static routes from the Routing and Remote Access console or using the command line: route add [destination address] mask [netmask] [gateway] metric [metric cost] if [interface]. Please note that static routes added with the route command line utility are not persistent by default. To make them persistent use the -p switch. If routes are not persistent they are not listed under the 'Static' heading in the R&R access console.
- To delete a route from command line use route delete [destination address]
- In real life static routes are rarely used since RIP is easy to configure. You might need to use static routes for connections to remote routers that are intermittent, since dynamic routing protocols require too much communication over the link.
- You should avoid placing default route for two or more routers that point to each other since that puts unreachable traffic into an endless loop.
- Dynamic routing uses RIP 2 or OSPF to share information between routers and ensure that the routing tables are built and kept accurate dynamically
- There is nothing to be done as far as configuration is concerned by the administrator if the router is physically connected to all network segments
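Route selection over the five-column table described in [5.3], as an added example that is not part of the guide: closest (longest netmask) match first, lower metric as the tie-breaker, and persistence as set by route -p. The entries mirror what route print shows on a host with one NIC, but the addresses are constructed.

```python
# Added example (not from the guide): lookup against a Windows-style routing
# table with the columns Network Destination, Netmask, Gateway, Interface and
# Metric. Addresses and routes below are constructed.
import ipaddress


class Route:
    def __init__(self, destination, netmask, gateway, interface, metric, persistent=False):
        self.destination = ipaddress.ip_address(destination)
        self.netmask = ipaddress.ip_address(netmask)
        self.gateway = ipaddress.ip_address(gateway)
        self.interface = ipaddress.ip_address(interface)
        self.metric = metric
        self.persistent = persistent          # added with route -p, survives a restart

    @property
    def prefixlen(self):
        return bin(int(self.netmask)).count("1")

    def kind(self):
        """Default, host or network route as defined in [5.3]."""
        if int(self.destination) == 0 and int(self.netmask) == 0:
            return "default"
        if int(self.netmask) == 0xFFFFFFFF:
            return "host"
        return "network"

    def covers(self, ip):
        """Netmask selects the part of the packet address compared to the destination."""
        return int(ip) & int(self.netmask) == int(self.destination)


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add(self, destination, netmask, gateway, interface, metric, persistent=False):
        # route add <dest> mask <netmask> <gateway> metric <metric> if <interface> [-p]
        self.routes.append(Route(destination, netmask, gateway, interface, metric, persistent))

    def delete(self, destination):
        # route delete <dest>
        dest = ipaddress.ip_address(destination)
        self.routes = [r for r in self.routes if r.destination != dest]

    def lookup(self, dest_ip):
        """Closest (longest-mask) match wins; among equal masks the lower metric wins."""
        ip = ipaddress.ip_address(dest_ip)
        candidates = [r for r in self.routes if r.covers(ip)]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (-r.prefixlen, r.metric))

    def next_hop(self, dest_ip):
        """(gateway, interface) the packet is handed to, or None if unroutable."""
        route = self.lookup(dest_ip)
        return None if route is None else (str(route.gateway), str(route.interface))

    def after_restart(self):
        """Only persistent routes are back after a reboot."""
        table = RoutingTable()
        table.routes = [r for r in self.routes if r.persistent]
        return table


def sample_table():
    """Constructed table for a host 192.168.1.25 whose default gateway is 192.168.1.1."""
    me, gw = "192.168.1.25", "192.168.1.1"
    t = RoutingTable()
    t.add("0.0.0.0", "0.0.0.0", gw, me, 20)                               # default route
    t.add("127.0.0.0", "255.0.0.0", "127.0.0.1", "127.0.0.1", 1)          # loopback
    t.add("192.168.1.0", "255.255.255.0", me, me, 20)                     # local subnet
    t.add("192.168.1.25", "255.255.255.255", "127.0.0.1", "127.0.0.1", 20)  # own address
    t.add("192.168.1.255", "255.255.255.255", me, me, 20)                 # subnet broadcast
    t.add("224.0.0.0", "240.0.0.0", me, me, 20)                           # multicast
    t.add("255.255.255.255", "255.255.255.255", me, me, 1)                # limited broadcast
    t.add("10.0.0.0", "255.0.0.0", "192.168.1.254", me, 1, persistent=True)  # static, route -p
    return t
```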
[5.4] Configuring routing protocols
- Windows Server supports four routing protocols, RIP, OSPF, multicast IGMP and DHCP Relay agent
- RIP (Routing Information Protocol) uses lowest cost route choosing, routes with cost higher than 15 are discarded, limiting the network size. RIP routers advertise their whole tables to each other every 30 seconds.
- RIP works best in small to medium sized networks with a maximum of 15 routers, multipath networks with dynamic topology are well suited for RIP.
- The main advantage of RIP is its ease of use, its disadvantage is its limited hop based cost estimate and 15 hop size limit
- RIP can use simple password authentication that prevents an attacker from polluting the routing tables; unfortunately the passwords are plain text. You can configure a list of routers (peer filtering) from which your router is to accept RIP announcements (by IP address). You can configure route filters on each RIP interface, thus making routes that are reachable from your network the only ones that will be considered for addition to the routing table.
- By default RIP either uses broadcasts or multicasts (only in RIP 2). To prevent traffic from being sent to nodes that are not RIP routers system administrator can set RIP neighbors.
- OSPF (Open Shortest Path First) is an efficient protocol which uses the shortest path first algorithm to compute routes. OSPF routers don't share routing tables; instead they rely on a map of the internetwork called the link state database. Neighboring routers form an adjacency.
- The OSPF protocol can scale to very large networks due to no hop limit, fast convergence times, little network bandwidth and loop-free routes. Unfortunately it is not supported on the 64bit edition of Windows 2003 server.
- The changes to the network topology are sent to all routers in the network, which recompute their routing tables
- OSPF divides the network into areas (collections of contiguous networks) which are connected to each other through the backbone. Each router keeps a link state database only for the areas to which it is connected. Area border routers connect to the backbone area and other areas. OSPF also supports stub areas, which have only one entry and exit point.
- DHCP Relay Agent is a routing protocol that allows client computers to obtain an address from a DHCP server on a remote subnet. DHCP clients send their DHCPDISCOVER packets as broadcasts, which are blocked by routers; one either needs to deploy an RFC 1542-compliant router or a DHCP Relay Agent for these packets to get through to the other subnet. You cannot use DHCP Relay Agent on a computer that is also running the DHCP server, NAT (with automatic addressing turned on) or ICS. You install DHCP Relay Agent just like any other protocol. Routers that are RFC 1542 compliant use BOOTP (boot protocol) for DHCP packet forwarding.
[5.5] Demand-dial routing
- You can enable demand-dial routing from the General tab of the Routing and Remote Access properties
- You can set dial credentials, get unreachability reason, set IP demand-dial filters and dial-out hours from the actions menu. These options are only for the demand dial interface.
- On the properties page of the demand-dial router you can set modem features such as the source phone number, dialing properties such as call frequency, and the security protocol used (CHAP by default).
- You can access port and device properties from the Ports node. From this dialog box you can configure whether your modem will be used for inbound and/or outbound connections. You can also set the device's phone number.
- Clicking on the General node of IP Routing when demand dial is activated reveals some commands specific to dial-in (when one right-clicks on the demand-dial interface):
- Update routes is used to update routes if RIP is installed. Static routes are updated and are known as autostatic routes. Autostatic routes are used instead of normal RIP router-to-router communication due to the nature of the connection (demand dial).
- TCP/IP statistics allows the administrator to see information similar to that provided by ipconfig and netstat
- IP routing interface properties is a shortcut to another dialog box that has General, Multicast boundaries and Multicast heartbeat tabs
- On the General tab “Enable IP Router Manager” is enabled by default; it is the service responsible for numerous features such as IP packet filtering, and if you disable it the administrative status of the device changes to disabled. Another option is the “Enable Router Discovery Advertisements” check box, off by default; it is a feature in which network hosts send out router solicitations to discover routers, and it needs to be configured at the host. Packet filtering is handled by two buttons, Inbound Filters and Outbound Filters. Part of packet filtering is the “Enable fragmentation checking” check box, off by default.
- Multicast boundaries tab – administrative barriers for forwarding of IP multicast traffic. If boundaries didn't exist the IP multicast router would forward all appropriate IP multicast traffic. You can configure the boundary using a multicast scope or the TTL in the IP header.
- Multicast heartbeat tab – server listens for a regular multicast notification for a specified group address to verify that IP multicast connectivity is available on the network. You can configure timeout interval and the group address.
- Demand dial router to router configuration options:
- Connection endpoint addressing – end point of a connection that goes over a public network must be identified by an endpoint identifier (such as a phone number).
- Both ends of the demand dial connection must be configured for normal (bi-directional) traffic to flow, they both need R&R access to be running
- Authentication of the caller router is based on credentials that correspond to user account, authorization of the caller router is based on user permissions.
- The process of differentiating a router and a user calling is done by matching the user name to the interface being called, it is a router calling if the user name matches exactly the name of the demand dial interface on the answering router.
- Static routes are to be configured for both connection ends, the check box ‘use this route to initiate demand dial connection’ should be checked
[5.6] Configuring NAT
- NAT – network address translation is a service that modifies packet header information before sending them to their destination.
- The main difference between NAT and ICS is in their configuration options. ICS is simple and pre-configured, while with NAT you can choose any IP range for the private addresses and you can disable both the DHCP and DNS proxy capabilities. You can configure multiple external interfaces with NAT, and NAT recognizes static addresses within your network. ICS doesn't check for the existence of static addresses in its scope, which can cause problems.
- NAT needs some configuration to work, ICS is just single checkbox. For NAT you need to configure external interface and make sure you add a route to it. Both DHCP and DNS server should be present.
- The firewall in ICS is called Internet Connection firewall, while in NAT it is called Basic Firewall
- For both NAT and ICS the computer running the translation service becomes the default gateway for the client PCs
- NAT properties include ‘Services and ports’ tab which can be used to map internal service to external device using protocol and port number that given service uses.
- ICS is available on computers running Windows 98 and above, while for NAT Windows server 2000 or higher is needed
[5.7] Packet filtering
- Packet filter – a rule for an interface that restricts or allows traffic based on: direction, protocol, source address and destination address. There are two types of filters, outbound and inbound. Administrator may also choose to add filters through remote access policy.
- You can either allow all traffic except the packets the administrator specifies, or discard all traffic except the packets the filters allow to a specific PC (Basic Firewall blocks all traffic that is configured as inappropriate)
- You can create new packet filters through Routing and Remote access console, IP routing node, either General or NAT/Basic firewall node.
- It is important to define correctly the filter direction and action
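How an interface's inbound and outbound filter lists decide in the two modes above, as an added example that is not part of the guide. The rules, addresses and packets are constructed, and the names are this example's own; the test shows that the same filter list permits in one mode and blocks in the other, which is why direction and action must be chosen carefully.

```python
# Added example (not from the guide): evaluating an interface's inbound and
# outbound packet filters in the "receive all except" and "drop all except"
# modes described in [5.7]. Rules, addresses and packets are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PacketFilter:
    protocol: str                        # "tcp", "udp", "icmp" or "any"
    source: ipaddress.IPv4Network        # source network/mask
    destination: ipaddress.IPv4Network   # destination network/mask
    dst_port: Optional[int] = None       # None = any destination port

    def matches(self, pkt):
        return ((self.protocol == "any" or self.protocol == pkt["protocol"])
                and ipaddress.ip_address(pkt["src"]) in self.source
                and ipaddress.ip_address(pkt["dst"]) in self.destination
                and (self.dst_port is None or self.dst_port == pkt.get("dst_port")))


class InterfaceFilters:
    """Per-interface filter lists, one per direction, each with its own mode."""
    RECEIVE_ALL_EXCEPT = "pass all packets except those that match a filter"
    DROP_ALL_EXCEPT = "drop all packets except those that match a filter"

    def __init__(self):
        self.mode = {"inbound": self.RECEIVE_ALL_EXCEPT, "outbound": self.RECEIVE_ALL_EXCEPT}
        self.filters = {"inbound": [], "outbound": []}

    def set_mode(self, direction, mode):
        self.mode[direction] = mode

    def add(self, direction, pkt_filter):
        self.filters[direction].append(pkt_filter)

    def decide(self, direction, pkt):
        """Direction picks the list; the list's mode turns a match into allow or drop."""
        matched = any(f.matches(pkt) for f in self.filters[direction])
        if self.mode[direction] == self.DROP_ALL_EXCEPT:
            return "allow" if matched else "drop"
        return "drop" if matched else "allow"


def demo_interface():
    """Constructed: inbound, only TCP/80 to the web host 192.168.1.10 is let in;
    outbound, everything passes except traffic from the LAN to 10.0.0.0/8."""
    iface = InterfaceFilters()
    any_net = ipaddress.ip_network("0.0.0.0/0")
    iface.set_mode("inbound", InterfaceFilters.DROP_ALL_EXCEPT)
    iface.add("inbound", PacketFilter("tcp", any_net, ipaddress.ip_network("192.168.1.10/32"), 80))
    iface.add("outbound", PacketFilter("any", ipaddress.ip_network("192.168.1.0/24"),
                                       ipaddress.ip_network("10.0.0.0/8")))
    return iface
```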
[5.8] Configuring remote access authentication
- Remote access is provided by either VPN or dial-up networking
- Every computer that is connected to Remote Access server gets an IP assignment
- The Remote Access server can use existing DHCP server in which case it will lease a block(s) of 10 IP addresses upon startup. If 10 addresses cannot be leased then the Remote Access server doesn’t work properly. If a block of 10 addresses is not available APIPA is used to assign IP addresses and its usage signifies problem with addressing as APIPA addresses are not designed for remote access.
- Alternatively administrator can choose to use static IP address range assignment. In that case the Remote Access server is used for IP address assignment.
- If the subnet you choose is different from the one on which the Remote Access server is, you will need to configure routing on your router (as with any additional subnet)
- Remote Access server client computers must be authenticated to access the network, you can use Remote Authentication Dial-in User Service (RADIUS) or R&R access.
- When user places a call to Remote Access server he supplies his user name and password for authentication. For authorization, if the R&R access server is a domain member, domain logon is presented, for stand alone R&R access servers this step is omitted.
- The authentication method chosen is always the most secure method enabled in the Remote Access server client properties, remote server properties and the remote access policy applied onto the connection in question.
- If the user is changing his or her password during the authentication phase, the client and server must be using either MS-CHAP or MS-CHAP v2 for communication.
- Remote access protocols
- MS-CHAP (Microsoft Challenge Handshake Authentication Protocol) – still supports NTLM (but not by default). The same encryption key is used for all connections; both authentication and connection data are encrypted.
- MS-CHAP v2 – no NTLM and stronger encryption (such as salting the encrypted password strings passed). The two MS-CHAP protocols are the only ones that can change passwords during the authentication process. A new key is used for each connection and direction. Not supported by Windows 95. Both authentication and connection data are encrypted.
- CHAP – requires storage of user passwords using reversible encryption; authentication data is protected through MD5 hashing. No encryption of connection data.
- PAP (Password Authentication Protocol) passwords are unencrypted as well as connection data
- SPAP (Shiva Password Authentication Protocol) – less secure than CHAP or MS-CHAP, no encryption of connection data
- EAP-TLS (Extensible Authentication Protocol – Transport Level Security) – certificate-based authentication (EAP) used with smart cards; both authentication and connection data are encrypted; not supported on stand-alone servers, only in domains. EAP-TLS is supported only by Windows Server 2003 and Windows XP/2000.
- EAP-MD5 CHAP (Extensible Authentication Protocol – Message Digest 5 Challenge Handshake Authentication Protocol) – this is a version of CHAP that was ported to the EAP framework. Encrypts only authentication data, not connection data, like CHAP. EAP is supported only by Windows Server 2003 and Windows XP/2000.
- Unauthenticated access – connections without credentials, good for testing
- To modify security settings on the server, right-click on the server icon in the Routing and Remote Access console and select Properties, Security tab
- To modify security settings on the client select connection properties and then the security tab
[5.9] Authorizing remote access
- After remote connection has been authenticated, i.e. user credentials have been verified, the user has to be granted access to resources, a process known as authorization.
- User Dial-in properties for both dial-in and VPN connections are accessed from user properties dialog box, Dial-in tab
- From the dial-in tab administrator can set the following options:
- Remote access permission can be set to allow, deny or control through Remote Access Policy.
- Remote Access Policy option is available when the domain functional level is set to Windows 2000 native or higher. The allow access and deny access options override the options set in the remote access policy. However, when the action of allow is set the remote access profile is still read and applied, thus for example the logon hour restrictions set in remote access policy will apply if the action of allow access is set and logon hour restrictions are supplied.
- The remote access policy option is not available in AD Windows 2000 mixed mode. In this mode the allow access action corresponds to control through access policy. By default, allow permission is set.
- The caller ID can be verified if the phone system supports it.
- Callback options can be set to no callback (default), always callback to specified number and set by user. Callback requires Link Control Protocol (LCP) extensions to be enabled, which is default setting. During the initial call to the server only authentication information is passed.
- You can also assign the user a static IP address and define static routes
- Remote Access Policy is the preferred way to control authorization of users. It is a set of permissions and restrictions that is processed by remote access authenticating server and applies only to remote access connections. It is separate entity from the Group Policy and lives on the Routing and Remote Access server.
- By default there are two remote access policies created that can be read by either RADIUS or Routing and Remote Access servers and written to the local hard drive
- Connections to Microsoft Routing and Remote Access Server policy is set to match every connection except non-Microsoft network access server type
- Connections to Other Access Servers policy matches every connection. Due to ordering the first policy is evaluated first.
- You can restrict policy to members of a group. Only members of global security groups can serve as remote policy condition, no local or universal groups will do.
- Each policy has an associated policy profile which administrator can edit. You have dial-in constraints, IP properties, Multilink, Authentication, Encryption and advanced tabs
- On the dial-in tab you can restrict amount of time connection can last, specific connection phone number, media type and time of day
- On the IP tab you can set who supplies IP address, client or server, static address assignment and packet filters
- The Multilink tab allows the administrator to link multiple modems together; the Bandwidth Allocation Protocol (BAP) can be used to control when extra lines are connected and when they are dropped
- On the authentication tab you can specify protocols such as Chap, by default MS-Chap and MS-Chap 2 are enabled
- On the encryption tab security administrator can choose RSA or DES encryption. There are four different settings:
- No encryption – no security
- Basic Encryption (MPPE 40bit) – used for dial-up and PPTP VPN connections, 56bit for L2TP/IPSec
- Strong Encryption (MPPE 56bit) – used for dial-up and PPTP VPN connections and for L2TP/IPSec VPN 56bit DES is used
- Strongest Encryption (MPPE 128bit) – used for dial-up and PPTP VPN connections and for L2TP/IPSec VPN 168bit 3DES is used
- On the Advanced tab one sets attributes that are read only by a RADIUS server (not by R&R access)
- To enable remote users to connect to resources outside Remote Access server you need to configure RAS as a router. Make sure routing option is selected in server properties, check that IP Routing is selected in the IP tab of server properties. If you want to use NetBIOS name resolution without WINS, enable it on IP tab as well.
- When there are no remote access policies (all are deleted) and user is set to use remote access policy user access is denied.
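The authorization logic of [5.9], as an added example that is not part of the guide: the user's Dial-in permission, an ordered list of remote access policies and the matched policy's profile are combined the way the bullets above describe. Policy names, group names and profile values are constructed; how an explicit Allow behaves when no policy matches is an assumption, marked in the code.

```python
# Added example (not from the guide): remote access authorization as described
# in [5.9]. Policy names, group names and profile values are constructed.
from dataclasses import dataclass, field


@dataclass
class Profile:
    """Subset of a policy profile: dial-in constraints and authentication tab."""
    allowed_hours: range = range(0, 24)                 # time-of-day restriction
    auth_protocols: tuple = ("MS-CHAP", "MS-CHAP v2")   # enabled by default


@dataclass
class Policy:
    name: str
    groups: frozenset = frozenset()          # global security group condition (empty = any)
    nas_port_types: frozenset = frozenset()  # NAS-Port-Type condition (empty = any)
    grant: bool = True                       # policy action: grant or deny remote access
    profile: Profile = field(default_factory=Profile)

    def matches(self, conn):
        if self.groups and not (self.groups & conn["groups"]):
            return False
        if self.nas_port_types and conn["nas_port_type"] not in self.nas_port_types:
            return False
        return True


def first_matching_policy(policies, conn):
    """Policies are ordered; only the first one whose conditions match is used."""
    for policy in policies:
        if policy.matches(conn):
            return policy
    return None


def authorize(user_permission, policies, conn):
    """user_permission is the Dial-in tab setting: 'allow', 'deny' or 'policy'
    (control access through Remote Access Policy). Returns (granted, reason)."""
    if user_permission == "deny":
        return False, "denied on the user's Dial-in tab"
    policy = first_matching_policy(policies, conn)
    if policy is None:
        # Guide: no policies plus the 'policy' setting means denied. Treating an
        # explicit 'allow' with no matching policy the same way is an assumption.
        return False, "no remote access policy matches the connection"
    if user_permission == "policy" and not policy.grant:
        return False, f"policy '{policy.name}' denies access"
    # An explicit allow overrides a deny action, but the matched profile still applies.
    prof = policy.profile
    if conn["hour"] not in prof.allowed_hours:
        return False, f"outside the logon hours in the profile of '{policy.name}'"
    if conn["auth_protocol"] not in prof.auth_protocols:
        return False, f"{conn['auth_protocol']} is not enabled in the profile of '{policy.name}'"
    return True, f"granted by policy '{policy.name}'"


def demo_policies():
    """Constructed: a VPN policy for a 'Telecommuters' global group, office hours
    only, followed by a catch-all deny policy."""
    return [
        Policy("Telecommuters VPN", groups=frozenset({"Telecommuters"}),
               nas_port_types=frozenset({"Virtual (VPN)"}),
               profile=Profile(allowed_hours=range(8, 18))),
        Policy("Deny everyone else", grant=False),
    ]


def demo_connection(groups=("Telecommuters",), hour=10, protocol="MS-CHAP v2"):
    """Constructed connection attempt arriving over a VPN port."""
    return {"groups": frozenset(groups), "nas_port_type": "Virtual (VPN)",
            "hour": hour, "auth_protocol": protocol}
```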
[5.10] Configuring VPN
- VPN – virtual private network is a logical network that works on the physical layer that spans the internet
- VPN are used to securely connect users to a remote network or two remote network segments together
- There are two distinct VPN deployment environments:
- Basic remote access VPN: the client PC connects to the VPN server. On the server a remote access policy grants access to a global telecommuters security group (you need to create one first) with a NAS-Port-Type condition of Virtual (VPN). On the client side the end user uses the New Connection Wizard.
- Extranet, also known as router-to-router VPN. Two networks are connected using VPN through servers that run R&R access. Authorization is based on demand-dial interfaces, not on individual users' credentials. Each demand-dial interface is configured with a user name, password and domain. The user name has to be identical to the demand-dial interface name of the other VPN server. The configuration of access through remote access policy is as above. For a functional extranet, routing has to be established to direct traffic between the remote network segments.
- When a user attempts a connection through VPN, as network administrator make sure the following conditions are met:
- Make sure you have enough ports for the appropriate VPN type
- Make sure there are no conflicts between remote access policy and remote access server
- Verify that the client has the appropriate permissions and has the same protocol enabled as the server; the remote access server or RADIUS server has to be a member of the RAS and IAS Servers security group
- The encryption strength has to be set the same across the board (remote access policy and remote access server)
- If MS-CHAP is used the user password has to be 14 characters or fewer
- For router-to-router VPN connections the network administrator must make sure the following conditions are met in addition to the above:
- Each end of the connection has to be configured as a router
- Make sure IP Routing is enabled and static routes are created
- By default 128 ports are created of each type if VPN server role is specified, each port enables a single connection. If server role of VPN is not specified, by default there are 5 ports of each type created (PPTP and L2TP). Windows Server 2003 supports 1000 VPN connections of each type, thus this is the maximum number of ports you can specify
- For routing RIP can be implemented with announcements exceeding default 30s interval, for dial-up connections autostatic routes are a better choice.
[5.11] PPTP and L2TP/IPSec
- PPTP connections are easier to set up and configure, but they are considered less secure than L2TP connections; the extra security comes at a price in complexity
- PPTP connections do not provide any proof that the data was not modified during transfer
- The only way to distinguish a VPN connection in a policy is through the NAS-Port-Type of “Virtual (VPN)”; you cannot distinguish between PPTP and L2TP
- PPTP VPNs are good when remote users cannot use certificates for connection establishment
- In L2TP/IPSec connections the L2TP protocol provides VPN tunneling, while Encapsulating Security Payload (ESP), a feature of IPSec, provides data encryption.
- L2TP connections need to authenticate both the user and the computer the user is using. Computer authentication is done first, by means of certificates whose purpose is client authentication or IPSec.
- When both the server and client are Windows Server 2003 computers they don't have to use certificates; authentication can be done using a preshared key. This is less secure than certificates because the key is passed over the network in plain text, and it is good for testing only.
- If EAP-TLS user authentication method is used certificates must be preinstalled on all clients and servers (if RADIUS is used)
- Administrator can disable L2TP/IPSec connections by setting the number of ports to 0, this cannot be done with PPTP connections
- PPTP uses MPPE for encryption, link between two network segments is treated as a PPP connection. PPP frame is encrypted and wrapped with Generic Routing Encapsulation (GRE) header.
- L2TP encryption is provided by the Encapsulating Security Payload (ESP) protocol (which is a feature of IPSec).
[5.12] Configuring IAS, Microsoft RADIUS
- Internet authentication service (IAS) is Microsoft’s implementation of RADIUS
- RADIUS is used to centralize remote access authentication, authorization and logging. RADIUS server uses RADIUS protocol for communication. The RADIUS protocol is open standard, thus there is no need to use Microsoft RADIUS solution.
- A RADIUS server group is a group of RADIUS servers among which network access requests are balanced by a RADIUS proxy
- RADIUS proxy can also be used to route requests to appropriate RADIUS servers based on realm name attribute of connection
- Administrator needs to configure Routing and Remote Access Server as a client to RADIUS server. This operation is done from properties dialog box security tab of Remote Access server console.
- To configure a RADIUS client open server properties from R&R access console and select the security tab. On the screen shown administrator can select RADIUS as Authentication and/or Accounting provider
- Once the administrator selects the role(s) the RADIUS server is to take, he needs to configure it by clicking the Configure button; the following options are available on the popup screen:
- Secret – plain text password
- Time-out – how long to wait for RADIUS server
- Initial Score – ordering for query priority of different RADIUS servers
- Port – default port is UDP 1812 for authentication and UDP 1813 for accounting
- Always Use Message Authenticator – an HMAC-MD5 over the RADIUS message keyed with the shared secret; if this option is enabled, messages without a valid Message-Authenticator attribute are discarded
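As an added example (not from the original guide), the Message Authenticator check just described, in Python: an Access-Request with a NAS-Port-Type of Virtual (VPN) is built with an HMAC-MD5 Message-Authenticator, and a receiver configured to always require it verifies the attribute and refuses requests where it is missing, computed with another secret, or tampered with. The shared secret and user name are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS constants from RFC 2865 and RFC 2869 (the UDP 1812 authentication side)
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_PORT_TYPE = 61
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_VIRTUAL = 5       # "Virtual (VPN)", the value a VPN policy matches on
HEADER_LEN = 20                 # code, identifier, length and the 16-byte authenticator


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as type, total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, secret, attrs, request_authenticator=None):
    """Build an Access-Request whose Message-Authenticator is HMAC-MD5(secret, packet),
    computed with the attribute's own 16 bytes zeroed (RFC 2869 section 5.14)."""
    authenticator = request_authenticator or os.urandom(16)
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zero placeholder
    packet = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier,
                         HEADER_LEN + len(body)) + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac       # the placeholder is the last 16 bytes


def iter_attrs(packet):
    """Yield (type, offset, value) per attribute; raise on malformed lengths."""
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, pos, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_message_authenticator(packet, secret):
    """True only for a packet with a valid Message-Authenticator; with the
    'Always Use Message Authenticator' option, anything else is discarded."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        for attr_type, pos, value in iter_attrs(packet):
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
                zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        pass
    return False
```

build_access_request(7, secret, [(ATTR_USER_NAME, b"user")]) produces a request and verify_message_authenticator(packet, secret) is the receiver-side check.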
- This is the interaction that exists between RADIUS and other servers and/or clients:
- When VPN, wireless, dial-up clients (all remote) connect to one of multiple network access servers (R&R access servers) they need to be authorized and authenticated.
- The network access server is configured to use RADIUS for that purpose; it connects to the RADIUS server using the RADIUS protocol
- If the network is large and there are multiple RADIUS servers the network access server first connects to the RADIUS proxy server and asks it for correct RADIUS server based on realm name
- RADIUS proxy is used for load balancing as well as environments where there are multiple realms with distinct security settings
- To configure RADIUS on a PC, network administrator needs to do three things:
- Install IAS networking component
- Register IAS server in the AD
- From RADIUS console add new RADIUS clients
- Administrator needs to register IAS server in the AD, IAS server needs to be member of RAS and IAS security groups
- Administrator can migrate, restore and backup RADIUS server from command line using netsh and subcommand ‘aaaa’
[5.13] Other points
- AppleTalk routing is supported on Windows server 2003
- IPX routing was supported on Windows server 2000 but is no longer supported on Windows server 2003
- To list all running system services use tasklist /svc. A user account needs to be granted the ‘Log on as a service’ user right for services to run in its context.
- To configure Remote Access Account Lockout, the system administrator needs to configure the following registry settings:
- To turn remote access lockout on, set MaxDenials under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout to 1 or greater
- To reset a locked account: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\domain name:user name
- To set up RAS client, the operator needs to use New Connection Wizard from the control panel
Part 6: Managing network infrastructure and security
[6.1] Network Security protocols
- Authentication: Kerberos and NTLM (for backward compatibility only)
- Authorization: Kerberos and NTLM
- Confidentiality: Encryption parts of Kerberos, IPSec and NTLM
- Integrity: Parts of Kerberos, IPSec and NTLM
- Non-repudiation: Kerberos and IPSec (proof of who sent and received the message)
[6.2] Using security templates
- Security Templates snap-in is by default linked to %systemroot%\security\templates folder. More templates are stored in %systemroot%\Inf folder, you can copy them to the security folder to view them with this snap-in.
- Administrator should create a master template for all PCs and server role based templates. It is a good practice to create rollback templates before applying new templates.
- These are default templates available with Windows Server 2003:
- Setup security.inf – default settings applied to current machine on installation
- Compatws.inf – used for backwards compatibility, so applications not certified for Windows XP can work (not for DC)
- Secure*.inf – implements recommended security in all areas except files, folders and registry keys
- Hisec*.inf – high-security network communication; Windows XP can communicate only with other XP or 2000 computers (not Windows 95/98/Me, due to the DC – client communication requirements)
- Rootsec.inf – applies the root directory permissions introduced in XP
- Notssid.inf – removes default permissions granted to terminal server SID
- DC security – default security settings for DC
- Iesacls – registry permissions and keys relevant to IE are applied, everyone group gets full control
- Securedc – limits account policies and applies LAN manager restrictions
- Defltsv – default server templates used during installation
- Defltdc – default DC template used during dcpromo execution
- For a security template to take effect you need to apply it using the Security Configuration and Analysis snap-in.
- Administrator can compare two templates, or compare the current security settings of a computer to a baseline template, using the Security Configuration and Analysis snap-in
- When applying templates the administrator must choose whether to ‘clear the database’; if he does so, only the settings in the template currently being applied are applied. If he doesn't clear the database, one of three things can happen:
- If setting is defined in the new template but not the old one, new setting is applied
- If setting is defined in the old template but not the new one, setting stays as is
- If setting is both in new and old templates, new setting takes precedence over old one
- Secedit is a command line tool used to apply security templates, it is a command line version of Security configuration and analysis snap-in
- It is good practice never to modify the default templates; instead use copies of the current templates in a separate location and modify those
- Administrator can modify a security template by editing Inf files directly
- The IP Security and Public Key policies cannot be modified using a security template
[6.3] IPSec protocol
- IPSec is natively supported on Windows 2000/2003/XP, a legacy client is available for Windows NT4/Me/98
- IPSec can be used to encrypt traffic, allow traffic to leave or enter PC and block traffic from entering or leaving PC
- IPSec can be monitored (if the IPSec service is started) using the IP Security Monitor snap-in, or in Windows 2000 the command line utility ipsecmon.exe; the monitor shows the two modes of operation, Main Mode and Quick Mode
- IPSec policies are sets of filters that describe network traffic and the action to take on it. Filters are organized into filter lists, which are part of rules. Each rule defines a filter action, which can be one of: Block, Permit or Negotiate Security. An IPSec policy can have many rules, but each rule can have only one filter action.
- IKE is the protocol used to open the first secure channel; the master key is derived separately on each PC and never transported over the network
- Negotiation is the process of determining which IPSec mini-protocol will be used and what specifics are to be used, such as the key strength
- Offloading of IPSec encryption to NIC is supported for improved server performance
- Netsh is a command line tool that is used to modify and display local and remote network configuration. This is a tool that administrators can use for scripting. Its subcommand is ipsec, two modes are possible, dynamic and static. To show all IPSec settings use netsh ipsec static show all
- IP security monitor is used to monitor IPSec traffic, you can see traffic statistics according to many different counters
- Netcap.exe is a command line utility used to capture network traffic to a file. The administrator can run the utility on Windows XP; Network Monitor does not need to be installed as a component.
- Routers will pass IPSec traffic through, but firewalls and packet filters need to be configured to allow IPSec to pass through them
[6.4] Kerberos protocol
- The Kerberos protocol is used for authentication. Kerberos is superior to the older NTLM protocol and is the preferred protocol in Windows 2000/XP/2003. It is described in RFC 1510.
- The time difference between server and client is called time skew, by default if the time difference is more than 5 min the authentication will fail (at this time NTLM authentication might be attempted). Client and DC computers synchronize their clocks only if the difference between them is less than 30 minutes.
- Port 88 UDP is used for Kerberos traffic, ticket granting ticket (TGT) is requested by client from the DC
- Kerberos service or user ticket is granted in order for the user to use a specific service. Tickets are cached and can be reused and renewed. If a ticket cannot be renewed, new ticket can be issued.
- TGT is stored in Kerberos ticket cache which can be analysed and viewed using kerbtray.exe found in the support tools
- To see a list of tickets that are in the cache you can use klist.exe found in the support tools
- Administrator can use netdiag utility to run network tests one of which is a kerberos test
- When kerberos is used for logon and administrator wants to see it logged in the event log, auditing must be enabled for logon event and account logon event.
- The network administrator is unable to turn NTLM authentication off. For example, NTLM is still used when drives are mapped by IP address instead of by computer name.
- Ksetup – command line tool used to configure Kerberos, used to: set up a realm entry, set up computer’s password in the kerberos realm and set up local account to kerberos account mappings
- Ktpass – command line tool used to configure a non-Windows Server 2003 Kerberos service as a security principal in AD
[6.5] Network performance monitoring
- The easiest tool to use is task manager’s networking tab
- If one cannot detect problems using task manager, there is always performance monitor with its networking-related performance objects. Objects include Network Interface, TCPv4, NBT Connection, RAS Port and RAS Total.
- Alerts are created when specific counter(s) go above or below a specific value. When an alert is triggered you can do one of the following:
- You can log alerts in application log
- Can send a network message
- Start performance data log
- Run a program
- Performance logs and alerts are used to perform long term analysis:
- Using the default Windows XP Pro data provider or another application provider, trace logs record detailed system and application events when certain activities, such as a disk I/O operation, occur. When the event occurs, the OS logs the system data to a file. A parsing tool such as Tracerpt is required to interpret the trace log output.
- When counter logs are in use, the service obtains data from the system when the update interval has elapsed, rather than waiting for a specific event.
- Remember that trace logs are event driven and Counter logs are update interval driven
- Netstat – this is command line tool used to monitor network connection
[6.6] Performance indicators
- Memory: Page Faults/sec – data not found in CPU cache creates a fault; most processors can handle large amounts of soft page faults, compare with Memory: Pages/sec
- Available memory in bytes – need more if less than 10% available (could be an application memory leak)
- Memory: pages/sec – hard drive access to page file, a rate of 20 or more indicates a need for more RAM
- Page file percent close to 100, need more space on file or more RAM
- Physical disk: percentage disk time above 70% – is too high, if paging file usage is excessive as well it indicates more RAM is needed otherwise a disk is the bottleneck
- Physical disk average queue length above 2 – check paging file and physical memory
- Physical disk current queue length – a value above 2 indicates a problem
- CPU close to 100% – need more CPU power if situation continues for excessive amounts of time
- Number of open files indicates how busy the server is, compare to baseline
- Server: bytes total/sec – indicates network throughput
- Baselining is the process of determining average/normal system performance. Should be done over a period of 3 to 4 weeks using counter logs.
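Added example (not part of the original guide): the baselining and threshold rules above applied in Python to a constructed counter-log excerpt in the PDH-CSV layout that Performance Logs and Alerts exports. The 90% cut-off standing in for “close to 100%” CPU and the machine's total RAM passed to evaluate() are assumptions.

```python
import csv
import io

# Constructed counter-log excerpt in the PDH-CSV 4.0 layout that Performance Logs
# and Alerts exports (one column per counter path); the sample values are made up.
SAMPLE_COUNTER_LOG = (
    '"(PDH-CSV 4.0) (Eastern Standard Time)(300)",'
    '"\\\\SRV1\\Memory\\Pages/sec","\\\\SRV1\\Memory\\Available Bytes",'
    '"\\\\SRV1\\PhysicalDisk(_Total)\\% Disk Time",'
    '"\\\\SRV1\\PhysicalDisk(_Total)\\Avg. Disk Queue Length",'
    '"\\\\SRV1\\Processor(_Total)\\% Processor Time"\n'
    '"06/17/2004 09:00:00.000","25.4","40000000","82.1","3.2","45.0"\n'
    '"06/17/2004 09:00:15.000","31.0","38000000","88.0","2.9","50.0"\n'
    '"06/17/2004 09:00:30.000","22.7","41000000","79.5","2.6","47.0"\n'
)


def average_counters(csv_text):
    """Baseline step: average each counter column over all samples in the log."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader)
    sums = [0.0] * len(header)
    count = 0
    for row in reader:
        for i, cell in enumerate(row[1:], start=1):   # column 0 is the timestamp
            sums[i] += float(cell)
        count += 1
    return {header[i]: sums[i] / count for i in range(1, len(header))} if count else {}


def counter(averages, suffix):
    """Look a counter up by path suffix so the machine name prefix does not matter."""
    return next((v for k, v in averages.items() if k.endswith(suffix)), None)


def evaluate(averages, total_ram_bytes):
    """Apply the guide's thresholds to the averages; returns (area, finding) pairs."""
    findings = []
    pages = counter(averages, "\\Memory\\Pages/sec")
    avail = counter(averages, "\\Memory\\Available Bytes")
    disk_time = counter(averages, "\\% Disk Time")
    queue = counter(averages, "\\Avg. Disk Queue Length")
    cpu = counter(averages, "\\% Processor Time")
    paging_excessive = pages is not None and pages >= 20
    if paging_excessive:
        findings.append(("RAM", "Pages/sec at or above 20: add RAM"))
    if avail is not None and avail < 0.10 * total_ram_bytes:
        findings.append(("RAM", "under 10% of memory available: add RAM or check for a leak"))
    if disk_time is not None and disk_time > 70:
        if paging_excessive:
            findings.append(("RAM", "% Disk Time above 70 with heavy paging: add RAM"))
        else:
            findings.append(("DISK", "% Disk Time above 70: the disk is the bottleneck"))
    if queue is not None and queue > 2:
        findings.append(("DISK", "Avg. Disk Queue Length above 2: check paging file and RAM"))
    if cpu is not None and cpu >= 90:   # "close to 100%" taken as 90%, an assumption
        findings.append(("CPU", "processor near saturation: add CPU capacity"))
    return findings
```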
[6.7] SUS – software update service
- SUS – software update service, can distribute updates (need to be approved by the admin before distribution occurs) to clients.
- Minimum requirements for the clients to connect to SUS are Windows XP SP1, or Win2k SP3 or later.
- SUS server is really just a webpage with ActiveX functionality that piggybacks on top of IIS.
- In order for SUS to work you need to point client computers to SUS server using GPO
- You need to install SUS10SP1.exe on the server
- Server computer must be running at least version 5 of IIS
- SUS virtual administrative directory http://yourservername/SUSadmin
- SUS needs NTFS with at least 100 MB to install the package and 6 GB for storing updates; SUS runs from the ‘default website’ and stores all data there
- SUS notification is shown for Administrators only
- With a Pentium III 700 MHz and 512 MB RAM, a SUS server can handle up to 15000 clients
- SUS server is not set to synchronize with Windows update site by default, administrator must do that or manually synchronize
[6.8] Other points
- Runas is also known as secondary logon; you need to have the Secondary Logon service running to use it. This command line utility is used to run programs within a different user's security context. For example, a network administrator is logged on as a regular user and needs to run a system utility that requires administrative privileges. Instead of logging out and back in as an administrator, the user can use the runas command, which has the following syntax: runas /user:ComputerName\UserName “program name”
- Microsoft Operations Manager (MOM) can be used to archive security logs
- Service dependencies can be shown using the GUI program Dependency Walker, depends.exe
- Things that should be audited: Audit both success and failure events in the systems event category. Audit success events in the Policy Change event category for all DC, audit success events in the Account Management event category, audit success events in the Logon event category and audit success events in the account logon event category on DC.