MCSA-MCSE_2003_70-291
7/31/2019 MCSA-MCSE_2003_70-291
1/39
1
http://www.tomkitta.com/guides/70-270.cfm
Microsoft exam 70-291 preparation guide
Contents:
Part 1: Understanding Windows networks and TCP/IP
Part 2: Troubleshooting and monitoring TCP/IP
Part 3: Implementing, configuring and troubleshooting DNS servers
Part 4: Implementing, configuring and troubleshooting DHCP servers
Part 5: Implementing, configuring and troubleshooting routing and remote access in Windows networks
Part 6: Managing network infrastructure and security
Preface
I have written this short preparation guide as a way for myself to ease studying for the Microsoft 70-291 exam titled "Implementing, managing and maintaining a Microsoft Windows Server 2003 network infrastructure". I provide this guide as is, without any guarantees, explicit or implied, as to its contents. You may use the information contained herein in your computer career; however, I take no responsibility for any damages you may incur as a result of following this guide. You may use this document freely and share it with anybody as long as you provide the whole document in one piece and do not charge any money for it. If you find any mistakes, please feel free to inform me about them. Tom Kitta. Legal stuff aside, let us start.
Guide version 0.006 last updated on 17/06/2004
Part 1: Understanding Windows networks and TCP/IP
[1.1] Basic networking definitions
- Network infrastructure - the set of physical and logical components that allow for, among other features, security, management and connectivity
- Physical infrastructure - also known as the network's topology: the physical layout of hardware components, the type of hardware, and the technology used with that hardware for data transmission
- Logical infrastructure - the software that allows communication over the physical infrastructure; it includes services that run on the network, such as DNS
- Network connection - a logical interface between the software and hardware layers
- Network protocol - the language used for communication between networked computers
- Network service - a program that provides features to hosts or protocols on the network
- Network client - a program that allows a computer to connect to a network operating system
- Addressing - the practice of maintaining a coherent system of addresses within an organization's network that allows all computers to communicate
- Name resolution - the process of translating a computer name into an address and the other way around
- Workgroup - a simple grouping of resources which by default uses the NetBIOS naming system. NetBIOS is used together with Common Internet File System (CIFS), an extension of the Server Message Block (SMB) protocol, to provide file sharing. There is no centralized security in a workgroup environment; each computer keeps its own accounts. The default workgroup name is WORKGROUP. In the absence of a WINS server, NetBIOS names are resolved using broadcasts to the local network segment.
- Domain - a collection of computers that share a common directory, security policies and relationships with other domains. The word 'domain' is used both for a grouping of computers in AD and for names in DNS; they are different things.
- Active Directory - a distributed database that provides a directory service
- Remote access - a connection configured for users who want to access resources from a non-local site. There are two types, VPN and dial-up.
- Network Address Translation (NAT) - the system which allows computers with private addresses to communicate with computers on the Internet
- NWLink - Microsoft implementation of the Novell IPX/SPX protocol used by NetWare networks
- Certificate - a digitally signed statement that binds a public key to an identity; used for public key cryptography
- NetBT - NetBIOS over TCP/IP, provides for higher level communications such as SMB (Server Message Block) and CIFS
- CIFS - an extension of the SMB protocol that is used with basic file sharing. One advantage of CIFS over NetBIOS-based SMB is the ability to run directly over TCP/IP (TCP port 445), using DNS for name resolution, without NetBIOS.
- TCP/IP - the most popular protocol suite: scalable, routable and based on open standards
- Redirector - client component that decides whether a request is to be serviced locally or remotely. In Windows the redirector is called Client for Microsoft Networks. It uses SMB/CIFS for communication.
[1.2] Network connection
- Components that make up a connection: network clients, services and protocols
- Connections by themselves don't provide communication; it occurs through the components bound to the connection
- Client for Microsoft Networks is by default bound to all local area connections; it allows client computers to perform CIFS related tasks
- The TCP/IP protocol is bound to all connections by default
- File and Printer Sharing for Microsoft Networks is installed and bound to all connections by default
- Advanced connection settings allow the administrator to change the priority of each connection
- The Provider Order tab in the Advanced Settings dialog box allows the administrator to change the network provider order. This setting applies to all connections. By default, Microsoft Terminal Services is given priority over Microsoft Windows Network because Terminal Services is meant to be used in place of all other connections.
- The Provider Order tab also lists the print provider order; by default LanMan Print Services is given priority over HTTP Print Services
[1.3] Default TCP/IP Settings, APIPA
- APIPA stands for Automatic Private IP Addressing
- By default the IP address and DNS servers are obtained automatically from the DHCP server
- If the computer cannot get an address automatically it uses APIPA to assign itself one
- APIPA assigns the PC an address from the range 169.254.0.1 to 169.254.255.254 (169.254.0.0/16, subnet mask 255.255.0.0); in use since Windows 98
- Administrators can combine APIPA with an alternate configuration. When an IP can be obtained from DHCP, APIPA turns itself off; an APIPA address never overrides a DHCP-obtained address
- To disable APIPA the administrator can either configure an alternate IP address or set the registry value IPAutoconfigurationEnabled to 0 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface> and reboot
- An all-zero address (0.0.0.0) might indicate that the IP lease has been released and never renewed
- When a computer fails to obtain even an APIPA address in the absence of a DHCP server and a static address, the administrator should look for a hardware problem
[1.4] Management and monitoring tools
- Connection Manager - allows creation of customized remote access connections
- Connection Point Services - Phone Book Service, requires IIS
- Network Monitor - packet analyzer
- SNMP - Simple Network Management Protocol; agents monitor activity in network devices and report to a network management console. Works with both Windows and UNIX and with almost any network device.
- WMI SNMP Provider - lets client applications access static and dynamic SNMP information through WMI
[1.5] TCP/IP model
- Two layered reference models are used: the four-layer TCP/IP model and the seven-layer OSI (Open Systems Interconnection) model
- Network Interface - the layer that describes the standards for physical media, for example Ethernet. In the OSI model it corresponds to both the Physical layer and the Data Link layer.
- Internet - the layer during which information is packaged, addressed and routed to other network destinations. ARP is used for address resolution, IP for addressing and routing data, and ICMP for reporting errors and exchanging limited control/status information. In the OSI model this is the Network layer.
- Transport - the layer during which the standards of data transport are determined: TCP, with its guarantee of delivery, and the connectionless, unguaranteed but fast UDP. This layer has the same name in the OSI model.
- Application - the layer during which end user data is changed, packaged and sent to and from the transport layer, for example telnet. In OSI this corresponds to three layers: Session, Presentation and Application.
[1.6] OSI model
OSI stands for Open Systems Interconnection; the model has seven layers:
- 7 Application layer
- 6 Presentation layer
- 5 Session layer
- 4 Transport layer
- 3 Network layer
- 2 Data Link layer
- 1 Physical layer
Layers 7, 6 and 5 correspond to the Application layer in the TCP/IP model; layer 4 corresponds to the Transport layer; layer 3 to the Internet layer; layers 2 and 1 to the Network Interface layer. Protocols that were not originally part of the TCP/IP specifications are referred to not by their position in the TCP/IP model but by the OSI model. For example, NetBT is a session (layer 5) protocol.
[1.7] Protocols, their port numbers and layers in TCP/IP model they are in
- Port number - identifies the stream of data (the service) a TCP or UDP segment belongs to. The IP protocol number identifies the transport or tunnelling protocol carried in the packet (for example 6 for TCP, 17 for UDP, 47 for GRE, 50 for ESP).
- Transport is provided by TCP and UDP
- Internet layer protocols are ARP, IP and ICMP
- HTTP - Hypertext Transfer Protocol, TCP port 80 (application layer)
- HTTPS (HTTP over SSL) - TCP port 443
- SMTP - TCP port 25. IIS SMTP service files are stored in LocalDrive:\Inetpub\Mailroot
- SNMP - Simple Network Management Protocol, used to provide information about TCP/IP hosts, UDP port 161
- FTP - TCP port 21 (control), TCP port 20 (data); the IIS FTP service allows only anonymous and basic (clear-text) authentication. Files stored in LocalDrive:\Inetpub\Ftproot (application layer)
- POP3 - TCP port 110
- DNS - UDP port 53 (queries), TCP port 53 (zone transfers)
- NNTP - TCP port 119. Files stored in LocalDrive:\Inetpub\Nntpfile\Root
- PPTP - Point-to-Point Tunneling Protocol, TCP port 1723 for the control channel; tunnelled data uses GRE, IP protocol number 47
- L2TP/IPSec - UDP ports 500 (IKE), 1701 (L2TP) and 4500 (NAT traversal); the encrypted data uses ESP, IP protocol number 50
- ARP, ICMP and IP are internet layer protocols
[1.8] IP addressing
- The Internet Assigned Numbers Authority (IANA) divides up the non-reserved portions of the IP address space
- IANA gives address blocks to regional authorities such as ARIN, which in turn give them to large ISPs
- Private address ranges (RFC 1918) are 10.0.0.0 - 10.255.255.255 (10.0.0.0/8), 172.16.0.0 - 172.31.255.255 (172.16.0.0/12) and 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
- An IP address is just a representation of a 32 bit number broken into four 8 bit parts for ease of reading by the administrator
- An IP address is made up of two parts, the network address and the host address. The network prefix is the number of bits in the network ID.
- IP class assignments:
  o Class A 1-126.x.x.x, hosts supported 16777214, mask 255.0.0.0 (127.x.x.x is reserved for loopback)
  o Class B 128-191.x.x.x, hosts supported 65534, mask 255.255.0.0
  o Class C 192-223.x.x.x, hosts supported 254, mask 255.255.255.0
  o Class D 224-239.x.x.x, reserved for multicast addressing
  o Class E 240-255.x.x.x, reserved for experimental use
- The subnet mask is used to determine whether a packet is destined for the current network or not. It does that by masking off the network part of the IP address. The PC first finds its own network address by a bitwise AND of its IP address and its subnet mask. Then the PC does a bitwise AND of the destination IP address and its own subnet mask to determine the destination network address. If the two results match, the packet travels on the local network; if they don't, the packet is destined for a foreign network and is handed to the default gateway.
- CIDR (Classless Inter-Domain Routing) notation is a shorthand for the subnet mask. It counts the number of 1s in the binary representation of the mask and is written after the IP address; for example 192.168.2.12/24 means the subnet mask is 255.255.255.0, since there are 24 1s in the mask. It is not compatible with RIP v1. CIDR is the name administrators commonly use when talking about supernetting, since CIDR is used to shorten routing tables.
- The default gateway is the IP address of a routing device that accepts packets destined for other networks. Other networks are subnets that are not within the broadcast range of the PC contacting the default gateway (the gateway itself is within broadcast range).
- Simple checks to spot an invalid IP address:
  o Host without a subnet mask
  o Network ID not unique per WAN, or host ID not unique per LAN
  o Host ID of all 1s (the subnet broadcast address) or all 0s (the network ID); likewise a network ID of all 1s or all 0s
[1.9] Subnetting and supernetting IP networks
- Subnetting - dividing a default class A, B or C address space into smaller spaces. The logical division is accomplished by extending the string of 1s in the subnet mask.
- Subnetting is used to accommodate security needs, physical topology and limitation of broadcast traffic
- Number of hosts on a subnet = 2^(32 - number of 1s in the mask) - 2. We subtract 2 since one address is needed for the network ID and one for the network broadcast.
- A host ID of all 0s is the network ID; a host ID of all 1s is the broadcast address
- Supernetting - combining several default class A, B or C address spaces into one larger space. This allows more efficient allocation of network address space.
- Supernetting's major difference from subnetting is the removal of 1s from the network mask. Thus one might have /23, /22, /21 or /20 supernet masks.
- Conversion from binary to decimal and back is based on the base of each system: 2 for binary, 10 for decimal and so on. The position of a digit in a number, counting from zero at the right, determines the power to which the base is raised; the digit is the number by which that power of the base is multiplied. Sum over all digits to get the number in decimal. For example, 123 in base 8 is 1*8^2 + 2*8^1 + 3*8^0 = 83 in decimal. To minimize errors it is best to use a calculator.
- Variable length subnet masks (VLSMs) allow subnets to be subnetted themselves, making large organizations' use of network address space more efficient. They allow administrators to create subnets of varying sizes.
- Classless Inter-Domain Routing (CIDR, defined in RFC 1519) using variable length subnet masks (VLSM) was created to allow greater flexibility with routed IP networks and to cope with the accelerating expansion of the Internet.
- VLSMs use subnet IDs to create subnets of different sizes; they are not compatible with old classful routing protocols such as RIP v1.
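The following Python script is an added worked example, not part of the original guide, that carries out the arithmetic of [1.3], [1.8] and [1.9]: the AND-with-mask test a host performs to decide between local delivery and the default gateway, CIDR prefix to mask conversion, the 2^n - 2 host count, the all-0s/all-1s host ID check, classification of an address as APIPA, RFC 1918 private or public, and a VLSM split of one block into subnets of varying sizes. It goes slightly beyond the text in rejecting a mask whose 1 bits are not contiguous. All addresses in it are constructed sample values.

```python
"""Subnet arithmetic from [1.8]/[1.9] done with explicit bit operations.
Python's ipaddress module does the same; it is avoided here so that the
AND-with-mask logic the host actually performs stays visible."""

ALL_ONES = 0xFFFFFFFF


def ip_to_int(address: str) -> int:
    """Dotted-quad string to the 32-bit integer it represents."""
    parts = address.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {address!r}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")


def int_to_ip(value: int) -> str:
    return ".".join(str(b) for b in value.to_bytes(4, "big"))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00: 'prefix' leading 1 bits, the rest 0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return (ALL_ONES << (32 - prefix)) & ALL_ONES


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24, rejecting masks whose 1 bits are not contiguous."""
    value = ip_to_int(mask)
    prefix = bin(value).count("1")
    if prefix_to_mask(prefix) != value:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def network_id(address: str, prefix: int) -> str:
    """Host bits all 0: the address AND the mask."""
    return int_to_ip(ip_to_int(address) & prefix_to_mask(prefix))


def broadcast(address: str, prefix: int) -> str:
    """Host bits all 1: the network ID OR the inverted mask."""
    mask = prefix_to_mask(prefix)
    return int_to_ip((ip_to_int(address) & mask) | (~mask & ALL_ONES))


def usable_hosts(prefix: int) -> int:
    """2^(32 - prefix) - 2: the network ID and broadcast are not host addresses."""
    return max(2 ** (32 - prefix) - 2, 0)


def is_local(my_address: str, prefix: int, destination: str) -> bool:
    """The sender's decision: AND its own address and the destination with its
    own mask; equal results mean deliver on the local segment (ARP for the
    destination), otherwise hand the packet to the default gateway."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(my_address) & mask) == (ip_to_int(destination) & mask)


def is_valid_host(address: str, prefix: int) -> bool:
    """A host address may not have host bits all 0 (network ID) or all 1 (broadcast)."""
    mask = prefix_to_mask(prefix)
    host_bits = ip_to_int(address) & ~mask & ALL_ONES
    return host_bits not in (0, ~mask & ALL_ONES)


# RFC 1918 private blocks and the APIPA block from [1.3].
PRIVATE_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))
APIPA_BLOCK = ("169.254.0.0", 16)


def classify(address: str) -> str:
    """'apipa' means DHCP failed and the host configured itself; 'unassigned'
    is the all-zero address of a released lease that was never renewed."""
    if address == "0.0.0.0":
        return "unassigned"
    if network_id(address, APIPA_BLOCK[1]) == APIPA_BLOCK[0]:
        return "apipa"
    if any(network_id(address, p) == net for net, p in PRIVATE_BLOCKS):
        return "private"
    return "public"


def vlsm_split(network: str, prefix: int, host_counts: list) -> list:
    """Carve one block into subnets of varying sizes (VLSM), largest first so
    that every subnet starts on a boundary of its own size. Each subnet gets
    the smallest power of two that holds the requested hosts plus 2."""
    base = ip_to_int(network)
    if base & ~prefix_to_mask(prefix) & ALL_ONES:
        raise ValueError("network address has host bits set")
    end = base + 2 ** (32 - prefix)
    cursor, subnets = base, []
    for needed in sorted(host_counts, reverse=True):
        size = 4
        while size - 2 < needed:
            size *= 2
        if cursor + size > end:
            raise ValueError("block too small for the requested subnets")
        subnets.append((int_to_ip(cursor), 32 - (size.bit_length() - 1)))
        cursor += size
    return subnets


if __name__ == "__main__":
    me, pfx = "192.168.2.12", mask_to_prefix("255.255.255.0")
    print(network_id(me, pfx), broadcast(me, pfx), usable_hosts(pfx))
    print(is_local(me, pfx, "192.168.2.200"), is_local(me, pfx, "192.168.3.1"))
    print(vlsm_split("192.168.0.0", 24, [100, 50, 10]))
```

Running the script with the guide's own 192.168.2.12/24 example shows network ID 192.168.2.0, broadcast 192.168.2.255 and 254 usable hosts; the VLSM call splits a /24 into a /25, a /26 and a /28, which is the kind of allocation RIP v1 cannot carry because the mask is no longer implied by the class.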
[1.10] Other points
- The administrator can install File and Print Services for Macintosh, but only Print Services for Unix
- TCP/IP is installed by default by Windows setup
- The following are installed as part of Simple TCP/IP Services: Character Generator, Daytime, Discard, Echo, Quote of the Day
- The ARP (MAC address) cache on a computer can be cleared manually with the arp -d command; unused entries expire on their own after 2 minutes
- Most computers on the network use DHCP for addressing, as it produces fewer human errors than static addressing. Static addressing is used for servers.
Part 2: Troubleshooting and monitoring TCP/IP
[2.1] Analyzing traffic using network monitor
- A frame is the encapsulation of network interface layer (layer 2) data. Each frame contains the source and destination hardware addresses, the header of the protocol used to send the data, and the data itself.
- A packet is the encapsulation of internet layer (layer 3) data
- There are two versions of Network Monitor. The basic version ships with Windows Server 2003 and captures only frames sent to or from the local computer. The network administrator needs to purchase the advanced version from Microsoft; it can capture data from all devices on a network segment, provided the administrator used hubs rather than the more common switches.
- Network Monitor is made up of two components: the administrative tool called Network Monitor and an agent called Network Monitor Driver
- Network Monitor Driver can be installed by itself on Windows XP/2000/2003 PCs in the same way one installs a new protocol
- The monitor can be used to find a NIC's MAC address, a computer's GUID and much other useful information
- Parsing is the process of reading, analyzing and describing the contents of frames. The administrator can add new parsers to Network Monitor by copying parser DLL files into the %systemroot%\system32\Netmon\Parsers folder and modifying the parser.ini file in the %systemroot%\system32\Netmon folder. By default Network Monitor supports over 90 protocols.
[2.2] Problems with TCP/IP connections
- Network Diagnostics is a graphical tool the administrator can access from Help and Support, Tools. Users can save its output to a file for examination by the network administrator.
- Netdiag is a command line tool used to run many different network tests. The administrator needs to install it first from the Windows CD; the Support Tools installer is suptools.msi.
- Tracert - shows the path a packet takes to reach a given destination. It does this by sending ICMP echo requests with increasing TTL values in the IP header. Up to 30 hops by default; tells the administrator where connectivity stops.
- Pathping - like tracert, shows the path a packet takes to reach a given destination, but also shows detailed per-hop loss and latency statistics. Used to troubleshoot erratic network behaviour such as packets being delayed or dropped, where tracert is used for basic connectivity.
- Arp - shows the ARP cache on the PC. Sometimes computers on the local network have wrong MAC addresses for each other cached and thus cannot communicate; use arp to check whether the addresses are correct. To clear the ARP cache use arp -d. arp -a lists the hardware address mappings; if they check out, look for a hardware problem.
- If the administrator is able to ping the loopback address, the PC's own address and the local gateway but no other PCs, the problem is most likely a corrupted ARP cache.
- Troubleshooting order: loopback (127.0.0.1), local PC address, default gateway, remote host by IP, remote host by name.
Part 3: Implementing, configuring and troubleshooting DNS servers
[3.1] Differences between DNS and NetBIOS
- NetBIOS (Network Basic Input Output System) is not a naming system by itself; it is an API that provides naming and name resolution services
- DNS is the preferred name resolution system in Windows, but unlike NetBIOS it needs configuration
- NetBIOS is used for browsing the Microsoft Windows Network through My Network Places and for connecting to shares using UNC paths (File and Printer Sharing for Microsoft Networks)
- The NetBIOS name space is flat, while DNS is hierarchical
- NetBIOS name - identifies a NetBIOS service listening on the first IP address bound to the adapter
- The maximum computer name length in NetBIOS is 15 bytes (characters), while in DNS a host name can be up to 63 bytes and an FQDN up to 255. When the computer name is longer than 15 characters, the NetBIOS name is the first 15 characters of the computer name.
- To view the NetBIOS PC name go to System Properties -> Network Identification -> Properties -> More
- Host name - the first label of an FQDN; it can be assigned to just about any network interface with an IP address bound to it
- Primary DNS suffix - also known as the primary domain name or the domain name, specified on the Computer Name tab
- FQDN - DNS name that uniquely identifies the computer on the network. It is the concatenation of the host name, the primary DNS suffix and a trailing period. The full computer name is a type of FQDN; the same computer can be identified by more than one FQDN, but only the FQDN that concatenates the host name and the primary DNS suffix is the full computer name.
- NetBIOS resolves names through the local NetBIOS name cache, the WINS server, NetBIOS broadcast and the LMHOSTS file (that is the order for the default hybrid node type)
- DNS resolves names through the DNS server or the Hosts file, whose contents are part of the client resolver cache. Entries added to the Hosts file are immediately loaded into the resolver cache.
- Both the LMHOSTS and Hosts files are located in the %systemroot%\system32\drivers\etc folder
- Nbtstat is used to interact with NetBIOS from the command line: -c lists the remote name cache, -R purges the cache and reloads the #PRE entries from LMHOSTS, -n lists the local NetBIOS name table
- DNS is required for Windows 2000/2003 domains (AD) and for the Internet
- NetBIOS is needed by older Windows operating systems and workgroups: Windows 95/98/Me/NT
- NetBIOS over TCP/IP is enabled by default for all local area connections. The administrator can disable it from the TCP/IP properties (WINS tab) to reduce the attack surface, but users will then no longer be able to use the Computer Browser service.
- A Windows Server 2003 client computer always tries to resolve names using DNS before NetBIOS
[3.2] DNS as part of Windows Network
- DNS is a hierarchical system based on a tree structure called the DNS namespace
- Each DNS namespace has a root that can have an unlimited number of subdomains. The root is an empty label, written as a lone dot.
- Every node in the DNS namespace has a specific name by which it can be identified, called an FQDN
- The dot is the standard separator between domain labels. The dot also separates the root from the subdomains, but it is usually omitted by the end user and added automatically by the DNS Client service during a query.
- On the Internet the DNS root and top-level domains are under the control of the Internet Corporation for Assigned Names and Numbers (ICANN)
- There are three types of Internet top-level domains: organizational (such as com), geographical (country codes) and reverse (in-addr.arpa)
- A DNS server can be authoritative for one or more zones, each of which contains one or more domains. A server is said to be authoritative for a zone if it hosts the zone as a primary or secondary server.
- When the DNS Client or DNS Server service is stopped, its cache is cleared
- The DNS client is installed by default; the server component is not
- A forwarder is a DNS server that another server uses to resolve queries outside its own zones
- A conditional forwarder setting examines the domain name in the query and forwards the query to a specific server based on the name asked for. All forwarder options are set from the Forwarders tab of the DNS server properties dialog box.
[3.3] DNS components
- A DNS zone is a portion of the DNS namespace for which a DNS server is authoritative. A server can be authoritative for one or more zones, and each zone can contain one or more domains. Zone files store resource records; they are usually text files, but on Windows 2000/2003 administrators have the option of Active Directory integrated zones.
- A DNS resolver is a service that uses the DNS protocol to query DNS servers for information. On Windows 2003 this is done by the DNS Client service.
- The third component is the DNS server itself. This breakdown holds for any DNS implementation.
[3.4] DNS server query process
- Each query message contains the following information:
  o The DNS domain name as an FQDN
  o The query type: a resource record type or a specialized type of query operation
  o The class for the DNS domain name
- When a user wants to resolve a name, the first place the DNS Client service looks is the local resolver cache (which includes the Hosts file)
- If local resources don't resolve the name, the DNS client uses the server search list to query the preferred DNS server; if it is unavailable, alternate DNS servers are used according to their position on the server list
- The DNS server, after receiving a query, first checks whether it is authoritative for the domain in question; if it is not, it checks its local cache for already answered queries. If that doesn't resolve the name either, a recursive lookup is performed.
- For recursion the DNS server needs to be configured with root hints, which by default are stored in the file cache.dns in the %systemroot%\system32\dns folder
- The server asks the appropriate root server for the address of a more knowledgeable server, then asks that server, and so on until it gets the answer. It is like walking the namespace tree.
- The most common responses to the client are: an authoritative answer, a positive answer, a referral answer and a negative answer.
- If recursion is disabled on the server, it sends a referral answer back to the client. The client then needs to perform iteration (repeated queries to different DNS servers, walking the DNS tree) to get the answer it seeks.
- When a query gets a positive answer it is frequently authoritative the first time around, while subsequent answers are non-authoritative. This is due to the DNS server caching the original answer.
- Reverse query - performed by taking an IP address in the form a.b.c.d and asking the DNS server for the name d.c.b.a.in-addr.arpa (ARPA stands for Advanced Research Projects Agency). The original DNS design had no practical way to map addresses back to names; the in-addr.arpa domain was added for that purpose. PTR records are just pointers back to A records.
[3.5] DNS client query process timeout
- The DNS client sends the query to the preferred DNS server on the preferred adapter and waits 1 second for a response
- If no response is received, the client sends the query to the first server on all adapters and waits 2 seconds
- If there is still no response, the client sends the query to all DNS servers on all adapters and waits 2 seconds
- If there is still no response, the client sends the query to all servers again and waits 4 seconds, then again and waits 8 seconds
- If after all of the above the client gets no response, it returns a timeout to the calling process (1 + 2 + 2 + 4 + 8 = 17 seconds after the first send)
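As an added illustration that is not part of the original guide, the Python below encodes the schedule above and runs it against an in-memory stand-in for the network, so the delay an application experiences becomes visible: one second per lookup when only an alternate server answers, three seconds when only the second server on the preferred adapter is up, and 17 seconds before a timeout is reported when nothing answers. The adapter names, server addresses and the record it resolves are constructed sample data.

```python
"""Failover schedule of the Windows 2000/XP/2003 DNS Client ([3.5]) run
against an in-memory stand-in for the network, to show the delay an
application sees when some or all DNS servers are down."""

from typing import Callable, Dict, List, Optional, Sequence, Tuple

Responder = Callable[[str, str], Optional[str]]

# Constructed configuration: adapter -> ordered DNS servers; first adapter is preferred.
ADAPTERS: Dict[str, List[str]] = {"LAN": ["10.0.0.10", "10.0.0.11"], "VPN": ["10.8.0.1"]}
RECORDS = {"srv1.example.local": "10.0.0.50"}  # constructed zone content


def query_plan(adapters: Dict[str, List[str]]) -> List[Tuple[List[str], int]]:
    """(servers queried together, seconds waited) for each step of the schedule."""
    names = [n for n in adapters if adapters[n]]
    preferred = [adapters[names[0]][0]]
    first_on_all = [adapters[n][0] for n in names]
    every_server = [s for n in names for s in adapters[n]]
    return [(preferred, 1), (first_on_all, 2), (every_server, 2),
            (every_server, 4), (every_server, 8)]


def resolve(name: str, adapters: Dict[str, List[str]],
            responder: Responder) -> Tuple[Optional[str], int]:
    """Returns (answer, seconds elapsed). Any response, positive or negative,
    ends the search; only silence moves on to the next step. After the last
    step the client reports a timeout, 1+2+2+4+8 = 17 s after the first send."""
    elapsed = 0
    for servers, wait in query_plan(adapters):
        for server in servers:
            answer = responder(server, name)
            if answer is not None:
                return answer, elapsed
        elapsed += wait
    return None, elapsed


def make_responder(up: Sequence[str], records: Dict[str, str]) -> Responder:
    """Fake network: servers listed in 'up' answer from 'records' ('NXDOMAIN'
    for unknown names, which is still a response); all others never reply."""
    def responder(server: str, name: str) -> Optional[str]:
        if server not in up:
            return None
        return records.get(name.lower().rstrip("."), "NXDOMAIN")
    return responder


def lookup_delay(name: str, up: Sequence[str]) -> Tuple[Optional[str], int]:
    """Resolve 'name' with only the servers in 'up' responding."""
    return resolve(name, ADAPTERS, make_responder(up, RECORDS))


if __name__ == "__main__":
    for up in (["10.0.0.10"], ["10.0.0.11"], ["10.8.0.1"], []):
        print(up, lookup_delay("srv1.example.local", up))
```

The practical lesson is the one the schedule implies: a dead preferred server does not break name resolution, but it taxes every lookup that is not already cached with a one-second delay, which is why an unreachable preferred DNS server shows up as a "slow network" complaint rather than an outage.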
[3.6] Configuring DNS server
- The network administrator can create two types of zones, forward lookup or reverse lookup. In a forward lookup zone the FQDN is mapped to an IP address; this is the conventional zone. In a reverse lookup zone the IP address is mapped to an FQDN.
- There are four DNS server roles with respect to a zone. The role is per zone: if our server is primary for zone A we say it is in the primary role for A, while the same server can be secondary for a different zone B, in which case it is in the secondary role for B:
  o Primary - holds the original, writable copy of the zone data
  o Secondary - holds a read-only copy of the zone data
  o Stub - a copy of a zone containing only the resource records necessary to identify the authoritative DNS servers for the master zone (SOA, NS and the glue A records); enables a parent zone to keep an updated list of the name servers in a child zone
  o Caching only - stores no zones at all
- When the administrator wants to decrease the amount of name resolution traffic while avoiding zone transfer traffic, install a caching-only server
- When the DNS server is installed it is automatically configured to act as a caching-only server
- When a zone is created it automatically contains SOA and NS records
- To view the contents of the DNS server cache the administrator needs to select 'Advanced' from the View menu
- In a zone file, lines that are blank or start with ; (semicolon) are ignored by the DNS server
- The master server is the server from which a secondary server obtains zone information (it can be a primary server or another secondary server)
- When DNS zone data is stored in AD (AD integrated) all DNS servers hosting the zone become peers; any of them can accept updates
- In non-Microsoft DNS implementations a secondary zone is also known as a slave zone, and a primary zone as a master zone
[3.7] Resource records
- Resource records have the following syntax: Owner TTL Class Type RDATA
- Owner - the name of the host or DNS domain to which this resource record belongs
- Time to live (TTL) - a 32 bit integer giving the time, in seconds, for which the record may be cached
- Class - protocol family in use; optional field, IN (Internet class) for Windows based DNS service
- Type - for example A or TXT
- RDATA - where the actual resource record data is stored
[3.8] Basic resource record types
- Host (A) - the most common record type, used to map a computer name to an IP address. Administrators can add them manually; they can be registered by the DHCP Client service on the host itself, or registered by proxy (by the Windows Server 2003 DHCP server) on behalf of older Windows clients.
- Alias (CNAME) - canonical name records. They allow an alternative name to point to a host. They are quite often abused. They are recommended for use when a generic service name such as ftp needs to resolve to a group of computers, or when renaming a host.
- MX - mail exchange records point to the mail servers for a given domain. More than one is used for fault tolerance (if the company can afford the extra hardware and software needed); each carries a preference value, and the lowest preference is tried first.
- PTR - pointer records are used to perform reverse lookups. Reverse lookups are performed in zones rooted at in-addr.arpa. Created the same way as an A record; the two are the inverse of each other.
- SRV - service locator records specify the location of services in a domain. Windows Server 2003 AD uses SRV records; all the records needed by AD can be found in Netlogon.dns in the %systemroot%\System32\Config folder. If the records need fixing use netdiag /fix.
- NS - name server records indicate which DNS server(s) are designated as authoritative for the zone. Any server listed in an NS record is considered an authoritative source for the zone by other servers. It is able to answer with certainty any query for names in the zone.
- SOA - start of authority indicates the name of origin for the zone and contains the name of the server that is the primary source of information about the zone. It also carries the other basic properties of the zone: the primary DNS server, the responsible person's mailbox, the serial number, the refresh, retry and expire intervals and the minimum (default) TTL. The SOA record is always the first record in any standard zone.
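Added example, not part of the original guide: a small Python parser for a standard text zone file that applies the record syntax from [3.7] (owner, optional TTL, optional class, type, RDATA), ignores blank lines and ';' comments as described in [3.6], insists on the SOA record coming first, and then derives the in-addr.arpa PTR records that mirror the A records, as described under reverse queries in [3.4] and under PTR above. The domain example.local and the zone content are constructed for the example; the parser supports only the $TTL directive and the record types listed in [3.8].

```python
"""Parser for a standard text zone file using the record syntax from [3.7]
(Owner TTL Class Type RDATA, TTL and Class optional), skipping blank lines
and ';' comments as in [3.6], and deriving reverse-lookup PTR records from
the A records ([3.4], [3.8]). Only the $TTL directive is supported."""

from dataclasses import dataclass
from typing import Iterator, List, Optional

TYPES = {"SOA", "NS", "A", "CNAME", "MX", "PTR", "SRV", "TXT"}


@dataclass
class ResourceRecord:
    owner: str
    ttl: Optional[int]
    rclass: str
    rtype: str
    rdata: str


def strip_comment(line: str) -> str:
    """Remove a ';' comment, but not a ';' inside a quoted TXT string."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line


def logical_lines(text: str) -> Iterator[str]:
    """One record per item; '( ... )' continuations (as in SOA) are joined."""
    buf = ""
    for raw in text.splitlines():
        line = strip_comment(raw)
        buf = line if not buf else buf + " " + line.strip()
        if buf.count("(") > buf.count(")"):
            continue
        yield buf.replace("(", " ").replace(")", " ")
        buf = ""


def parse_zone(text: str, origin: str) -> List[ResourceRecord]:
    """Owner '@' is the origin, a relative owner gets the origin appended,
    and a line starting with whitespace repeats the previous owner."""
    records: List[ResourceRecord] = []
    default_ttl: Optional[int] = None
    last_owner = origin
    for line in logical_lines(text):
        if not line.strip():
            continue  # blank or comment-only line: ignored by the server
        if line.startswith("$"):
            if line.startswith("$TTL"):
                default_ttl = int(line.split()[1])
                continue
            raise ValueError(f"unsupported directive: {line.split()[0]}")
        fields = line.split()
        if line[0].isspace():
            owner = last_owner
        else:
            owner = fields.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
        ttl = int(fields.pop(0)) if fields and fields[0].isdigit() else default_ttl
        rclass = fields.pop(0).upper() if fields and fields[0].upper() in ("IN", "CH", "HS") else "IN"
        if not fields or fields[0].upper() not in TYPES:
            raise ValueError(f"unknown record type in: {line.strip()!r}")
        rtype = fields.pop(0).upper()
        records.append(ResourceRecord(owner, ttl, rclass, rtype, " ".join(fields)))
        last_owner = owner
    if not records or records[0].rtype != "SOA":
        raise ValueError("a standard zone must begin with its SOA record")
    if not any(r.rtype == "NS" for r in records):
        raise ValueError("zone has no NS record")
    return records


def reverse_name(address: str) -> str:
    """a.b.c.d -> d.c.b.a.in-addr.arpa."""
    return ".".join(reversed(address.split("."))) + ".in-addr.arpa."


def ptr_records(records: List[ResourceRecord]) -> List[ResourceRecord]:
    """The PTR record that mirrors each A record, as the reverse zone holds it."""
    return [ResourceRecord(reverse_name(r.rdata), r.ttl, r.rclass, "PTR", r.owner)
            for r in records if r.rtype == "A"]


# Constructed sample zone for the hypothetical domain example.local.
SAMPLE_ZONE = """\
$TTL 3600
; forward lookup zone for example.local
@        IN SOA  dc1.example.local. hostmaster.example.local. (
                 2004061701 900 600 86400 3600 )
@        IN NS   dc1.example.local.
dc1      IN A    192.168.2.10
web      600 A   192.168.2.20   ; explicit TTL, class defaults to IN
www      IN CNAME web.example.local.
@        IN MX   10 mail.example.local.
mail     IN A    192.168.2.25
         IN TXT  "v=spf1 mx ; -all" ; a semicolon inside quotes is data
"""

if __name__ == "__main__":
    for record in parse_zone(SAMPLE_ZONE, "example.local.") + ptr_records(parse_zone(SAMPLE_ZONE, "example.local.")):
        print(record)
```

Two details are worth noting when reading real zone files with this: the TTL on a record falls back to the $TTL default when omitted, so two A records with different effective TTLs produce PTR records with different TTLs, and the SOA parentheses are joined into one logical record before parsing, which is why the serial and intervals appear inside its RDATA.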
[3.9] Configuring client computers for use of DNS
- In order to configure DNS on a client system an administrator needs to do three things:
  o Set the host name for each computer that is going to use DNS. It can have up to 63 bytes (up to 15 characters for NetBIOS compatibility), may contain only letters, digits and '-', and is not case sensitive
  o Set the primary DNS suffix for each computer. The suffix together with the host name forms the FQDN; it is set from System Properties -> Computer Name -> Change -> More. By default it is the same as the name of the AD domain the PC is a member of
  o Finally, enter the list of DNS servers the client is to use, in order, starting with the preferred DNS server
- The administrator may configure a connection-specific DNS suffix for each adapter on the DNS client PC. This is done from the Advanced TCP/IP Settings dialog box; it gives a different FQDN to the same computer so that it can be addressed on a different subnet in addition to its full DNS computer name. For each such FQDN and for the full computer name, A and PTR records are created in the appropriate zones and DNS servers.
- If the network administrator configures a DNS suffix search list, the computer will be able to resolve single-label and multi-label unqualified names using those suffixes. By default (no search list), the search is performed using the primary DNS suffix and, if applicable, the connection-specific suffixes.
- ipconfig /displaydns shows the DNS resolver cache on the client; ipconfig /flushdns clears it
- When a query is submitted with an unqualified name, the client service by default appends the primary DNS suffix and tries the query. If that doesn't work it appends each connection-specific DNS suffix and retries. If there is still no positive response, the client appends the parent suffix of the primary DNS suffix (devolution) and performs a final check.
- If another PC can ping the user's computer only by IP address and not by name, try ipconfig /registerdns on the user's computer (Windows XP/2000/2003) to re-register its A and PTR records
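Added example, not from the original guide, showing the client-side naming rules of [3.1] and [3.9] in Python: the 15-character NetBIOS name derived from a computer name, host-name validation, the full computer name built from host name and primary DNS suffix, and the ordered list of FQDNs the DNS Client tries for an unqualified name, with and without a suffix search list. Two assumptions go beyond the text and are marked in the code: devolution continues past the first parent until two labels remain, which is the Windows 2000/XP/2003 default, and a multi-label unqualified name is tried as an FQDN before suffixes are appended. All names and suffixes are constructed sample values.

```python
"""Client-side naming rules from [3.1] and [3.9]: the NetBIOS name derived
from the computer name, the full computer name (host name + primary DNS
suffix) and the candidate FQDNs the DNS Client tries for an unqualified name."""

import re
from typing import List, Optional

# Letters, digits and '-', 1..63 bytes, no leading or trailing '-'.
HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_host_name(name: str) -> str:
    """Reject anything outside the allowed character set; names are not case
    sensitive, so the canonical lower-case form is returned."""
    if not HOST_LABEL.match(name):
        raise ValueError(f"invalid DNS host name: {name!r}")
    return name.lower()


def netbios_name(computer_name: str) -> str:
    """First 15 characters of the computer name, upper-cased. The 16th byte
    of a NetBIOS name is the service suffix and is not typed by the admin."""
    return computer_name[:15].upper()


def full_computer_name(host_name: str, primary_suffix: str) -> str:
    """FQDN = host name + '.' + primary DNS suffix + trailing dot (the root)."""
    fqdn = f"{validate_host_name(host_name)}.{primary_suffix.strip('.').lower()}."
    if len(fqdn) > 255:
        raise ValueError("FQDN exceeds 255 bytes")
    return fqdn


def devolve(suffix: str) -> List[str]:
    """corp.example.local -> [corp.example.local, example.local]. Assumption:
    devolution strips leading labels until two labels remain (Windows default)."""
    labels = suffix.strip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def query_candidates(name: str, primary_suffix: str, connection_suffixes: List[str],
                     search_list: Optional[List[str]] = None) -> List[str]:
    """Names the DNS Client submits, in order, for what the user typed.
    A trailing dot means fully qualified: sent as is, no suffixes appended.
    With a configured search list only those suffixes are appended; otherwise
    the primary suffix, then connection-specific suffixes, then the devolved
    parents of the primary suffix."""
    if name.endswith("."):
        return [name.lower()]
    name = name.lower()
    candidates: List[str] = []
    if "." in name:
        candidates.append(name + ".")  # assumption: multi-label name tried as FQDN first
    if search_list:
        suffixes = list(search_list)
    else:
        suffixes = [primary_suffix] + list(connection_suffixes) + devolve(primary_suffix)[1:]
    for suffix in suffixes:
        fqdn = f"{name}.{suffix.strip('.').lower()}."
        if fqdn not in candidates:
            candidates.append(fqdn)
    return candidates


if __name__ == "__main__":
    print(netbios_name("FileServerAccounting01"))
    print(full_computer_name("srv1", "corp.example.local"))
    print(query_candidates("srv1", "corp.example.local", ["vpn.example.local"]))
    print(query_candidates("srv1.corp", "corp.example.local", [], ["example.local", "partner.test"]))
```

The candidate list is what makes a typo in the primary DNS suffix expensive: every unqualified lookup walks the whole list, and with devolution the last candidates may leave the organization's own namespace, which is also why a suffix search list is the safer configuration for clients in a deep AD tree.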
[3.10] Updating of client records in the DNS
Windows server 2000/2003 and BIND 8.1.2 or later can accept dynamic updates of A andPTR records performed by clients or on behalf of clients by DHCP server.
By default, clients with static IP address attempt to update both A and PTR records for allIPs. Registration is based on domain membership settings.
Windows 2000/XP/2003 computers with a dynamic address (assigned by DHCP) attempt to update only their A records (the PTR record is left for the DHCP server to update if needed). The client contacts the server every 24h to refresh the mapping unless one of the following occurs:
o Computer name changes
o Member computer is promoted to the role of DC
o One of the following commands is used: ipconfig /release, ipconfig /renew, ipconfig /registerdns
o The local IP address changes, including a new IP address lease from the DHCP server
Computers with an operating system earlier than Windows 2000 (i.e. 95/98/Me) that use a dynamic address have the DHCP server do all the work (both A and PTR records, because the client is unaware of dynamic update functionality). The user can force registration by the client using ipconfig /registerdns.
[3.11] DNS server properties
Interfaces - which IP addresses the server computer should listen on for requests; by default all IP addresses.
Forwarders - allows setting up upstream DNS servers to which the current DNS server will forward queries. Forwarding only selected queries (per domain) is called conditional forwarding. This tab allows the administrator to disable recursion (on a per-domain basis) for queries that have been sent to a forwarder (by default, if the forwarder fails to resolve, the local server tries to resolve using recursion). When DNS server A has forwarder server B set and server A has recursion disabled, server A is called a slave server since it is totally dependent on server B (the forwarder) for queries it cannot resolve locally. The default timeout for a forwarded query is 5 seconds.
Advanced tab - allows enabling and disabling of special features. If the administrator disables recursion here then it is disabled for all queries, and forwarders are disabled as well.
Root hints - this tab contains a copy of the information found in the %systemroot%\system32\dns\cache.dns file. The list of root servers rarely changes; network administrators can get the latest file from ftp://rs.internic.net/domain/named.cache. The administrator should delete this file if the DNS server is a root server, in which case this screen is disabled.
Debug logging - allows the network administrator to troubleshoot his DNS server by logging selected incoming and outgoing packets. Debug logging is a processor and resource intensive operation.
Event logging - allows the network administrator to restrict the events written to the DNS event log.
Monitoring - two basic functionality tests are performed here. The first test is a reverse query targeted at the server itself; the second test is a reverse query targeted at a root DNS server. Administrators can schedule these tests to run at set time intervals.
Security - this tab is available only if the DNS server is also a domain controller; it allows one to configure which users are given permission to view, edit and set DNS zone data.
[3.12] Configuring Zone properties
General tab - used to configure zone type, zone file name, dynamic updates and aging. Administrators can pause name resolution for a zone. AD integrated zones have replication settings enabled; the administrator can select to which servers DNS replication data is sent. There are three dynamic update settings for AD integrated zones: none, non-secure and secure. Aging is the process of placing a time stamp on a dynamically registered resource record and then tracking the record's age. Scavenging is the process of deleting outdated records. When aging and scavenging are enabled, the zone files are not compatible with Windows DNS servers older than Windows 2000.
Start of authority (SOA) tab - the administrator can set a serial number which acts as a revision number; it is used to synchronize zone transfers. The Primary server box contains the full name of the server; it must end with a period. Responsible person is the domain mailbox name of the responsible person and should always end with a period. Refresh interval is the amount of time the secondary server will wait before checking the master server for an updated copy of the zone; by default it is 15 minutes. Retry interval is the amount of time (default 10 min) the secondary server waits before retrying a failed zone transfer. Expires after is the amount of time a secondary server without contact with the master server continues to answer queries; the default is 1 day, after which the data is considered unreliable. Minimum (default) TTL is the time to live applied to all resource records in the zone; the default is 1 hour. TTL for this record is the TTL for the SOA resource record itself and overrides the general TTL setting above this box.
Name Servers tab - this tab allows the administrator to create NS resource records; they can be created only here (unless created manually). Every zone must contain at least one NS record. In Windows Server 2003, for primary zones the zone transfer is allowed by default only to the servers specified in the Name Servers tab.
Security tab - ACL that defines who can manage and modify zone file data.
WINS tab - used to configure WINS servers to aid in name resolution. When the administrator configures WINS, a WINS resource record is added to the zone database. If WINS and DNS servers are set for forward and reverse zones, then data is added to both forward and reverse zones.
Zone transfer tab - allows the system administrator to restrict the servers to which zone data will be transferred. Primary servers have zone transfers either disabled or limited to the NS tab servers. The administrator can also specify the servers to which data is to be transferred by IP address. Secondary servers by default don't allow zone transfers; they need to be enabled first. The 'to any server' setting was enabled by default on Windows 2000, but it was a huge security hole. The administrator can also notify the secondary servers of a zone file change; notification is enabled by default. There is no need for notification in AD integrated zones. If the server to which DNS data is to be transferred has multiple IP addresses on the same subnet, then they all have to be included for transfers to be successful.
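As an added example (not the guide's or Microsoft's code), the policy choices on this tab can be modelled as a small object with two checks an administrator would run against it: whether a given requester would be served, and whether a multi-homed secondary has all of its addresses allowed. The mode names and all addresses are constructed for the example.

```python
import ipaddress

# Added example, not the guide's or Microsoft's code. Models the Zone Transfers
# tab choices as a policy object plus the checks an administrator would run.
DISABLED, TO_NS_SERVERS, TO_LISTED_IPS, TO_ANY = "disabled", "ns", "list", "any"


class ZoneTransferPolicy:
    def __init__(self, mode, ns_server_ips=(), listed_ips=()):
        self.mode = mode
        # addresses of the servers listed on the Name Servers tab
        self.ns_server_ips = {ipaddress.ip_address(ip) for ip in ns_server_ips}
        # addresses typed in under 'only to the following servers'
        self.listed_ips = {ipaddress.ip_address(ip) for ip in listed_ips}

    def allows(self, requester_ip):
        """Would this server answer an AXFR/IXFR request from requester_ip?"""
        ip = ipaddress.ip_address(requester_ip)
        if self.mode == DISABLED:
            return False
        if self.mode == TO_NS_SERVERS:
            return ip in self.ns_server_ips
        if self.mode == TO_LISTED_IPS:
            return ip in self.listed_ips
        if self.mode == TO_ANY:
            return True
        raise ValueError(f"unknown zone transfer mode {self.mode!r}")


def missing_addresses(policy, secondary_ips):
    """Addresses of one secondary server that the policy does not allow.

    A secondary with several IPs on one subnet needs all of them allowed,
    because its transfer request may be sourced from any of them.
    """
    return [ip for ip in secondary_ips if not policy.allows(ip)]


def audit(policy):
    """Findings a reviewer would raise about the configured policy."""
    findings = []
    if policy.mode == TO_ANY:
        findings.append("zone transfers open to any host: the whole zone can be "
                        "read by anyone who can reach port 53")
    if policy.mode == TO_NS_SERVERS and not policy.ns_server_ips:
        findings.append("NS-only mode with no NS server addresses: no transfer can succeed")
    if policy.mode == TO_LISTED_IPS and not policy.listed_ips:
        findings.append("explicit list mode with an empty list: no transfer can succeed")
    return findings


if __name__ == "__main__":
    weak = ZoneTransferPolicy(TO_ANY)                                   # Windows 2000 default
    strict = ZoneTransferPolicy(TO_NS_SERVERS, ns_server_ips=["192.0.2.10"])
    print(audit(weak))
    print(missing_addresses(strict, ["192.0.2.10", "192.0.2.11"]))   # second IP not allowed
```

The `audit` function is the kind of check to script across all zones on a server: a zone still set to transfer to any server is the configuration the guide calls a huge security hole.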
[3.13] Configuring Zone properties - AD integration
Application directory partition - is replicated among DCs; the application directory partitions applicable to DNS are DomainDnsZones and ForestDnsZones. The name of each application directory partition is the previous name concatenated with the FQDN, for example DomainDnsZones.microsoft.com. The domain application directory partition is replicated to the domain's servers; the forest application directory partition is replicated to all servers in the forest. The administrator can add new application directory partitions for the use of the DNS server using dnscmd [server] /createdirectorypartition [full partition name (FQDN)]. To enlist other DNS servers in the partition the administrator needs to issue the command dnscmd [server] /enlistdirectorypartition [full partition name (FQDN)]. There are no application directory partitions on Windows 2000 (this is new to Windows 2003). To work with application directory partitions the administrator needs to be a member of the Enterprise Admins security group.
There are four options for zone data replication when the administrator chooses to use AD-integrated zones. On the General tab of the zone properties a button is available to change the zone replication scope when the zone is AD-integrated. Zone data can be replicated:
o To all DNS servers in the AD forest - broadest scope of replication
o To all DNS servers in the AD domain
o To all DCs in the AD domain [domain here] - select if Windows 2000 DNS servers are to load the AD zone
o To all DCs specified in the scope of the following application directory partition - replicates as the specified application directory partition does; if the zone is to be stored in the specified application directory partition, the DNS server hosting the zone must enlist in the application directory partition that contains that zone.
Secure dynamic updates can be performed only in AD-integrated zones; they use Kerberos for security. Only computers running Windows XP/2000/2003 are capable of secure updates.
DnsUpdateProxy group - used to solve a problem that occurs with secure dynamic updates. The computer that registered a record becomes its owner and is the only PC that can update it. Thus, for example, if the DHCP server registers the A record for a PC, the DHCP server becomes its owner, not the PC to which the A record points. When the DHCP server is a member of the DnsUpdateProxy group it is prevented from taking ownership of the record; a security-less entry exists until the real owner takes ownership of it.
Only primary zones can be AD-integrated. Secondary zones are always stored as text files; there are no AD-integrated secondary zones since AD integration makes all servers into peers.
[3.14] Advanced DNS server properties
Disable recursion - the DNS server uses recursion to resolve client queries if the default (disabled) state of this option is left as is. When the option is enabled the DNS server does not answer the query for the client but instead provides the client with referrals. When recursion is disabled the DNS server will not be able to use forwarders.
BIND Secondaries - when enabled, the DNS server does not use the fast transfer format when performing a zone transfer to a secondary server based on BIND. This allows for compatibility with older versions of BIND; versions 4.9.4 and later support fast zone transfer and this option should be disabled for these. The fast transfer format is efficient: it allows data compression and multiple records per TCP message, and it is always used among Windows based DNS servers. This option is enabled by default.
Fail on Load if Bad Zone Data - when this option is disabled (default setting) the DNS server will load a zone even if errors are found in the database file. Any errors that occur will be logged. When the option is enabled, a damaged zone database stops the load operation dead cold.
Enable netmask ordering - when selected (default setting) this option makes sure that when a client query matches multiple A records, the ones in the client's subnet are returned first in a response list that contains all matching records. This option is also referred to as LocalNetPriority (the name used for it in the dnscmd utility).
Enable round robin - this setting (enabled by default) ensures that for a query that matches multiple A records the first entries in the returned response list rotate from one response to the next. This method is used as a poor man's network load balancing. Local subnet priority is taken into consideration before round robin. When round robin is disabled, records are returned in the order they are in the zone file.
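The interplay of the two options above is easiest to see in code. The following is an added example, not the guide's or Microsoft's code: it orders the A records for one name the way the two settings describe, applying round robin first and then moving the client's local-subnet addresses to the front. It assumes a /24 prefix for the local-subnet test, and the addresses in the usage call are constructed.

```python
import ipaddress

# Added example (not the guide's or Microsoft's code): orders the A records
# returned for one name according to the netmask ordering and round robin
# options. Assumption: the local-subnet test uses a /24 prefix.


class AnswerSet:
    def __init__(self, addresses, netmask_ordering=True, round_robin=True):
        self.addresses = [ipaddress.ip_address(a) for a in addresses]  # zone file order
        self.netmask_ordering = netmask_ordering
        self.round_robin = round_robin
        self._queries = 0

    def answer(self, client_ip, prefix_len=24):
        """Return all matching addresses, ordered for this client."""
        ordered = list(self.addresses)
        if self.round_robin and ordered:
            # rotate the start point by one for every query answered
            shift = self._queries % len(ordered)
            ordered = ordered[shift:] + ordered[:shift]
        self._queries += 1
        if self.netmask_ordering:
            client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
            # stable sort: addresses on the client's subnet move to the front,
            # everything else keeps its round-robin order
            ordered.sort(key=lambda ip: ip not in client_net)
        return [str(ip) for ip in ordered]


if __name__ == "__main__":
    # constructed: three web servers, one of them on the client's subnet
    answers = AnswerSet(["10.0.1.5", "10.0.2.5", "10.0.1.6"])
    for _ in range(3):
        print(answers.answer("10.0.2.77"))
```

Run the usage call and the local address 10.0.2.5 stays first on every response while the two remote addresses rotate behind it, which is exactly why a client on that subnet never sees the "load balancing" that round robin provides to clients elsewhere.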
Secure cache against pollution - this setting (enabled by default) prevents the DNS server from accepting referrals that might pollute its cache or be insecure. The server will cache only those records whose name corresponds to the domain for which the original query was made; any others are discarded.
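The rule behind that setting is a bailiwick check: a record in a referral is only trusted if its owner name lies within the zone the referring server is answering for. The following is an added example, not the guide's or Microsoft's code, that applies the check to a constructed referral; the zone and record names are made up for the example.

```python
# Added example (not the guide's or Microsoft's code): the bailiwick rule
# behind 'Secure cache against pollution', applied to a constructed referral.


def in_bailiwick(owner_name, zone):
    """True if owner_name is zone itself or lies beneath it."""
    owner = owner_name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def filter_referral(queried_name, referral_zone, additional_records):
    """Split additional-section records into (cacheable, discarded).

    additional_records is a list of (owner_name, rtype, rdata) tuples as
    they arrived in a referral for referral_zone, which must be a parent
    of queried_name; records for names outside that zone are dropped.
    """
    if not in_bailiwick(queried_name, referral_zone):
        raise ValueError("referral zone is not a parent of the queried name")
    cacheable, discarded = [], []
    for record in additional_records:
        owner = record[0]
        (cacheable if in_bailiwick(owner, referral_zone) else discarded).append(record)
    return cacheable, discarded


# Constructed referral: the example.com servers answer a query for
# www.example.com with glue for their own name servers plus an unrelated
# record of the kind a polluting server might try to slip in.
REFERRAL = [
    ("ns1.example.com", "A", "192.0.2.53"),
    ("ns2.example.com", "A", "192.0.2.54"),
    ("www.bank.example.net", "A", "203.0.113.7"),  # outside the zone
]

if __name__ == "__main__":
    kept, dropped = filter_referral("www.example.com", "example.com", REFERRAL)
    print("cached:", kept)
    print("discarded:", dropped)
```

Note the `endswith("." + zone)` form: comparing suffixes without the leading dot would let notexample.com pass as part of example.com.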
Name checking - the default setting of Multibyte (UTF8) ensures that the DNS server verifies that all domain names conform to the Unicode Transformation Format (UTF). Use Strict RFC if the server cannot work with UTF; the other two options are only for special circumstances (they are: All names and Non RFC).
Load zone data on startup - specifies where initial zone data is to be loaded from; by default it is from Active Directory and the registry. Other storage options are the registry alone or a file. The file option is for BIND based DNS servers; the file is usually named Named.boot and is in the older BIND 4 format (not BIND 8).
Enable automatic scavenging of stale records - this option is disabled by default; when enabled the DNS server will perform scavenging of stale records automatically at pre-defined time intervals.
[3.15] Creating zone delegations
When the administrator delegates a zone he assigns a portion of the authority over the main DNS namespace to subdomains within that namespace. The responsibility is passed from the parent domain to the subdomain.
The network administrator should consider delegation when:
o There is a need for hosts whose names are structured around department affiliation
o The central company administrative body wants departments to handle their own business
o Network traffic is creating the need to distribute the query load over multiple DNS databases
The parent zone will need to contain the A record and the NS record of the child zone; both records are created automatically when a new delegation is created. The glue record (the A resource record) is hidden from the administrator's view, but it is still there.
The NS record is known as the delegation record; it is used for advertising the name server and performs the actual delegation. The A resource record is known as the glue record; it is needed if the authoritative server is itself in the delegated zone.
Delegation takes precedence over forwarding, i.e. if a server knows of a child zone that can answer the query it will contact it instead of forwarding the query.
[3.16] Stub Zones
A stub zone is a shrunk copy of a zone, updated at regular intervals, that contains only the NS records belonging to the master zone. As a result, the server that hosts the stub zone doesn't answer queries directly; instead it directs queries to the name servers specified in the stub zone's NS records.
A stub zone keeps all NS records from the master zone current. When the administrator configures a stub zone he needs to specify at least one name server whose IP address doesn't change. Any further name servers added to the zone will be added automatically through zone transfer. The administrator is unable to modify the stub zone data directly; the data is modified automatically when the parent zone changes.
Stale records (records that are no longer valid) can be left on the server. One common way this can happen is when a client PC is not allowed to clean up after itself, e.g. it is improperly disconnected from the network.
The following features of the DNS server in Windows 2003 help system administrators get rid of stale records:
o Records can have a time stamp attached to them in the primary zone (as per DNS server time); manually added records have a time stamp value of zero, indicating that they don't age
o Records are aged as per TTL. Secondary zones are scavenged by the primary server.
If stale records persist on the system, they may cause the following problems:
o Improper name resolution, e.g. a FQDN is prevented from being used by another PC
o Poor server performance: too many records to search and very large zone files to transfer
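As an added example (not the guide's or Microsoft's code), the time stamp rule stated above can be modelled in a few lines: a record with time stamp zero never ages, a dynamic record's time stamp is only advanced once the no-refresh interval has passed, and a record is scavenged once both the no-refresh and refresh intervals have elapsed since its time stamp. The 7-day values and the zone snapshot are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Added example (not the guide's or Microsoft's code). Models the time stamp
# rule from the guide (time stamp zero = manually added, never ages) and the
# no-refresh/refresh intervals that aging uses. The 7-day values are assumed
# here as the configured intervals.
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)


def refresh_timestamp(current_ts, update_time, no_refresh=NO_REFRESH):
    """New time stamp after a client re-registers its record.

    A static record (time stamp 0/None) stays static. A dynamic record's
    stamp only moves once the no-refresh interval has passed, so the
    24-hourly client re-registrations do not rewrite the record each day.
    """
    if not current_ts:
        return current_ts
    if update_time - current_ts < no_refresh:
        return current_ts
    return update_time


def stale_records(records, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Records that scavenging would delete at time `now`.

    records: iterable of (name, rtype, timestamp) where timestamp is a
    datetime, or 0/None for a manually created record.
    """
    cutoff = now - (no_refresh + refresh)
    return [r for r in records if r[2] and r[2] < cutoff]


# Constructed zone snapshot for the usage below.
SAMPLE_NOW = datetime(2004, 6, 17, 12, 0)
SAMPLE_ZONE = [
    ("fileserver", "A", 0),                                 # manual, never ages
    ("ws17", "A", SAMPLE_NOW - timedelta(days=20)),         # past both intervals
    ("ws18", "A", SAMPLE_NOW - timedelta(days=10)),         # inside the refresh window
]


def demo_stale_names():
    return [r[0] for r in stale_records(SAMPLE_ZONE, SAMPLE_NOW)]


if __name__ == "__main__":
    print("would scavenge:", demo_stale_names())
```

The point to take from `refresh_timestamp` is that a record re-registered every day still shows a time stamp up to a week old; that is expected and is not a sign the client has stopped registering.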
[3.19] Using DNS monitoring tools
To monitor the resource impact of the DNS server on the PC use Performance Monitor, perfmon.exe. The DNS object includes 62 different counters that the computer can keep track of.
For AD integrated zones there is the option of using AD native monitoring to trace the replication traffic. Replmon.exe from the Windows Support Tools is used to monitor and troubleshoot AD replication.
The replication monitor will display 5 or more directory partitions; the administrator needs to find out in which one the DNS zone data is stored. The command dnscmd /zoneinfo [domain name] can be used to find zone information. Once the directory partition is known, the administrator can use the replication monitor to force zone replication: r-click the directory partition and choose Synchronize with all servers. Any general replication errors are displayed by the replication monitor.
For more advanced AD debugging use the repadmin utility provided as part of the Windows Support Tools.
[3.20] Improving DNS server performance
By installing a caching-only server close to the clients the load on the primary and secondary servers is greatly decreased.
[3.21] Other points
The DNS cache is cleared each time the DNS service is restarted. The DNS cache can also be cleared using dnscmd /clearcache from the command line.
The DNS server test consists of a single reverse lookup of the loopback address; if it fails make sure you have a record named '1' in the reverse lookup zone 0.0.127.in-addr.arpa. Another test checks recursive DNS resolution.
A zone transfer is started when one of the following four events occurs:
o The refresh interval of the primary zone's SOA record expires
o The secondary server boots up (DNS service is restarted)
o A change occurs in the configuration of the zone records on the primary server and it notifies the secondary of the change
o The DNS console is used at the secondary server to manually initiate a transfer from the zone's master server
When a zone transfer occurs it is by default an incremental zone transfer (IXFR), which transfers only changed records; it is described in Request for Comments (RFC) 1995. Some older DNS servers that don't support IXFR will use a full zone transfer (AXFR), which is also supported by Windows Server 2003. The older standard transfers the whole DNS database.
Stub and secondary zone update operations explained:
o Reload - reloads the zone from the local storage of the DNS server hosting it
o Transfer from Master - the server hosting the zone checks its SOA record for expired data and performs a zone transfer from the zone's master server
o Reload from Master - this operation performs a zone transfer from the zone's master server regardless of the serial number or expiry date in the zone's SOA record
Part 4: Implementing, configuring and troubleshooting DHCP servers
[4.1] Configuring DHCP server
A DHCP server allows the system administrator to automatically assign IP addresses, subnet masks and other configuration information, like DNS and WINS servers, to client computers on the local network.
Through the use of a DHCP server network administrators save the time required for configuration and re-configuration of computers.
The administrator should install the DHCP service on a computer that was assigned a static IP address (this prevents clients from looking all over the subnet to get their addresses renewed).
You need administrative privileges to install and administer a DHCP server.
You need to authorize your DHCP server if it is to be integrated in an AD network (the person authorizing the DHCP server needs to be a member of the Enterprise Admins security group). Stand-alone DHCP servers can still be deployed but they should not share a subnet with authorized DHCP servers. Stand-alone servers that are deployed together with authorized servers are called rogue servers. The rogue server will automatically stop its DHCP service when it detects an authorized server on the subnet.
A DHCP scope is a pool of IP addresses within a logical subnet which the DHCP server assigns to its clients. Scopes provide for IP address management.
When an IP is offered to a client the IP address is said to be leased. When the lease is made it is said to be active. Leases are renewed for different reasons; the client will try to renew when 50% of the lease time has elapsed.
The DHCP server has to have an IP address compatible with the scope it is assigned, i.e. the server itself has to be in the scope.
The 80/20 rule - to provide fault tolerance in an environment with two DHCP servers, the first server (A) should have 80% of the addresses for its local subnet and 20% of the addresses for the subnet on which the other DHCP server (B) is present. The same assignment is repeated on server (B), which gets 80% of the addresses in its own subnet and 20% of the addresses in the subnet on which server (A) is present. This concept is applied when 2 or more DHCP servers are present.
Reservations are placements in the scope reserved for specific computers. You reserve an IP address for a specific network adapter using its MAC address. To create a new reservation, open the scope in which you want to create it, r-click Reservations and select New Reservation. Reservations cannot be used interchangeably with manual static configurations. Reservations don't work when an address is simultaneously reserved and excluded. Reservations are used as an alternative to static addresses for computers that are not essential to network function (i.e. not critical servers).
The scope needs to be activated before the server can hand out addresses (for AD integration the server also needs to be authorized). To activate a scope open the DHCP console, select the scope you want to activate and from the Actions menu select Activate.
Exclusion range - a group of IP addresses residing in the scope that the administrator doesn't wish to be leased to DHCP clients.
DHCP is an extension of the Bootstrap Protocol (BOOTP). The Microsoft DHCP server can assign addresses to BOOTP clients.
[4.2] DHCP scope options
DHCP options can be configured at the reservation, scope and server level. To configure options for a reservation, select it and from the Actions menu choose 'Configure Options'. To configure options for a scope select the Scope Options folder and then 'Configure Options'. To configure server options select the Server Options folder and then 'Configure Options'.
There are more than 60 different options available for the DHCP server; the most common (important) ones are:
o 003 Router - IP addresses of routers on the same subnet as the client, used by the client for packet forwarding
o 006 DNS servers - IP addresses of DNS servers
o 015 DNS domain name - domain name DHCP clients should use when resolving unqualified names during DNS domain name resolution; allows for client dynamic DNS update
o 044 WINS/NBNS servers - IP addresses of WINS servers
o 051 Lease - special lease option for remote clients
Options set on the DHCP server take effect when clients renew or obtain a new lease.
[4.3] DHCP scope features
Scope name page - you can give your scope a name
IP address range - you can define the starting and ending IP address of the scope and the subnet mask. You should choose a consecutive address range of the subnet and later exclude the computers with static addresses.
Add exclusions - these are the addresses that will not be leased to DHCP clients
Lease duration - length of the lease
Configure DHCP options - whether to configure DHCP options for the scope through further pages in the wizard or later in the DHCP console; you can configure options at the reservation level, scope level or server level. There are more than 60 different DHCP options.
Router (Default Gateway) - optional, which default gateway should be assigned to DHCP clients
Domain name and DNS servers - optional, which domain will be assigned as parent and which DNS servers will be given to the DHCP client
WINS servers - optional, addresses of WINS servers that are to be assigned to the DHCP client
Activate scope - optional, whether the scope will be activated after the DHCP wizard finishes
[4.4] Managing DHCP server
To change the DHCP server status open the DHCP console, go to the Actions menu and select one of Start, Stop, Pause, Restart and Resume.
You can also use the net command to change the status of the DHCP server; the command line syntax is net [start|stop|pause|continue] DHCP_server.
You can manage the DHCP server from the command line using the netsh command line tool with the dhcp subcommand.
A superscope is an administrative grouping of scopes that is used to support multiple logical subnets, also known as multinets, on a single network segment. They exist on one physical network and work with multiple logical networks. This method is used for the DHCP server to provide clients with addresses from multiple scopes. The administrator needs to delete the superscope before deleting any scope that is contained within it. A superscope groups scopes that can be activated together; it doesn't carry any details about the scopes.
To move a scope to a new addressing range first create a new scope with the new range, then activate it and deactivate the old scope. Either manually or by waiting make sure all clients move to the new scope, then delete the old scope.
If a superscope is not defined on a server then only one scope can be active at a time.
In order for the DHCP server not to assign an already assigned IP address to a new client, DHCP has conflict detection (Advanced tab of the DHCP server properties) in which the server pings the address it is about to assign in order to check whether it is free.
Multicast scope - regular DHCP scopes provide client configurations by allocating ranges of IP addresses from the standard classes (A, B, or C). The multicast address range uses an extra address class, D, IP addresses from 224.0.0.0 to 239.255.255.255, for use in IP multicasting. In every TCP/IP network each host gets its own IP address from the regular address classes. The unicast IP address is assigned before the host can support and use secondary IP addresses such as a multicast IP address. Multiple PCs can share the same multicast IP address. On private networks it is recommended to start with the 239.192.0.0 range. When a packet is sent with a destination that is a multicast address it gets delivered to all PCs that have that address. Multicast scopes are supported through the use of MADCAP (Multicast Address Dynamic Client Allocation Protocol).
The DHCP server performs a backup by itself every 60 minutes; you can also do a manual backup. A manual backup is performed with the Backup command in the DHCP console. When the backup is made the whole DHCP database is saved. Some things, like credentials, are not saved. The manual backup default location is %systemroot%\system32\dhcp\backup. The following data is backed up: all scope information including superscopes and multicast scopes, reservations, leases and all options. The database backup file is called DHCP.mdb.
To change the backup behaviour of the DHCP server, one needs to edit the following registry keys:
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupInterval\
o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters\BackupDatabasePath\
To migrate a DHCP server all you need to do is move the database: simply back it up and then restore it on the new computer.
Jetpack.exe is a tool that allows offline compaction and repair of Jet databases such as the DHCP or WINS database. You can use dynamic compacting of the DHCP server database without the need to bring the server offline, but offline defragmentation is more efficient. Compacting should be done whenever the database size grows beyond 30 MB or you get corruption errors.
Option class - a way for the DHCP server to manage the options provided to clients within a scope. When an option class is added, clients of that class can get class-specific configuration options. There are two types of classes, vendor classes and user classes.
o Vendor class is used to assign vendor-specific options to clients that share a common vendor
o User class is used to assign options to clients that share user-defined similarities
The DHCP server has a default user class called 'Default Routing and Remote Access'. Options in this class apply only to clients that request an address while connecting through Routing and Remote Access. You can set different options; for example you can assign shorter leases to the clients connected remotely (this is option number 051 Lease).
To create your own user or vendor class open the DHCP console, r-click the DHCP server and select 'Define User Classes'. After defining a new class you need to assign an ID to it and options. On the client side you need to make sure that the clients know what class they are in; you do this by executing ipconfig /setclassid. To view all classes allowed by the DHCP server execute ipconfig /showclassid.
[4.5] DHCP and DNS working together
Windows 2000 and later computers try to register their own A record but ask the DHCP server to register the PTR record.
By default the DHCP server only attempts to update client records if such an operation is requested by the client computer.
You can also configure the DHCP server to attempt to update A and PTR records regardless of the clients' requests.
By default the DHCP server discards the A and PTR records when the lease expires (you can set it so they are kept).
By default the DHCP server will not perform dynamic updates on behalf of older Windows clients that don't request updates to be done.
The update settings are configured on the DNS tab of the DHCP server properties.
DnsUpdateProxy is a security group that causes records updated/created by its members to be created without security settings (objects created by members of this group have no security-related settings). When a DHCP server that is not a member of the group modifies or creates an entry in the DNS, it becomes the owner of that entry and only it can change the entry. This might create problems when, for example, a client cannot modify a record because the server took ownership of it. Membership of the DHCP server in this group solves such stale record problems.
Usage of the DnsUpdateProxy group also might cause some problems if the DHCP service is installed on a DC, since all records created by it are not secure (the same holds for the A records of non-DC DHCP servers, but one can modify these manually, giving them an owner). In particular, the records created by the DC's netlogon service are not secure.
[4.6] Analyzing DHCP server traffic
Communication between the DHCP server and the DHCP client for a lease:
o The client seeking an IP address broadcasts a DHCPDISCOVER message on the network
o Any DHCP server that receives the message and has available IP addresses sends a DHCPOFFER of an address for a period of time called the lease
o If no DHCP servers are available, the client can use APIPA or use its alternative configuration; older clients fail to initialize and continue to send DHCPDISCOVER messages (4 times every 5 minutes)
o The client selects one of the offers and broadcasts a DHCPREQUEST indicating its selection
o The DHCP server sends a DHCPACK message to the client with possible configuration information like DNS server IPs
Communication between the DHCP server and the DHCP client for lease renewal:
o The client computer sends a DHCPREQUEST message to the server that leased it the IP address; it contains the FQDN of the client computer. The DHCPREQUEST message is also used by the client to request dynamic updates from the DHCP server.
o If the DHCP server can be reached, it sends a DHCPACK message back indicating renewal of the current lease (or remains silent)
o If the DHCP server cannot be reached then the client waits until it reaches the rebinding state, which usually occurs 7 days after the last lease renewal. When that state is reached the client attempts to renew with any available DHCP server.
o If a server responds with a DHCPOFFER message the client renews the lease and continues its operation
o If the lease expires and the client doesn't renew it, it ceases to use the leased IP address. It then tries to obtain a new IP address lease.
o The DHCP server can also issue a DHCPNACK response indicating that the requested IP address is unavailable. In this case lease renewal fails and the client is forced to initiate a new lease request process.
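The two exchanges above, together with the scope, exclusion, reservation and conflict-detection rules from [4.1] and [4.4], are easiest to follow in a small server model. The following is an added example, not the guide's or Microsoft's code: messages are plain dicts, the conflict-detection ping is a hook the caller supplies, scope selection follows the relay agent address (giaddr) rule from [4.8], and the RFC name DHCPNAK is used for what the guide writes as DHCPNACK. Every address, MAC and option value in it is constructed.

```python
import ipaddress

# Added example, not the guide's or Microsoft's code: a DHCP server model that
# walks the DISCOVER/OFFER/REQUEST/ACK exchange from the guide, with scope
# selection by relay agent address (giaddr), exclusions, reservations and a
# ping hook for conflict detection. Messages are plain dicts and every
# address and MAC below is constructed.


class Scope:
    def __init__(self, network, first, last, exclusions=(), reservations=None,
                 lease_seconds=8 * 24 * 3600):
        self.network = ipaddress.ip_network(network)
        first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
        self.addresses = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
        self.exclusions = {ipaddress.ip_address(e) for e in exclusions}
        self.reservations = {mac.lower(): ipaddress.ip_address(ip)
                             for mac, ip in (reservations or {}).items()}
        self.lease_seconds = lease_seconds
        self.leases = {}       # ip -> (mac, expiry)
        self.active = False    # must be activated before addresses are handed out

    def free_address(self, mac, now, in_use):
        if mac in self.reservations:
            ip = self.reservations[mac]
            return None if ip in self.exclusions else ip   # reserved+excluded never works
        taken = set(self.reservations.values()) | self.exclusions
        for ip in self.addresses:
            lease = self.leases.get(ip)
            if ip in taken or (lease and lease[1] > now and lease[0] != mac):
                continue
            if in_use(ip):          # conflict detection: the address answered a ping
                continue
            return ip
        return None


class DhcpServer:
    def __init__(self, server_ip, scopes, in_use=lambda ip: False, options=None):
        self.server_ip = ipaddress.ip_address(server_ip)
        self.scopes = scopes
        self.in_use = in_use
        self.options = options or {}
        self.offers = {}       # mac -> (scope, ip) outstanding offers

    def scope_for(self, giaddr):
        """giaddr 0.0.0.0 means the client sits on the server's own subnet;
        otherwise an RFC 1542 relay agent wrote in its interface address."""
        anchor = self.server_ip if giaddr == "0.0.0.0" else ipaddress.ip_address(giaddr)
        return next((s for s in self.scopes if s.active and anchor in s.network), None)

    def handle(self, msg, now):
        mac = msg["mac"].lower()
        scope = self.scope_for(msg.get("giaddr", "0.0.0.0"))
        if msg["type"] == "DHCPDISCOVER":
            ip = scope.free_address(mac, now, self.in_use) if scope else None
            if ip is None:
                return None                # stays silent; client falls back to APIPA
            self.offers[mac] = (scope, ip)
            return {"type": "DHCPOFFER", "yiaddr": str(ip),
                    "lease": scope.lease_seconds, "server": str(self.server_ip)}
        if msg["type"] == "DHCPREQUEST":
            wanted = ipaddress.ip_address(msg["requested_ip"])
            offer = self.offers.pop(mac, None)
            current = scope.leases.get(wanted) if scope else None
            accepting = offer is not None and offer[1] == wanted
            renewing = current is not None and current[0] == mac
            if scope is None or not (accepting or renewing):
                return {"type": "DHCPNAK"}  # client must start a new lease process
            scope.leases[wanted] = (mac, now + scope.lease_seconds)
            return {"type": "DHCPACK", "yiaddr": str(wanted),
                    "lease": scope.lease_seconds, "options": dict(self.options)}
        raise ValueError(f"unexpected message type {msg['type']!r}")


def demo():
    """One full lease followed by a renewal, all on constructed data."""
    scope = Scope("192.0.2.0/24", "192.0.2.10", "192.0.2.20",
                  exclusions=["192.0.2.10"],                         # static host
                  reservations={"00:11:22:33:44:55": "192.0.2.15"})  # printer
    scope.active = True
    server = DhcpServer("192.0.2.1", [scope],
                        in_use=lambda ip: str(ip) == "192.0.2.11",  # squatter answers ping
                        options={"006 DNS servers": ["192.0.2.2"]})
    client = "aa:bb:cc:dd:ee:01"
    offer = server.handle({"type": "DHCPDISCOVER", "mac": client}, now=0)
    ack = server.handle({"type": "DHCPREQUEST", "mac": client,
                         "requested_ip": offer["yiaddr"]}, now=1)
    renew = server.handle({"type": "DHCPREQUEST", "mac": client,
                           "requested_ip": offer["yiaddr"]}, now=4 * 24 * 3600)
    return offer, ack, renew


if __name__ == "__main__":
    for message in demo():
        print(message)
```

In `demo` the first free address is 192.0.2.12: .10 is excluded, .11 answers the conflict-detection ping and .15 is held for the reserved MAC. A DISCOVER carrying a giaddr that no active scope covers gets no answer at all, which is the "silent server" case the guide attributes to a missing or inactive scope.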
[4.7] DHCP audit logging
In its default configuration the DHCP server writes daily audit logs to the folder %systemroot%\system32\dhcp. The text files created there are named after the day of the week on which they were created, in the format DhcpSrvLog-[3-letter day of the week abbreviation]. You can modify the file location from the Advanced tab of the DHCP server properties.
You can turn logging off on the General tab of the DHCP server properties. By default, the largest log file is 1 MB and logging stops if the amount of free disk space falls under 20 MB.
A log file entry contains the ID, date, time, description, IP address, host name and MAC address. A CSV format is used for the columns; some may be blank.
The log file contains a summary of the event IDs that show up in the main body of the logfile up to event ID 50. Event IDs that have number above 50 are used for AD authorization
issues.
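As an added example (not code from the guide), here is a small Python parser for the CSV body of a DhcpSrvLog-[day] file that separates ordinary lease events from the AD authorization events above ID 50 and pulls out address conflicts; the log lines are constructed, and the event ID meanings given in the comments are the ones printed in the log file's own legend.

```python
import csv
from collections import Counter
from io import StringIO

# Column order of a DHCP audit log entry, as described in the guide:
# ID, Date, Time, Description, IP Address, Host Name, MAC Address
FIELDS = ["id", "date", "time", "description", "ip", "host", "mac"]

# Constructed sample lines in DhcpSrvLog-Wed.log style (not a real capture).
# The first line mimics the legend text at the top of a real file and must be skipped.
SAMPLE_LOG = """\
ID  Date,Time,Description,IP Address,Host Name,MAC Address
00,06/16/04,00:00:05,Started,,,
10,06/16/04,08:01:12,Assign,192.168.1.50,ws01.example.local,0003FF1A2B3C
11,06/16/04,08:04:40,Renew,192.168.1.51,ws02.example.local,0003FF1A2B3D
13,06/16/04,08:05:02,Conflict,192.168.1.52,,0003FF1A2B3E
14,06/16/04,09:12:33,Scope exhausted,,,
54,06/16/04,09:13:00,Authorization failed,,,
"""

def parse_dhcp_audit(text):
    """Return one dict per well-formed log entry; legend and blank lines are skipped."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS) or not row[0].strip().isdigit():
            continue  # not a seven-column entry with a numeric event ID
        rec = dict(zip(FIELDS, (f.strip() for f in row)))
        rec["id"] = int(rec["id"])
        records.append(rec)
    return records

def category(event_id):
    """Classify an event by its ID range, following the guide's split at ID 50."""
    if event_id > 50:
        return "ad-authorization"   # above 50: Active Directory authorization issues
    if event_id < 10:
        return "server"             # 00/01: log started / stopped
    return "lease"                  # 10 assign, 11 renew, 13 conflict, 14 scope exhausted, ...

def summarize(records):
    """Counts per category plus the two things a troubleshooter looks for first."""
    return {
        "counts": dict(Counter(category(r["id"]) for r in records)),
        # ID 13: the server found the address already in use on the network
        # (the same conflict the client reports in its own system log)
        "conflicts": [r["ip"] for r in records if r["id"] == 13],
        "auth_problems": [r["id"] for r in records if category(r["id"]) == "ad-authorization"],
    }

if __name__ == "__main__":
    print(summarize(parse_dhcp_audit(SAMPLE_LOG)))
```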
[4.8] DHCP problem resolution
The first step in fixing DHCP related problems is to make sure that there is no problem with the client; use the ipconfig command to verify connectivity. If an address conflict occurred you will be warned of this by a system tray warning popup as well as an address conflict event in the system log.
Dhcploc.exe can be used to locate DHCP servers, including rogue servers; this utility is part of the Windows Support Tools. To list AD authorized servers only, use the command netsh dhcp show server.
The Repair button on the remote connection information screen performs these functions:
o Broadcast a DHCP Request message to renew the lease, if this computer is a DHCP client
o Flush the ARP cache, the same thing as arp -d
o Flush the NetBIOS cache, same as nbtstat -R
o Flush the DNS cache, same as ipconfig /flushdns
o Register the computer with the WINS server, same as nbtstat -RR
o Register the computer with the DNS server, same as ipconfig /registerdns
If the computer fails to connect to the DHCP server make sure the network medium is up and the DHCP server is operational. Make sure the scope is active and that it still has leases available for its clients.
The DHCP server knows from which scope to assign an address by looking at the address of the RFC 1542 compliant router added to the discovery packet sent out by the client computer (no extra IP added means the local subnet). If a client gets an IP address from a DHCP server but it is from the wrong scope, use the dhcploc utility to check for competing DHCP servers. Make sure all authorized servers are leasing from non-overlapping ranges. A single DHCP server can have multiple scopes active on it; scopes not native to the DHCP server's subnet are used for remote clients. DHCP matches remote clients to their scope when an RFC 1542 compliant router or DHCP relay agent is properly configured. The DHCP Request message contains a field named 'giaddr' which identifies the originating subnet; when it is empty the client is assumed to be local and is assigned an address from the local scope.
For a server to hand out addresses it must be on the same subnet as its clients and the DHCP service must be bound to the connection; this is checked from the Advanced tab in the server properties.
Make sure the scope is active and that the scope's network ID matches that of the DHCP server. Also, though it sounds trivial, make sure the DHCP server has some addresses available for lease. To accommodate more users you can simply shorten the lease duration. Don't forget about exclusions for static addresses and about reserved addresses.
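Added example (not the guide's own code): the giaddr-based scope choice described above, modelled in Python, together with a check for overlapping lease ranges between authorized servers. The scopes, server names and ranges are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed scopes on one DHCP server (not from the guide): one native to the
# server's subnet, one for clients behind a relay agent / RFC 1542 router.
SERVER_SUBNET = ip_network("192.168.1.0/24")
SCOPES = {
    "LAN":    ip_network("192.168.1.0/24"),
    "Branch": ip_network("10.0.5.0/24"),
}

def select_scope(giaddr, scopes=SCOPES, server_subnet=SERVER_SUBNET):
    """Pick the scope a DHCP server would use for a request.

    An empty giaddr (0.0.0.0) means no relay was involved, so the client is on
    the server's own subnet.  Otherwise giaddr is the relay agent's address on
    the originating subnet and selects the matching remote scope.  None means
    no scope covers that subnet, so the client gets no lease (a common cause of
    'client gets no address' complaints when a relay points at the wrong server).
    """
    addr = ip_address(giaddr)
    subnet = server_subnet if addr == ip_address("0.0.0.0") else None
    for name, net in scopes.items():
        if (subnet is not None and net == subnet) or (subnet is None and addr in net):
            return name
    return None

def find_overlaps(servers):
    """servers: {server_name: [(first_ip, last_ip), ...]} lease ranges per server.

    Returns (server_a, server_b, range_a, range_b) for every pair of ranges on
    different servers that overlap, i.e. two servers could hand out the same
    address.  Exclusions for static addresses are not modelled here.
    """
    flat = [(srv, ip_address(lo), ip_address(hi)) for srv, rs in servers.items() for lo, hi in rs]
    hits = []
    for i, (sa, a_lo, a_hi) in enumerate(flat):
        for sb, b_lo, b_hi in flat[i + 1:]:
            if sa != sb and a_lo <= b_hi and b_lo <= a_hi:
                hits.append((sa, sb, (str(a_lo), str(a_hi)), (str(b_lo), str(b_hi))))
    return hits

# Constructed example: two authorized servers whose LAN ranges collide.
SERVERS = {
    "dhcp1": [("192.168.1.10", "192.168.1.120"), ("10.0.5.10", "10.0.5.100")],
    "dhcp2": [("192.168.1.100", "192.168.1.200")],
}

if __name__ == "__main__":
    print(select_scope("0.0.0.0"), select_scope("10.0.5.1"), select_scope("172.16.0.1"))
    print(find_overlaps(SERVERS))
```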
If the problem lies within the DHCP database you will need to reconcile the DHCP data for one or all scopes. The data is stored in detailed and summary form on the DHCP server; when reconciling, the data in these two forms is compared.
You can also use the jetpack utility to perform database compaction, or use netsh dhcp server set databaserestoreflag 1
When the administrator needs to renew IP addresses on a few computers he can issue the command ipconfig /renew on each one of them; when there are more computers it is easier to just reboot them using the shutdown /i command line utility (which shows a nice GUI).
To quickly get only the MAC address of any computer, including remote PCs, use the getmac /s [server name] /v command line utility
Part 5: Implementing, configuring and troubleshooting routing and remote access in Windows networks
[5.1] Chapter definitions
Routing is the process of transferring data from one local area network to another local area network
Bridge is a network connection that connects two or more network segments and shares traffic as necessary according to hardware addresses. A bridge is a layer two (data link) device.
Router is a device that receives and forwards traffic according to software addresses. A router is a layer three device according to the OSI model.
Network interface is a software object that connects to a physical device such as a modem or network card
Demand-dial interfaces - these are interfaces such as VPN, persistent dial-up connections and PPPoE connections. New demand-dial interfaces are added through the Network Interfaces node.
Windows includes a software router called the Routing and Remote Access service. This is a multiprotocol router capable of LAN to LAN, LAN to WAN, VPN and NAT routing through IP networks. It also supports routing features such as IP multicasting, demand-dialing, packet filtering, DHCP relay, and built-in support for RIP 2 and OSPF.
Unnumbered connections - connections in which one or both of the logical interfaces fail to obtain an IP address. Unnumbered connections happen mostly with demand-dial connections when one (or both) routers don't support APIPA
NAT stands for network address translation and is a service that is part of a router in which the header information in IP datagrams is modified by the router before being sent out. This allows many computers with private addresses to share a single public IP and still be able to surf the net.
[5.2] Routing with Routing and Remote Access
The server computer needs to be configured with Routing and Remote Access since it is installed in a disabled state. It will detect all installed network adapters and configure them. However, the system administrator will need to set up all additional VPN and dial-up connections since they are not pre-configured during setup.
When you add a new network card to an already configured Routing and Remote Access service, you will need to add a new interface through the Routing and Remote Access console
The number of network segments for which R&R access can act as a router is limited by the number of interfaces installed on the server.
Routing and Remote Access properties for the IP routing node:
o The General tab allows the network administrator to configure the R&R access service as a LAN router, demand-dial router or remote access server.
o The Security tab allows the network administrator to configure authentication methods, connection request logging and preshared keys for the IPSec protocol. All options set on the Security tab are applied to remote access clients and demand-dial routers.
o The IP tab allows the network administrator to configure how IP packets are routed over LAN, remote access or demand-dial connections. You have the option to use a DHCP server to assign IP addresses to remote hosts. If the DHCP server is not on the same PC as the R&R access service it must be reached through a DHCP relay agent. If you don't have a DHCP server close at hand you can use a static address pool; the R&R access service will then act as a DHCP server. The "Enable Broadcast Name Resolution" check box, when checked, enables R&R access clients to resolve computer names on all network segments connected to the R&R access server without
the help of DNS or WINS servers; this option is enabled by default and works by permitting NetBT broadcasts from remote clients.
o The PPP tab allows the network administrator to configure how dial-up connections are authenticated and negotiated. You can enable or disable the following options: Multilink connections, Link Control Protocol (LCP) extensions, software compression and Dynamic Bandwidth Control with BAP or BACP; all options are enabled by default.
  o Multilink connections allow multiple physical links to operate as a single logical link, increasing the bandwidth
  o Dynamic Bandwidth Control with BAP or BACP - when bandwidth demands change, multilink connections are created or dropped to allow for the changes; both protocols work together to provide bandwidth on demand (BOD)
  o Link Control Protocol (LCP) Extensions - support for advanced PPP features such as callback; disable if the client is older and cannot use these advanced features
  o Software compression - software based compression of data; leave on unless the modem used can compress data at the hardware level (no need to do idle work at the software level)
o The Logging tab allows the administrator to select the events to be logged; by default only errors are written to the log file. Log files are located in the %systemroot%\tracing directory.
IP routing properties, accessed from the General Properties dialog box associated with the General subnode of the IP routing node:
o Logging tab - which IP routing events are to be logged; by default only errors are logged
o Preference levels tab allows the administrator to assign a priority to routes collected from various sources. When two different sources provide conflicting routing information only one source's data can be entered into the routing table; this data comes from the source with the higher priority setting. The highest priority is 120, the lowest is 1.
o Multicast scopes - add/remove multicast scopes (to add a new scope provide its name, base IP address and mask)
The Routing and Remote Access server supports SLIP and PPP for serial asynchronous connections. PPP (Point-to-Point Protocol) provides advanced features (like IPX, NetBEUI and TCP/IP, and encrypted authentication if configured) not found in Serial Line Internet Protocol (SLIP).
[5.3] Routing tables explained
There are three types of routes that one finds inside a routing table:
o Default route - there is a single entry for this route in the table; the address provided is used as the destination for packets whose address doesn't match any other entry in the routing table. This route is indicated by both an address and a network mask of 0.0.0.0
o Host route - provides a route to a specific host or a broadcast address; this type of route is marked by a network mask of 255.255.255.255
o Network route - provides a route to a specific network; this type of route can have a subnet mask between 0.0.0.0 and 255.255.255.255
To view the routing table of any computer (every computer has one) from the command line, type route print
Routing tables are organized into five columns, which are in the following order: Network Destination, Netmask, Gateway, Interface and Metric
o Network Destination - the router compares entries in this column with the destination address of every IP packet. The 0.0.0.0 entry is the default route, 127.0.0.1 is the loopback device. Each entry with 224.0.0.0 refers to a multicast route. Entries with a last octet of 255 represent broadcast addresses; 255.255.255.255 is the limited broadcast address, which is general for all networks and routers, while the other broadcast addresses are limited to particular networks.
o Netmask - the value of this column determines which part of the packet's destination IP address is compared with the entries in the Network Destination column. The closest match determines the route that the packet will be given
o Gateway - the value represents the address the packet will be sent to if this particular route is chosen. The address should be different from the Network Destination value on the same row in the table. The gateway is the direction a packet takes on its voyage to the destination address (network destination). It is logical that the direction one must take to arrive at X is different from X itself.
o Interface - the value of the local network interface that will be used to transport the packet if this route is chosen
o Metric - the cost of using a route; lower metric values carry more weight than higher values, so a metric of 1 is preferred over 50. RIP uses the number of hops to determine a route's metric.
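The route selection described by these columns, as an added Python example that is not part of the guide: a constructed route print style table (default, network and host routes, two rows for the same network with different metrics) and a lookup that applies closest-match-then-lowest-metric.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table in route print column order (not captured from a host):
# (Network Destination, Netmask, Gateway, Interface, Metric)
ROUTE_TABLE = [
    ("0.0.0.0",         "0.0.0.0",         "192.168.1.1",   "192.168.1.10", 20),
    ("10.0.5.0",        "255.255.255.0",   "192.168.1.254", "192.168.1.10", 30),
    ("10.0.5.0",        "255.255.255.0",   "192.168.1.253", "192.168.1.10", 10),
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1",     "127.0.0.1",    1),
    ("192.168.1.0",     "255.255.255.0",   "192.168.1.10",  "192.168.1.10", 20),
    ("192.168.1.10",    "255.255.255.255", "127.0.0.1",     "127.0.0.1",    20),
    ("192.168.1.255",   "255.255.255.255", "192.168.1.10",  "192.168.1.10", 20),
    ("224.0.0.0",       "240.0.0.0",       "192.168.1.10",  "192.168.1.10", 20),
    ("255.255.255.255", "255.255.255.255", "192.168.1.10",  "192.168.1.10", 1),
]

def route_kind(destination, netmask):
    """The three route types the guide lists, identified purely by the mask."""
    if destination == "0.0.0.0" and netmask == "0.0.0.0":
        return "default"
    if netmask == "255.255.255.255":
        return "host"
    return "network"

def lookup(dst, table=ROUTE_TABLE):
    """Return the table row used for packets to dst.

    Every row whose masked destination covers dst is a candidate; the longest
    netmask (closest match) wins, and among equal masks the lowest metric wins,
    so a metric of 1 beats 50.  None means no route at all, which can only
    happen when the default route is missing since it matches everything.
    """
    addr = ip_address(dst)
    best_key, best_row = None, None
    for row in table:
        destination, netmask, _gateway, _iface, metric = row
        net = ip_network(f"{destination}/{netmask}", strict=False)
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)     # longer mask first, then cheaper route
        if best_key is None or key > best_key:
            best_key, best_row = key, row
    return best_row

def gateway_for(dst, table=ROUTE_TABLE):
    """Just the next-hop address, as a troubleshooter would read it off route print."""
    row = lookup(dst, table)
    return row[2] if row else None

if __name__ == "__main__":
    for target in ("8.8.8.8", "10.0.5.7", "192.168.1.10", "192.168.1.77"):
        print(target, "->", lookup(target))
```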
By default the computer will preset certain route entries; however, to implement smooth communication with hosts that are outside broadcast range one must set up either static or dynamic routing
Static routing is when the administrator adds new routes to the routing table; routers do not share routing information and tables have to be manually checked for accuracy. This makes static routing difficult in large networked environments. Static routing works best for small single-path internetworks with 10 or fewer subnets. Static routing supports unnumbered connections. Static routes survive a server restart since they are persistent.
You can add new static routes from the Routing and Remote Access console or using the command line: route add [destination address] mask [netmask] [gateway] metric [metric cost] if [interface]. Please note that static routes added with the command line utility route are not persistent by default. To make them persistent use the -p switch. If routes are not persistent they are not listed under the 'Static Routes' heading in the R&R access console.
To delete a route from the command line use route delete [destination address]
In real life static routes are rarely used since RIP is easy to configure. You might need to use static routes for connections to remote routers that are intermittent, since dynamic routing protocols require too much communication over the link.
You should avoid configuring default routes on two or more routers that point to each other, since that sends unreachable traffic into an endless loop.
Dynamic routing uses RIP 2 or OSPF to share information between routers and ensure that the routing tables are built and kept accurate dynamically
There is nothing to be done by the administrator as far as configuration is concerned if the router is physically connected to all network segments
[5.4] Configuring routing protocols
Windows Server supports four routing protocols: RIP, OSPF, multicast IGMP and the DHCP Relay Agent
RIP (Routing Information Protocol) chooses the lowest-cost route; routes with a cost higher than 15 are discarded, which limits the network size. RIP routers advertise their whole tables to each other every 30 seconds.
RIP works best in small to medium sized networks with a maximum of 15 routers; multipath networks with dynamic topology are well suited for RIP.
The main advantage of RIP is its ease of use; its disadvantage is its limited hop-based cost estimate and the 15 hop size limit
RIP can use simple password authentication that prevents an attacker from polluting the routing tables; unfortunately the passwords are plain text. You can configure a list of routers (peer filtering) from which your router is to accept RIP announcements (by IP address). You can configure route filters on each RIP interface, thus making routes that are reachable from your network the only ones that will be considered for addition to the routing table.
By default RIP uses either broadcasts or multicasts (only in RIP 2). To prevent traffic from being sent to nodes that are not RIP routers the system administrator can set RIP neighbors.
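To show what peer filtering, route filters and the 15 hop limit each do to an incoming announcement, here is an added Python model of how a RIP router processes one update (this is illustrative code, not the guide's or Windows' implementation; the peer list, filter and routes are constructed).

```python
from ipaddress import ip_address, ip_network

RIP_MAX_HOPS = 15          # routes with a cost above 15 are discarded (16 = unreachable)

def process_rip_announcement(table, source_ip, routes, peers=None, route_filters=None):
    """Apply one RIP announcement to table ({network: (gateway, cost)}) in place.

    peers:         addresses of routers whose announcements we accept (peer
                   filtering); None accepts announcements from anyone.
    route_filters: networks we are willing to learn routes for; None accepts all.
    routes:        [(network, advertised_metric), ...] as carried in the announcement.
    Returns a list of (network, reason) for every route that was not installed,
    which is what you would want logged when hunting for a rogue router.
    """
    rejected = []
    src = ip_address(source_ip)
    if peers is not None and src not in peers:
        return [(net, "source is not an allowed peer") for net, _ in routes]
    for net_str, adv_metric in routes:
        net = ip_network(net_str)
        if route_filters is not None and not any(net.subnet_of(f) for f in route_filters):
            rejected.append((net_str, "blocked by route filter"))
            continue
        cost = adv_metric + 1                      # one more hop through the announcer
        current = table.get(net)
        if cost > RIP_MAX_HOPS:
            # The gateway we learned the route from now says it is unreachable:
            # drop it.  From anyone else an unreachable route is simply ignored.
            if current is not None and current[0] == src:
                del table[net]
            rejected.append((net_str, "exceeds 15 hops"))
            continue
        if current is None or cost < current[1] or current[0] == src:
            table[net] = (src, cost)
    return rejected

def table_as_strings(table):
    """Readable view of the table for printing or assertions."""
    return {str(net): (str(gw), cost) for net, (gw, cost) in table.items()}

# Constructed example: one trusted neighbour on the LAN, routes accepted only for 10.0.0.0/8.
PEERS = {ip_address("192.168.1.2")}
ROUTE_FILTERS = [ip_network("10.0.0.0/8")]

if __name__ == "__main__":
    table = {}
    print(process_rip_announcement(table, "192.168.1.2",
          [("10.0.1.0/24", 1), ("10.0.2.0/24", 15), ("172.16.0.0/16", 2)], PEERS, ROUTE_FILTERS))
    print(process_rip_announcement(table, "192.168.1.99", [("10.0.1.0/24", 0)], PEERS, ROUTE_FILTERS))
    print(table_as_strings(table))
```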
OSPF (Open Shortest Path First) is an efficient protocol which uses the shortest path first algorithm to compute routes. OSPF routers don't share routing tables; instead they rely on a map of the internetwork called the link state database. Neighboring routers form an adjacency.
The OSPF protocol can scale to very large networks due to having no hop limit, fast convergence times, little network bandwidth use and loop-free routes. Unfortunately it is not supported on the 64-bit edition of Windows Server 2003.
Changes to the network topology are sent to all routers in the network, which recompute their routing tables
OSPF divides the network into areas (collections of contiguous networks) which are connected to each other through the backbone. Each router keeps a link state database only for the areas to which it is connected. Area border routers connect to the backbone area and other areas. OSPF also supports stub areas, which have only one entry and exit point.
The DHCP Relay Agent is a routing protocol that allows client computers to obtain an address from a DHCP server on a remote subnet. DHCP clients send their DHCP Discover packets as broadcasts that are blocked by routers; one either needs to deploy an RFC 1542 compliant router or a DHCP Relay Agent for these packets to get through to the other subnet. You cannot use the DHCP Relay Agent on a computer that is also running the DHCP server, NAT (with automatic addressing turned on) or ICS. You install the DHCP Relay Agent just like any other protocol. Routers that are RFC 1542 compliant use BOOTP (boot protocol) for DHCP packet forwarding.
[5.5] Demand-dial routing
You can enable demand-dial routing from the General tab of the Routing and Remote Access properties
You can set dial credentials, get the unreachability reason, set IP demand-dial filters and dial-out hours from the Actions menu. These options are only for the demand-dial interface.
On the properties page of the demand-dial router you can set modem features such as the source phone number, dialing properties such as call frequency, and the security protocol used (CHAP by default).
You can access port and device properties from the Ports node. From this dialog box you can configure your modem as to whether it will be used for inbound and/or outbound connections. You can also set the device's phone number.
Clicking on the General node of IP Routing when demand-dial is activated reveals some commands specific to dial-in (when one right-clicks on the demand-dial interface):
o Update routes is used to update routes if RIP is installed. Static routes are updated and are known as autostatic routes. Autostatic routes are used instead of normal RIP router-to-router communication due to the nature of the connection (demand dial).
o TCP/IP statistics allows the administrator to see information similar to that provided by ipconfig and netstat
o IP routing interface properties is a shortcut to another dialog box that has General, Multicast boundaries and Multicast heartbeat tabs
  o On the General tab "Enable IP Router Manager" is enabled by default; it is the service that is responsible for numerous features such as IP packet filtering, and if you disable it the administrative status of the device changes to disabled. Another option is the "Enable Router Discovery Advertisements" check box, off by default; it is a feature in which network hosts send out router solicitations to discover routers, and it needs to be configured at the host. Packet filtering is handled by two buttons, Inbound and Outbound filters. Part of packet filtering is the "Enable fragmentation checking" check box, off by default.
  o Multicast boundaries tab - administrative barriers for forwarding of IP multicast traffic. If boundaries didn't exist then the IP multicast router would forward all appropriate IP multicast traffic. You can configure the boundary using a multicast scope or the TTL in the IP header.
  o Multicast heartbeat tab - the server listens for a regular multicast notification for a specified group address to verify that IP multicast connectivity is available on the network. You can configure the timeout interval and the group address.
Demand-dial router-to-router configuration options:
o Connection endpoint addressing - the end point of a connection that goes over a public network must be identified by an endpoint identifier (such as a phone number).
o Both ends of the demand-dial connection must be configured for normal (bi-directional) traffic to flow; they both need R&R access to be running
o Authentication of the calling router is based on credentials that correspond to a user account; authorization of the calling router is based on user permissions.
o The process of differentiating a router from a user calling is done by matching the user name to the interface being called: it is a router calling if the user name matches exactly the name of the demand-dial interface on the answering router.
o Static routes are to be configured for both connection ends; the check box 'use this route to initiate demand dial connection' should be checked
[5.6] Configuring NAT
NAT - network address translation is a service that modifies packet header information before sending them to their