MCSA-MCSE_2003_70-291


7/31/2019 MCSA-MCSE_2003_70-291
1/39
http://www.tomkitta.com/guides/70-270.cfm


Microsoft exam 70-291 preparation guide

Contents:

Part 1: Understanding Windows networks and TCP/IP
Part 2: Troubleshooting and monitoring TCP/IP
Part 3: Implementing, configuring and troubleshooting DNS servers
Part 4: Implementing, configuring and troubleshooting DHCP servers
Part 5: Implementing, configuring and troubleshooting routing and remote access in Windows networks
Part 6: Managing network infrastructure and security

Preface

I have written this short preparation guide as a way for myself to ease studying for the Microsoft 70-291 exam titled: "Implementing, managing and maintaining a Microsoft Windows Server 2003 network infrastructure". I provide this guide as is, without any guarantees, explicit or implied, as to its contents. You may use the information contained herein in your computer career, however I take no responsibility for any damages you may incur as a result of following this guide. You may use this document freely and share it with anybody as long as you provide the whole document in one piece and do not charge any money for it. If you find any mistakes, please feel free to inform me (Tom Kitta) about them. Legal stuff aside, let us start.

Guide version 0.006 last updated on 17/06/2004

Part 1: Understanding Windows networks and TCP/IP

[1.1] Basic networking definitions

Network infrastructure - set of physical and logical components that allow for, among other features, security, management and connectivity
Physical infrastructure - is also known as the network's topology, the physical layout of hardware components and the type of hardware as well as the technology used with hardware for data transmission.
Logical infrastructure - is the software that allows for communication over physical infrastructure, it includes services that run on the network like DNS
Network connection - is a logical interface between software and hardware layers
Network protocol - is the language used for communication between networked computers
Network service - is a program that provides features to hosts or protocols on the network
Network client - is a program that allows a computer to connect to a network operating system
Addressing - is the practice of maintaining a coherent system of addresses within an organization's network that allows all computers to communicate
Name resolution - is the process of translating a computer name into an address and the other way around
Workgroup - is a simple grouping of resources which by default uses the NetBIOS naming system. NetBIOS is used together with Common Internet File System (CIFS), an extension of Server Message Block (SMB) protocol, to provide file sharing. There is no centralized


security in a workgroup environment. The default workgroup name is WORKGROUP. In the absence of a WINS server the NetBIOS names are resolved using broadcasts to the local network segment.
Domain - is a collection of computers that share a common directory, security policies and relationships with other domains. The name 'domain' is used both for a grouping of computers in AD and for names in DNS; they are different things.
Active directory - is a distributed database that provides directory service
Remote access - is a connection that is configured for users that want to access resources from a non-local site. There are two types, VPN and dial-up.
Network Address Translation (NAT) - is the system which allows computers with private addresses to communicate with computers on the internet
NWLink - Microsoft implementation of the Novell IPX/SPX protocol used by NetWare networks
Certificate - is used for public key cryptography
NetBT - NetBIOS over TCP/IP, provides for higher level communications such as SMB (Server Message Blocks) and CIFS
CIFS - an extension of the SMB protocol that is used with basic file sharing. One of the advantages of CIFS over SMB is the ability to operate directly over DNS without the use of NetBIOS.
TCP/IP - most popular, scalable, routable protocol, based on open standards.
Redirector - client component that decides whether the request is to be serviced locally or remotely. In Windows the redirector is called Client for Microsoft Networks. It uses SMB/CIFS for communication.

[1.2] Network connection

Components that make up a connection: network clients, services and protocols
Connections by themselves don't provide communication, it occurs through components bound to the connection
Client for Microsoft Networks is by default bound to all local area connections, it allows client computers to perform CIFS related tasks
TCP/IP protocol is bound to all connections by default
File and printer sharing for Microsoft Windows is installed and bound to all connections by default
Advanced connection settings allow administrator to change the priority of each connection
Provider order tab in advanced settings dialog box allows administrator to change the network providers order. This setting is for all connections. By default, Microsoft Terminal Services is given priority over the Microsoft Network because Terminal Services are meant to be used in place of all other connections.
In the provider tab one also finds print provider order, by default LanMan Print Services is given priority over HTTP Print Services

[1.3] Default TCP/IP Settings, APIPA

APIPA stands for automatic private IP addressing
By default the IP address and DNS servers are to be obtained automatically from the DHCP server
If the computer cannot get an address automatically it uses APIPA to assign itself one


APIPA assigns the PC an address from the range 169.254.0.1 to 169.254.255.254, in use since Windows 98
Administrators can combine APIPA with alternate configuration; when an IP can be obtained from DHCP, APIPA turns itself off - no one can override a DHCP obtained address with APIPA
To disable APIPA administrator can either configure an alternative IP address or edit the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface, registry entry IPAutoconfigurationEnabled set to 0, and reboot
An all zero address might indicate that the IP has been released and never renewed
When a computer fails to obtain an APIPA address in the absence of a DHCP server and static address, the administrator should look for a hardware problem

[1.4] Management and monitoring tools

Connection Manager - allows creation of customized remote access connections
Connection Point Services - Phone Book Service that needs IIS
Network Monitor - packet analyzer
SNMP - Simple network management protocol, agents that monitor activity in network devices and report to a network management console. For use with both Windows and UNIX, works with almost any network device.
WMI SNMP Provider - lets client applications access static and dynamic SNMP information through WMI

[1.5] TCP/IP model

The TCP/IP model is the newer networking model, the OSI (Open System Interconnection) model is an older model
Network interface - is the layer in the communications process that describes standards for physical media, for example ethernet. In the OSI model it is both the Physical layer and the Data link layer.
Internet - is the layer in the communications process during which information is packaged, addressed and routed to other network destinations. ARP is used for address resolution, IP for addressing and routing data and ICMP for reporting errors and exchanging limited control/status information. In the OSI model this layer is called the Network layer.
Transport - is the layer in the communications process during which the standards of data transport are determined. TCP protocol with its guarantees of delivery and the connectionless, unguaranteed but fast UDP protocol. This layer has the same name in the OSI model.
Application - is the layer in the communications process during which end user data is changed, packaged and sent to and from the transport layer, for example telnet. In OSI we have three layers, Session, Presentation and Application.

[1.6] OSI model

OSI stands for Open System Interconnection model, it is an older networking model
7 Application layer
6 Presentation layer
5 Session layer
4 Transport layer
3 Network layer


2 Data link layer
1 Physical layer
Layers 7, 6, and 5 correspond to the Application layer in the TCP/IP model
Layer 4 corresponds to the Transport layer in the TCP/IP model
Layer 3 corresponds to the Internet layer in the TCP/IP model
Layers 2 and 1 correspond to the Network Interface layer in the TCP/IP model
Protocols that were not originally part of the TCP/IP specifications are referred to not by position in the TCP/IP model but by the OSI model. For example NetBT is a session (or layer 5) protocol.

[1.7] Protocols, their port numbers and layers in TCP/IP model they are in

Protocol number - is used to define a stream of data associated with a specific service
The transport is provided by TCP and UDP protocols
Internet layer protocols are ARP, IP and ICMP
HTTP - hypertext transfer protocol, TCP port 80 (application layer)
SSL - Secure socket layers, TCP port 443
SMTP - TCP port 25. Files stored in LocalDrive:\Inetpub\Mailroot
SNMP - simple network management protocol used to provide information about TCP/IP hosts, UDP port 161.
FTP - only basic authentication allowed, TCP port 20 (data), TCP port 21 (control). Files stored in LocalDrive:\Inetpub\Ftproot (application layer)
POP - TCP port 110
DNS - UDP port 53 (query), TCP port 53 (zone transfer)
NNTP - TCP port 119. Files stored in LocalDrive:\Inetpub\Nntpfile\Root
PPTP - Point to point tunneling protocol, TCP port 1723; protocol number 47
L2TP/IPSec - UDP ports 500, 1701 and 4500; protocol number 50
ARP, ICMP and IP (internet layer)

[1.8] IP addressing

Internet Assigned Numbers Authority (IANA) divides up non reserved portions of IP address space
IANA gives address blocks to local authorities such as ARIN which in turn give it to large ISPs
Private addresses are in ranges 10.0.0.0 - 10.255.255.254, 172.16.0.0 - 172.31.255.254, 192.168.0.0 - 192.168.255.254
IP addresses are just a representation of a 32 bit number broken into 8 bit parts for ease of visualization by the administrator
IP address is made up of two parts, network address and host address. Network prefix is the number of bits in the network id.
IP class assignments
o Class A 1-126.x.x.x, hosts supported 16777214, with mask 255.0.0.0
o Class B 128-191.x.x.x, hosts supported 65534, with mask 255.255.0.0
o Class C 192-223.x.x.x, hosts supported 254, with mask 255.255.255.0
o Class D 224-239.x.x.x, reserved for multicast addressing
o Class E 240-254.x.x.x, reserved for experimental use
Subnet mask is used to determine whether the packet is destined for the current network or not. It does that by masking the network part of the IP address. The PC proceeds by finding its own network address using its IP and subnet mask in a bitwise AND operation.


Then the PC does a bitwise AND operation on the destination IP and its subnet mask to determine the foreign network address. If the addresses match then the packet is to travel on the local network, if they don't then the packet is destined to a foreign address.
CIDR - this is a shorthand notation for a subnet mask, classless interdomain routing notation. It counts the number of 1's in the subnet mask's binary representation and is displayed after the IP address, for example 192.168.2.12/24 means that the subnet mask is 255.255.255.0 since we have 24 1's in the subnet mask. It is not compatible with RIP v.1. It is the name administrators commonly refer to when talking about supernetting since CIDR is used to shorten routing tables.
Default gateway is the IP address of a routing device that accepts packets destined to other networks. Other networks are subnets that are not within the broadcast range of the PC that contacts the default gateway (itself it is within broadcast range).
Follow these simple steps to spot an IP address that is invalid:
o Host without a subnet mask
o No unique network ID (per WAN) or no unique host name per LAN
o Neither network ID nor host ID can be all 1 (since that is the broadcast address)

[1.9] Subnetting and supernetting IP networks

Subnetting - occurs when one needs to divide a default A, B or C class address space into smaller spaces. The logical division is accomplished by extending the string of 1's in the subnet mask.
Subnetting is used for: accommodating security needs, physical topology, limitation of broadcasting
Number of hosts on a subnet = 2^(32 - subnet mask's # of 1's) - 2. We subtract 2 since one address is needed for the network ID and one for the network broadcast
Host ID with all 0's is the network ID and host ID with all 1's is the broadcast address
Supernetting - occurs when one wants to combine default A, B or C class address spaces into one large space. This method allows for more efficient allocation of network address space.
Supernetting's major difference from subnetting is the removal of 1's from the subnet mask. Thus one might have /23 /22 /21 /20 supernet masks.
Conversion from binary to decimal and back is based on the power each system uses, 2 for binary, 10 for decimal and so on. The position of a digit in a number, starting from zero, determines to which power the base is raised. The value of the digit is the number by which the base to the power is multiplied. Sum all the digits to get the number in decimal. For example number 123 in base 8 is 1*8^2+2*8^1+3*8^0 = 83 in decimal. To minimize errors it is best to use a calculator.
Variable length subnet masks (VLSMs) - allow for subnets to be subnetted themselves, making the use of network address space in large organizations more efficient. They allow administrators to create subnets of varying sizes.
Classless Inter-Domain Routing (CIDR - defined in RFC 1519) using variable length subnet masks (VLSM) was created to allow for greater flexibility with routed IP networks, to allow for the accelerating expansion of the Internet.
VLSMs use Subnet IDs to create subnets of different sizes, they are not compatible with old routing protocols like RIP 1
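The subnet arithmetic of sections 1.8 and 1.9 (the two bitwise AND steps, the CIDR prefix to mask conversion, the 2^(32 - prefix) - 2 host count, the network ID and broadcast rule, and the base conversion) worked in code. This is an added example, not part of the guide; the addresses, prefixes and masks it uses are constructed sample values, and it deliberately avoids the ipaddress module so the bit operations stay visible.

```python
# Added example, not from the guide: IPv4 subnet arithmetic from sections 1.8
# and 1.9 done with plain integer bit operations so each bitwise-AND step is
# visible. All addresses and prefixes below are constructed sample values.


def ip_to_int(dotted: str) -> int:
    """a.b.c.d -> the 32 bit number the guide says the address represents."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"invalid IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    """32 bit number -> a.b.c.d (the 8 bit parts the administrator reads)."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """CIDR /n -> dotted mask: n leading 1 bits followed by 32-n zero bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be between 0 and 32")
    return int_to_ip((((1 << prefix) - 1) << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    """Count the 1 bits of a mask; reject non-contiguous masks like 255.0.255.0."""
    prefix = bin(ip_to_int(mask)).count("1")
    if prefix_to_mask(prefix) != mask:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return prefix


def same_subnet(local_ip: str, mask: str, dest_ip: str) -> bool:
    """The guide's local/foreign test: AND both addresses with the mask and
    compare the network parts. True means the packet stays on the local
    segment, False means it goes to the default gateway."""
    m = ip_to_int(mask)
    return (ip_to_int(local_ip) & m) == (ip_to_int(dest_ip) & m)


def subnet_summary(cidr: str) -> dict:
    """Network ID (host bits all 0), broadcast (host bits all 1) and usable
    host count 2^(32 - prefix) - 2 for an a.b.c.d/n string. Works for
    supernets (/23, /22, ...) exactly as for subnets."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    m = ip_to_int(prefix_to_mask(prefix))
    host_mask = ~m & 0xFFFFFFFF
    network = ip_to_int(ip) & m
    return {
        "mask": int_to_ip(m),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(network | host_mask),
        "hosts": max(2 ** (32 - prefix) - 2, 0),
    }


def is_valid_host_address(ip: str, mask: str) -> bool:
    """Section 1.8's check: the host ID may be neither all 0s (that is the
    network ID) nor all 1s (the broadcast address)."""
    host_mask = ~ip_to_int(mask) & 0xFFFFFFFF
    host_bits = ip_to_int(ip) & host_mask
    return host_bits not in (0, host_mask)


def base_to_decimal(digits: str, base: int) -> int:
    """The guide's conversion rule: each digit times base**position, positions
    counted from the right starting at zero, summed. base_to_decimal("123", 8)
    reproduces the 1*8^2 + 2*8^1 + 3*8^0 = 83 worked in the text."""
    return sum(int(d, base) * base ** pos for pos, d in enumerate(reversed(digits)))


if __name__ == "__main__":
    # Constructed sample: a /24 host deciding where two packets go.
    for dest in ("192.168.2.200", "192.168.3.1"):
        where = "local" if same_subnet("192.168.2.12", "255.255.255.0", dest) else "via gateway"
        print(f"{dest}: {where}")
    print(subnet_summary("192.168.2.12/24"))
    print(subnet_summary("192.168.2.0/23"))  # supernet of two class C spaces
```

The mask_to_prefix check matters in practice: a mistyped mask such as 255.0.255.0 has the right number of 1 bits but is not a valid prefix, and a host configured with it will misclassify destinations as local or foreign.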

[1.10] Other points


Administrator can install on a computer file and print services for Macintosh but only print services for Unix
TCP/IP is installed by default by Windows setup
The following are installed as part of simple TCP/IP services: Character Generator, Daytime, Discard, Echo, Quote of the day
The MAC address cache on a computer can be cleared manually (it refreshes itself every 2 minutes) by issuing the arp -d command
Most computers on the network use DHCP for addressing as it produces less human error than static addressing. Static addressing is used by servers.

Part 2: Troubleshooting and monitoring TCP/IP

[2.1] Analyzing traffic using network monitor

Frame is an encapsulation of network interface layer (layer 2) data. Each frame contains source and destination computer addresses, the header of the protocol used to send data and the data itself.
Packet is an encapsulation of internet layer (layer 3) data
There are two versions of Network Monitor, the basic version ships with Windows Server 2003. Network administrator needs to purchase the advanced version from Microsoft. Advanced version can capture data from all devices on a network provided the administrator used hubs, not the more common switches.
Network Monitor is made up of two components, an administrative tool called Network Monitor and an agent called Network Monitor Driver
Network Monitor Driver can be installed by itself on Windows XP/2000/2003 PCs in the same manner as one installs a new protocol
The monitor can be used to find a NIC's MAC address, a computer's GUID and much other useful information
Parsing is the process of reading, analyzing and describing the contents of frames. Administrator can add new parsers to network monitor by adding parser dll files into the %systemroot%\system32\Netmon\Parsers folder and modifying the parser.ini file in the %systemroot%\system32\Netmon folder. By default network monitor supports over 90 protocols.

[2.2] Problems with TCP/IP connections

Network diagnostics is a graphical tool that administrator can access from the help and support tools menu. Users can save output to a file for examination by the network administrator.
Netdiag is a command line tool that is used to run different network tests. Administrator needs to install the tool first from the Windows CD, the support tools file is called suptools.msi.
Tracert - shows the path a packet takes to reach a given destination, this is done by setting different TTL values in the IP header of ICMP echo requests. Up to 30 hops, tells administrator when connectivity stops.
Pathping - as tracert it shows the path that a packet takes to reach a given destination, however it also shows detailed analysis of traffic. Used to troubleshoot erratic network behaviour such as packets being delayed, where tracert is used for network connectivity.


Arp - used to show the ARP cache on the PC. Sometimes local network computers can have wrong MAC addresses of each other cached and thus cannot communicate, use arp to check whether the addresses are correct. To clear the arp cache use the arp -d command. Arp -a is used to check hardware address mappings, if it checks out look for a hardware problem
If the administrator is able to ping the loopback address, the PC's own address and the local gateway but no other PCs the problem is most likely with the arp cache being corrupted.
Troubleshooting steps: loopback, local PC, default gateway, remote host by IP, remote host by name.

Part 3: Implementing, configuring and troubleshooting DNS servers

[3.1] Differences between DNS and NetBIOS

NetBIOS (Network Basic Input Output System) is not a naming system, it is an API that provides naming and name resolution services
DNS is the preferred name resolution system in Windows, but it needs configuration unlike NetBIOS
NetBIOS is used for browsing Microsoft Windows Network through My Network Places and connecting to shares using UNC paths (File and Print for Microsoft Networks)
NetBIOS name space is flat, while DNS is hierarchical
NetBIOS name - used to identify a NetBIOS service that is listening on the first IP that is bound to the adapter
Maximum computer name length in NetBIOS is 15 bytes (characters) while in DNS a host name can be up to 63 bytes and a FQDN up to 255. When the computer name is longer than 15 characters then the NetBIOS name is the computer name's first 15 characters.
To view the NetBIOS PC name go to system properties, network identification, properties and the more button
Host name - the first label of a FQDN, it is just about any network interface with an IP bound to it
Primary DNS suffix - also known as primary domain name or the domain name, specified on the computer name tab
FQDN - DNS name that uniquely identifies the computer on the network. It is a concatenation of the host name, primary DNS suffix and a period. The full computer name is a type of FQDN, the same computer can be identified by more than one FQDN but only the FQDN that concatenates the host name and primary DNS suffix represents the full computer name.
NetBIOS resolves names through WINS server, local NetBIOS cache, NetBIOS broadcast, LMHOSTS file
DNS resolves names through DNS server or Hosts file (which is part of client cache). Entries added to the hosts file are immediately loaded into the resolver cache.
Both LMhosts and hosts files are located in the %systemroot%\system32\drivers\etc folder
Nbtstat is used to interact with NetBIOS from the command line, the -c switch lists local cache contents, -R purges the cache; to view the cache, use nbtstat -n
DNS is required for Windows 2000/2003 domains (AD) and the internet
NetBIOS is needed by older Windows operating systems, workgroups in Windows 95/98/Me/NT
NetBIOS is enabled by default for all local area connections, administrator can disable NetBIOS to increase security from the TCP/IP properties screen, but users will no longer be able to use the computer browser service


Windows Server 2003 client computer always tries to resolve names using DNS before NetBIOS

[3.2] DNS as part of Windows Network

DNS is a hierarchical system based on a tree structure called the DNS namespace
Each DNS namespace has to have a root that can have an unlimited number of subdomains. The root is an empty string
Every node in the DNS namespace has a specific address by which it can be identified, called a FQDN
The dot is the standard separator between domain labels. The dot also separates the root from the subdomains, but is usually omitted by the end-user and automatically added by the DNS client service during a query.
On the internet the DNS root and top-level domains are under control of the Internet Corporation for Assigned Names and Numbers (ICANN)
There are three types of internet top-level domains, organizational, geographical and reverse (in-addr.arpa)
DNS server can be authoritative for one or more zones which contain one or more domains. Server is said to be authoritative for a zone if it hosts the zone as primary or secondary server.
When the client or DNS service is stopped, its cache is cleared
DNS client is installed by default, the server component is not
A forwarder is a DNS server that is used to resolve queries external to the server using it
A conditional forwarder is a DNS server that examines the domain name of the query and forwards it (the query) to a specific server based on the name asked in the query. All forwarder options are set from the forwarders tab on the DNS server properties dialog box.

[3.3] DNS components

DNS zone is a portion of a DNS namespace for which a DNS server is authoritative. A server can be authoritative for one or more zones and each zone can contain one or more domains. Zone files store resource records, they are usually text files but on Windows 2000/2003 administrators have an option of active directory integrated zones.
DNS resolver is a service that uses the DNS protocol to query for information from DNS servers. On Windows 2003 this is done by the DNS Client Service
The third component is the DNS server itself. The above breakdown holds for any DNS implementation.

[3.4] DNS server query process

Each query message contains the following information:
o DNS domain name as FQDN
o Query type, resource record by type or specialized type of query operation
o Specified class for the DNS domain name
When a user wants to resolve an address the first place the DNS client service looks in is the user's computer's local cache and hosts file


If local resources don't resolve the name, the DNS client uses the server search list to query the preferred DNS server, if it is unavailable alternate DNS servers are used according to their positioning on the server preference list
The DNS server after receiving a query first checks to see whether it is authoritative for the domain in question, if it is not, it checks the local cache for already performed queries. If that doesn't resolve as well, a recursive query is performed.
For recursive queries the DNS server needs to be configured with Root Hints, which by default are stored in the file cache.dns in the %systemroot%\system32\dns folder
Server asks the appropriate root server for the address of a more knowledgeable server, then it asks that server etc. till it gets the answer. It is like walking the namespace tree.
The most common responses to the client are: an authoritative answer, a positive answer, a referral answer and a negative answer.
If recursion is disabled on the server it will send a referral answer back to the client. The client will need to perform iteration (repeated queries to different DNS servers - DNS tree walk) to get the answer it seeks.
After a query the client gets a positive answer; it is frequently authoritative the first time around, while consecutive answers are non-authoritative. This is due to DNS server caching of the original query.
Reverse query - is performed by taking an IP address in the form a.b.c.d and presenting the query to the DNS server in the form d.c.b.a.in-addr.arpa. ARPA stands for Advanced Research Projects Agency. Due to lack of vision the first DNS implementation didn't support reverse queries, PTR records are just pointers to A records.

[3.5] DNS client query process timeout

DNS client sends a query to the preferred DNS server and waits 1 second for a response
If no response is received the client sends a query to the first server on all adapters and waits 2 seconds
If there is still no response, the client sends a query to all DNS servers on all adapters and waits 2 seconds
If no response continues the client sends the query to all servers again and waits 4 seconds, then again and waits 8 seconds
If after performing all of the above steps the client didn't get any response, it returns a time out to the calling process
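The five rounds of section 3.5 as a small simulation, useful when working out how long a failed lookup blocks a calling process. This is an added example, not from the guide; the adapter layout, server addresses and the set of servers that answer are constructed, and it assumes the first adapter in the dictionary is the one carrying the preferred server.

```python
# Added example, not from the guide: a simulation of the DNS client query
# timeout sequence in section 3.5. The adapters, their server lists and the
# set of servers that answer are constructed for the example; the first
# adapter in the dict is assumed to be the one holding the preferred server.
from dataclasses import dataclass


@dataclass(frozen=True)
class QueryRound:
    targets: tuple  # DNS servers queried in this round
    timeout: int    # seconds the client waits before giving up on the round
    starts_at: int  # seconds elapsed since the first query when the round begins


def query_schedule(adapters: dict) -> list:
    """adapters maps adapter name -> list of DNS servers, preferred first.
    Returns the rounds the client runs, in the guide's order and timings:
    preferred server (1 s), first server on every adapter (2 s), then all
    servers on all adapters three times (2 s, 4 s, 8 s)."""
    server_lists = list(adapters.values())
    preferred = (server_lists[0][0],)
    first_on_each = tuple(servers[0] for servers in server_lists)
    all_servers = tuple(s for servers in server_lists for s in servers)
    plan = [(preferred, 1), (first_on_each, 2),
            (all_servers, 2), (all_servers, 4), (all_servers, 8)]
    rounds, elapsed = [], 0
    for targets, timeout in plan:
        rounds.append(QueryRound(targets, timeout, elapsed))
        elapsed += timeout
    return rounds


def total_timeout(adapters: dict) -> int:
    """Seconds before the client reports a time out to the calling process."""
    return sum(r.timeout for r in query_schedule(adapters))


def resolve(adapters: dict, responding: set) -> tuple:
    """Run the schedule against the constructed set of servers that reply.
    Returns (answering server, seconds elapsed when that round started) or
    (None, total wait) when no round gets an answer. Network latency is not
    modelled, so an answer is credited at the start of its round."""
    for rnd in query_schedule(adapters):
        answered = [s for s in rnd.targets if s in responding]
        if answered:
            return answered[0], rnd.starts_at
    return None, total_timeout(adapters)


if __name__ == "__main__":
    # Constructed layout: a LAN adapter with two servers and a VPN adapter with one.
    adapters = {"LAN": ["10.0.0.1", "10.0.0.2"], "VPN": ["10.8.0.1"]}
    for rnd in query_schedule(adapters):
        print(f"t={rnd.starts_at:>2}s  wait {rnd.timeout}s  ask {', '.join(rnd.targets)}")
    print(resolve(adapters, {"10.0.0.2"}))   # only the LAN alternate answers
    print(resolve(adapters, set()))          # nobody answers: (None, 17)
```

Two things the simulation makes visible: the alternate server on the same adapter is not tried until the third round (three seconds in), and when every server is down the caller waits the full 1 + 2 + 2 + 4 + 8 = 17 seconds before seeing a time out.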

[3.6] Configuring DNS server

Network administrator can create two types of zones, forward or reverse lookup. In a forward lookup zone the FQDN is mapped to an IP address, this is a conventional zone. In a reverse lookup zone the IP address is mapped to a FQDN
There are three types of DNS server roles with respect to a zone (i.e. we look at the zone and if our server is primary for that zone we say we have the DNS server in the primary role, however the same server can be secondary for a different zone (call it B) as well, in which case it is said to be in the secondary role for zone B):
o Primary - provides original data, can be updated
o Secondary - provides a copy of original data, cannot be updated
o Stub - copy of a zone containing only those resource records necessary to identify the authoritative DNS server for the master zone, enables the parent zone to keep an updated list of name servers in the child zone


o Caching only - no zones at all stored on the server
When administrator wants to decrease the amount of name resolution traffic while avoiding zone transfer traffic install a caching only server
When DNS server is installed it is automatically configured to act as a caching only server
When a zone is created it automatically has in it SOA and NS records
To view the contents of the DNS server cache administrator needs to select 'Advanced' from the view menu
In the resource record file lines that are blank or start with ; (semi-colon) are ignored by the DNS server
Master server is the server from which a secondary server got zone information (can be a primary server or another secondary server)
When DNS server zone data is stored in AD (AD integrated) all DNS servers become peers
In non-Microsoft implementations of DNS server the secondary zone is also known as the slave zone, while the primary zone is also known as the master zone

[3.7] Resource records

Resource records have the following syntax: Owner TTL Class Type RDATA
Owner - the name of the host or the DNS domain to which this resource record belongs
Time to live (TTL) - a 32 bit integer representation of the time the record should be cached
Class - protocol family in use, optional field, IN (internet class) for Windows based DNS service
Type - for example A or TXT
RDATA - this is where actual resource record data is stored

[3.8] Basic resource record types

Host (A) - most common record type, used to associate computers to IP addresses. Administrator can add them manually, they can be added by the DHCP Client service, updated by proxy for older Windows OS and DHCP on Windows Server 2003.
Alias (CNAME) - also known as canonical names. These records allow computers to use an alternative name to point to a host. They are quite often abused. They are recommended for use when a generic service such as ftp needs to resolve to a group of computers or when renaming a host.
MX - these are mail exchange records and they point to the mail servers for a given domain, more than one is used for fault tolerance (if the company can afford the extra hardware and software needed)
PTR - pointer records are used to perform reverse lookup. Reverse lookups are performed in the zones with root in-addr.arpa. Same methods of creation as an A record - they are opposites of each other.
SRV - service locator records are used to specify the location of services in a domain. Windows Server 2003 AD uses SRV records, all the records needed by AD can be found in Netlogon.dns in the %systemroot%\System32\Config folder, if the records need fixing use netdiag /fix.
NS - name server record is used to indicate which DNS server(s) are designated as authoritative for the zone. Any server specified in the NS record is considered an authoritative source by other servers for the given zone. It is able to answer with certainty any queries made for names included in the zone.


SOA - start of authority indicates the name of origin for the zone and contains the name of the server that is the primary source for information about the zone. It also indicates other basic properties of the zone like the primary DNS server, responsible person, serial number, refresh interval, retry interval, expire interval and TTL. SOA record is always the first record in any standard zone.
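A parser for the Owner TTL Class Type RDATA syntax of section 3.7, applying the blank-line and semicolon rule from section 3.6 and deriving the in-addr.arpa PTR names of sections 3.4 and 3.8 from the A records. This is an added example, not from the guide and not Windows DNS server code; the zone text is constructed, example.test is a placeholder domain, and every record in it is assumed to carry an explicit TTL (the Class field is optional, as the guide says).

```python
# Added example, not from the guide: a parser for the resource record syntax
# in section 3.7 (Owner TTL Class Type RDATA) that honours the blank-line and
# ';' comment rule from section 3.6, plus the reverse-lookup name from
# sections 3.4 and 3.8. The zone text is constructed; example.test is a
# placeholder domain, and TTL is assumed to be present on every record.
from dataclasses import dataclass

SAMPLE_ZONE = """\
; constructed sample zone for example.test, not a real zone file
@      3600 IN SOA   ns1.example.test. hostmaster.example.test. 2004061701 900 600 86400 3600
@      3600 IN NS    ns1.example.test.
ns1    3600 IN A     192.0.2.10

www    300     A     192.0.2.20
ftp    300  IN CNAME www
@      3600 IN MX    10 mail.example.test.
"""

KNOWN_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "SOA", "SRV", "TXT"}


@dataclass
class ResourceRecord:
    owner: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


def absolute(name: str, origin: str) -> str:
    """Expand '@' and relative owner names against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> list:
    """Return ResourceRecord objects for every non-blank, non-comment line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # ignored by the DNS server, so ignored here
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed record: {line!r}")
        owner, ttl = absolute(fields[0], origin), int(fields[1])
        # Class is optional and defaults to IN; the type follows it.
        if fields[2] == "IN":
            rtype, rdata = fields[3], " ".join(fields[4:])
        else:
            rtype, rdata = fields[2], " ".join(fields[3:])
        if rtype not in KNOWN_TYPES:
            raise ValueError(f"unknown record type {rtype!r} in {line!r}")
        records.append(ResourceRecord(owner, ttl, "IN", rtype, rdata))
    return records


def reverse_name(ip: str) -> str:
    """a.b.c.d -> d.c.b.a.in-addr.arpa. (absolute, so with the trailing dot)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_records(records: list) -> list:
    """Build the PTR record that pairs with each A record: owner and rdata swap
    roles, with the owner rewritten into the in-addr.arpa tree."""
    return [ResourceRecord(reverse_name(r.rdata), r.ttl, r.rclass, "PTR", r.owner)
            for r in records if r.rtype == "A"]


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE, "example.test.")
    for rec in zone + ptr_records(zone):
        print(f"{rec.owner:<28} {rec.ttl:>5} {rec.rclass} {rec.rtype:<5} {rec.rdata}")
```

Rejecting unknown types and short lines instead of skipping them is deliberate: a silently dropped record is the kind of zone-file mistake that shows up later as an unexplained resolution failure.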

    [3.9] Configuring client computers for use of DNS

    In order to configure DNS on a client system an administrator needs to do three things:o Administrator needs to set host name for each computer that is going to use DNS,

    it can have up to 63 bytes (for NetBIOS compatibility up to 15 bytes (characters))

    and can only contain letters numbers and '-', it is not case sensitive

    o Administrator also needs to set primary DNS suffix for each computer, the suffixtogether with the host name forms a FQDN, it is selected from the system

    properties -> computer name -> change button -> More, by default it is the same as

    the AD name in which the PC resides

    o Finally, administrator need to write a list of DNS servers that the client is to use inorder, starting with preferred DNS server

The administrator may also configure a connection-specific DNS suffix for each adapter on the DNS client PC (Advanced TCP/IP Settings dialog box). This gives the same computer a different FQDN per connection, so it can be reached on another subnet in addition to its full computer name. For each FQDN (the full computer name and each connection-specific name) an A and a PTR record are registered in the appropriate zones on the appropriate DNS servers.

If the network administrator configures a DNS suffix search list, the computer will be able to resolve both single-label and multiple-label unqualified names using the suffixes in that list. By default (no search list) the search is performed using the primary DNS suffix and, if applicable, the connection-specific suffixes.

The ipconfig /displaydns command shows the DNS resolver cache on the client; ipconfig /flushdns clears it.

When a query is submitted with an unqualified name, the DNS client service by default appends the primary DNS suffix and tries the query. If that fails, the client appends the connection-specific DNS suffixes and retries. If there is still no positive response, the client appends the parent suffixes of the primary DNS suffix (devolution: for a primary suffix of sales.corp.example.com it tries corp.example.com and then example.com) and performs the final checks.
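The search order above, as an added example (this is not code from the guide): it generates the ordered list of FQDNs the client would query for an unqualified name, both for the default behaviour (primary suffix, connection-specific suffixes, then devolution of the primary suffix) and for a configured suffix search list, which replaces that default order. The domain names and the fake DNS table are constructed for the illustration; stopping devolution at the second-level domain and trying a multi-label name as typed first are assumptions about the client, not statements from the guide.

```python
"""Candidate names tried by the Windows DNS client for an unqualified name.

Added example; not code from the guide. Domain names and the fake DNS data
are constructed. Devolution stopping at the second-level domain and a
multi-label name being tried as typed first are assumptions.
"""

from typing import Callable, Iterable, Optional


def devolve(suffix: str, min_labels: int = 2) -> list[str]:
    """Parent suffixes of `suffix`, stopping when `min_labels` labels remain.
    'sales.corp.example.com' -> ['corp.example.com', 'example.com']"""
    labels = suffix.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - min_labels + 1)]


def candidate_names(name: str, primary_suffix: str,
                    connection_suffixes: Iterable[str] = (),
                    search_list: Optional[Iterable[str]] = None) -> list[str]:
    """Ordered list of FQDNs the client will query for `name`."""
    if name.endswith("."):                      # trailing dot: already fully qualified
        return [name.rstrip(".")]
    suffixes: list[str] = []
    if search_list:                             # an explicit search list replaces all defaults
        suffixes = [s.strip(".") for s in search_list]
    else:
        if primary_suffix:
            suffixes.append(primary_suffix.strip("."))
        for s in connection_suffixes:           # per-adapter suffixes come next
            s = s.strip(".")
            if s and s not in suffixes:
                suffixes.append(s)
        if primary_suffix:                      # devolution: parents of the primary suffix
            for parent in devolve(primary_suffix):
                if parent not in suffixes:
                    suffixes.append(parent)
    candidates = [name] if "." in name else []  # multi-label name: try as typed first (assumption)
    candidates += [f"{name}.{s}" for s in suffixes]
    return candidates


def resolve(name: str, lookup: Callable[[str], Optional[str]], **config) -> Optional[tuple[str, str]]:
    """Query each candidate in order; return (fqdn, address) of the first positive answer."""
    for fqdn in candidate_names(name, **config):
        address = lookup(fqdn)
        if address is not None:
            return fqdn, address
    return None


# Constructed stand-in for the DNS servers the client would ask.
FAKE_DNS = {
    "fileserver.example.com": "10.0.0.20",
    "printer.lab.example.net": "10.0.1.9",
}

if __name__ == "__main__":
    cfg = dict(primary_suffix="corp.example.com", connection_suffixes=["lab.example.net"])
    print(candidate_names("fileserver", **cfg))
    print(resolve("fileserver", FAKE_DNS.get, **cfg))
    print(resolve("printer", FAKE_DNS.get, **cfg))
```

Note what devolution does from a security point of view: a name that does not exist in corp.example.com is eventually looked up in example.com, so anyone who can register names in a parent zone can answer for unqualified names typed on machines in the child domain.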

If the administrator can ping a user's computer by IP address (from another PC) but not by name, the client's records have probably not been registered; on Windows 2000/XP/2003 run ipconfig /registerdns on that client to re-register them.

    [3.10] Updating of client records in the DNS

Windows 2000/2003 DNS servers and BIND 8.1.2 or later accept dynamic updates of A and PTR records performed by clients, or on behalf of clients by a DHCP server.

By default, clients with a static IP address attempt to update both the A and PTR records for all of their IP addresses. Registration is based on the domain membership settings.

Windows 2000/XP/2003 computers with a dynamic address (assigned by DHCP) attempt to update only their A records (the PTR record is left for the DHCP server to update if needed). The client re-registers with the server every 24 hours, or sooner when one of the following occurs:

o The computer name changes

o The member computer is promoted to the role of DC

o One of the following commands is used: ipconfig /release, ipconfig /renew, ipconfig /registerdns

o The local IP address changes, including a new IP address lease from the DHCP server

Computers with an operating system earlier than Windows 2000 (i.e. 95/98/Me) that use a dynamic address have the DHCP server do all the work (both A and PTR records), because the client is unaware of dynamic update. On Windows 2000 and later the user can force registration from the client using ipconfig /registerdns.

    [3.11] DNS server properties

Interfaces - on which IP addresses the server computer listens for requests; by default all IP addresses.

Forwarders - sets up upstream DNS servers to which the current DNS server forwards the queries it cannot answer from its own zones or cache. Forwarding selected queries (those for specific domain names) to specific servers is called conditional forwarding. This tab also lets the administrator disable recursion on a per-domain basis for queries that are sent to a forwarder (by default, if the forwarder fails to resolve the name, the local server tries to resolve it itself using recursion). When DNS server A has server B set as its forwarder and recursion for that forwarder is disabled, server A is called a slave server, since it is totally dependent on server B for any query it cannot resolve locally. The default timeout for a forwarded query is 5 seconds.

Advanced tab - enables and disables special features. If the administrator disables recursion here it is disabled for all queries, and forwarders stop working as well (the server only returns referrals).

Root hints - this tab contains a copy of the information found in the %systemroot%\system32\dns\cache.dns file. The list of root servers rarely changes; network administrators can get the latest file from ftp://rs.internic.net/domain/named.cache. If the DNS server is itself a root server (hosts the "." zone) the administrator should delete this file, in which case this tab is disabled.

Debug logging - lets the network administrator troubleshoot the DNS server by logging selected incoming and outgoing packets. Debug logging is a processor- and disk-intensive operation and should be enabled only while troubleshooting.

Event logging - lets the network administrator restrict which events are written to the DNS event log.

Monitoring - two basic functionality tests are performed here. The first is a simple query to the server itself (a reverse lookup of the loopback address); the second is a recursive query that the server resolves through other DNS servers (root hints or forwarders). Administrators can also schedule these tests to run at a set interval.

Security - this tab is available only if the DNS server is also a domain controller; it sets the permissions of the users and groups that are allowed to view, edit and manage DNS zone data.

    [3.12] Configuring Zone properties

General tab - used to configure the zone type, zone file name, dynamic updates and aging. Administrators can pause name resolution for a zone here. AD-integrated zones have replication settings enabled, so the administrator can select to which servers the DNS zone data is replicated. There are three dynamic update settings for AD-integrated zones: none, nonsecure and secure, and secure only (standard primary zones offer only none and nonsecure and secure). Aging is the process of placing a time stamp on a dynamically registered resource record and then tracking the record's age. Scavenging is the process of deleting outdated records. When aging and scavenging are enabled, the zone files are not compatible with Windows DNS servers older than Windows 2000.

Start of authority (SOA) tab - the administrator can set the serial number, which acts as a revision number and is used to synchronize zone transfers (a secondary transfers the zone only when the master's serial is higher than its own). The primary server box contains the full name of the server and must end with a period. Responsible person is the mailbox name of the person responsible for the zone, written as a domain name (the '@' replaced by a '.') and also ending with a period. Refresh interval is how long a secondary server waits before checking the master server for an updated copy of the zone; the default is 15 minutes. Retry interval is how long a secondary server waits before retrying a failed zone transfer; the default is 10 minutes. Expires after is how long a secondary server without contact with its master continues to answer queries; the default is 1 day, after which its data is treated as unreliable and it stops answering. Minimum (default) TTL is the time to live applied to all resource records in the zone that do not carry their own; the default is 1 hour. TTL for this record is the TTL of the SOA record itself and overrides the general TTL setting above it.

Name Servers tab - this tab lets the administrator create NS resource records; this is the only place they can be created in the console (apart from adding them manually as records). Every zone must contain at least one NS record. In Windows Server 2003, zone transfers for primary zones are by default allowed only to the servers listed in the Name Servers tab.

Security tab - ACL that defines who can manage and modify zone data.

WINS tab - used to configure WINS servers to aid in name resolution. When the administrator configures WINS here, a WINS resource record is added to the zone database. If WINS lookup is configured for both forward and reverse zones, a WINS record is added to the forward zone and a WINS-R record to the reverse zone.

Zone Transfers tab - lets the system administrator restrict the servers to which zone data will be transferred. For primary zones the options are: zone transfers disabled, allowed only to the servers on the Name Servers tab (the Windows Server 2003 default), allowed only to servers the administrator lists by IP address, or allowed to any server. Secondary servers do not allow transfers by default; they must be enabled first. 'To any server' was the Windows 2000 default and is a serious information disclosure hole, since anyone on the network can pull a complete list of the zone's hosts. The administrator can also have the master notify the secondary servers of a zone change; notification is enabled by default. There is no need for notification in AD-integrated zones, since they replicate through AD. If the server to which the zone is to be transferred has multiple IP addresses, all of them (or at least the one it sends the request from) must be included for transfers to succeed, because the ACL is checked against the source address of the request.
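The two mechanisms above, the transfer ACL and the secondary's refresh cycle driven by the SOA values, as an added example (not code from the guide or from the Windows DNS server). The policy modes mirror the Zone Transfers tab settings; the timers use the Windows defaults from the SOA tab (refresh 15 minutes, retry 10 minutes, expire 1 day); serial numbers are compared with RFC 1982 serial arithmetic so that a wrapped 32-bit serial is still recognised as newer. The addresses and serial numbers are constructed.

```python
"""Zone transfer access control and the secondary's refresh/retry/expire cycle.

Added example; not the guide's or Microsoft's code. Addresses and serial
numbers are constructed; timers are the Windows SOA defaults in seconds.
"""

from ipaddress import ip_address


class ZoneTransferPolicy:
    DISABLED, NS_TAB, LISTED, ANY = "disabled", "name-servers-tab", "listed", "any"

    def __init__(self, mode: str, ns_tab_ips=(), listed_ips=()):
        self.mode = mode
        self.ns_tab_ips = {ip_address(ip) for ip in ns_tab_ips}
        self.listed_ips = {ip_address(ip) for ip in listed_ips}

    def allows(self, requester_ip: str) -> bool:
        """Is an AXFR/IXFR from this *source* address permitted?"""
        src = ip_address(requester_ip)
        if self.mode == self.ANY:            # the Windows 2000 default: anyone can dump the zone
            return True
        if self.mode == self.NS_TAB:         # Windows Server 2003 default
            return src in self.ns_tab_ips
        if self.mode == self.LISTED:
            return src in self.listed_ips
        return False                         # DISABLED


def serial_newer(master: int, local: int) -> bool:
    """RFC 1982: master is newer if (master - local) mod 2^32 lies in (0, 2^31)."""
    diff = (master - local) % (1 << 32)
    return 0 < diff < (1 << 31)


class SecondaryZone:
    def __init__(self, serial: int, now: int = 0,
                 refresh: int = 900, retry: int = 600, expire: int = 86400):
        self.serial, self.refresh, self.retry, self.expire = serial, refresh, retry, expire
        self.last_contact = now       # last successful SOA check or transfer
        self.next_check = now         # service start: check the master immediately
        self.expired = False

    def notify(self, now: int) -> None:
        """DNS NOTIFY from the master: check right away instead of waiting for refresh."""
        self.next_check = now

    def poll(self, now: int, master_serial):
        """Called by the zone's timer loop. master_serial=None means the master
        did not answer. Returns the action taken."""
        if now < self.next_check:
            return "wait"
        if master_serial is None:
            self.next_check = now + self.retry
            if now - self.last_contact >= self.expire:
                self.expired = True          # stop answering: the data is unreliable
                return "expired"
            return "retry"
        self.last_contact = now
        self.next_check = now + self.refresh
        self.expired = False
        if serial_newer(master_serial, self.serial):
            self.serial = master_serial      # the IXFR/AXFR would happen here
            return "transfer"
        return "up-to-date"


if __name__ == "__main__":
    policy = ZoneTransferPolicy(ZoneTransferPolicy.NS_TAB, ns_tab_ips=["192.0.2.10", "192.0.2.11"])
    print(policy.allows("192.0.2.10"), policy.allows("198.51.100.7"))   # True False
    zone = SecondaryZone(serial=2004061700)
    print(zone.poll(0, 2004061700), zone.poll(300, 2004061701))         # up-to-date wait
    zone.notify(300)
    print(zone.poll(300, 2004061701), zone.poll(1200, None))            # transfer retry
```

The check in allows() is on the source address of the TCP connection, which is why a multi-homed secondary must have the address it actually connects from in the list; a missing entry shows up as a transfer that is simply refused.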

    [3.13] Configuring Zone properties - AD integration

Application directory partition - replicated among DCs. The partitions applicable to DNS are DomainDnsZones and ForestDnsZones. The name of each application directory partition is the partition name concatenated with the domain FQDN, for example DomainDnsZones.microsoft.com. The domain partition is replicated to all DNS servers that are DCs in the domain; the forest partition is replicated to all DNS servers that are DCs in the forest. The administrator can create additional application directory partitions for DNS with dnscmd [server] /createdirectorypartition [full partition name (FQDN)]; to enlist other DNS servers in the partition the administrator issues dnscmd [server] /enlistdirectorypartition [full partition name (FQDN)]. There are no application directory partitions on Windows 2000 (they are new in Windows Server 2003). To work with application directory partitions the administrator needs to be a member of the Enterprise Admins security group.


There are four options for zone data replication when the administrator chooses to use AD-integrated zones. On the General tab of the zone properties a button is available to change the replication scope of an AD-integrated zone. Zone data can be replicated:

o To all DNS servers in the AD forest - broadest scope of replication (the ForestDnsZones partition)

o To all DNS servers in the AD domain (the DomainDnsZones partition)

o To all DCs in the AD domain [domain name] - select this if Windows 2000 DNS servers are to load the AD zone, since they only read the domain partition

o To all DCs specified in the scope of the following application directory partition - replicates as the named partition does; if the zone is to be stored in a specified application directory partition, the DNS server hosting the zone must be enlisted in that partition

Secure dynamic updates can be performed only in AD-integrated zones; they use Kerberos (GSS-TSIG) to authenticate the client. Only Windows 2000/XP/2003 computers are capable of secure updates.

DnsUpdateProxy group - used to solve a problem that occurs with secure dynamic updates. The computer that registers a record becomes its owner and is the only one that can update it. So, for example, if a DHCP server registers the A record for a PC, the DHCP server becomes the owner, not the PC to which the A record points. When the DHCP server is a member of the DnsUpdateProxy group it does not take ownership of the records it creates: they exist without security (no owner) until the real owner updates them and takes ownership.

Primary and stub zones can be AD-integrated. Secondary zones are always stored as text files; there are no AD-integrated secondary zones, since AD integration makes all servers hosting the zone peers (multi-master).

    [3.14] Advanced DNS server properties

Disable recursion - in the default (disabled) state the DNS server uses recursion to resolve client queries. When the option is enabled the DNS server does not resolve the query for the client but instead returns referrals. When recursion is disabled the DNS server cannot use forwarders either. Disabling recursion on an Internet-facing authoritative server is the usual way to stop it acting as an open resolver.

BIND Secondaries - when enabled, the DNS server does not use the fast transfer format when performing a zone transfer to a BIND-based secondary server. This preserves compatibility with old versions of BIND; BIND 4.9.4 and later support fast zone transfer, so this option should be cleared when all secondaries run such versions. The fast transfer format is efficient: it allows compression and multiple records per TCP message, and it is always used between Windows-based DNS servers. This option is enabled by default.

Fail on Load if Bad Zone Data - when this option is disabled (the default) the DNS server loads a zone even if errors are found in the database file, and logs the errors. When the option is enabled a damaged zone database stops the load operation entirely and the zone is not loaded.

Enable netmask ordering - when selected (the default) this option ensures that when a client query matches multiple A records, the records on the client's own subnet are placed first in the response list (which still contains all matching records). This option is also referred to as LocalNetPriority, the name it has in the dnscmd utility.

Enable round robin - this setting (enabled by default) rotates the order of the returned records each time a query matches multiple A records. The method is used as a poor man's network load balancing. Local subnet priority (netmask ordering) is applied after round robin, so local records still come first. When round robin is disabled, records are returned in the order in which they are stored in the zone.
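How the two ordering options interact, as an added example (not the guide's or the DNS server's code). Round robin is modelled as rotating the record list by a per-name query counter; netmask ordering then moves the records on the client's subnet to the front, so local records win over rotation as the text states. Using a /24 to decide "same subnet" is an assumption for the illustration (the real server uses a configurable mask), and the addresses are constructed.

```python
"""Response ordering with round robin and netmask ordering (LocalNetPriority).

Added example; not the guide's or the DNS server's code. The /24 local
prefix is an assumption; addresses are constructed.
"""

from ipaddress import ip_address, ip_network


class Responder:
    def __init__(self, netmask_ordering: bool = True, round_robin: bool = True,
                 local_prefix: int = 24):
        self.netmask_ordering = netmask_ordering
        self.round_robin = round_robin
        self.local_prefix = local_prefix
        self._counter: dict[str, int] = {}    # per-name rotation state

    def order(self, name: str, records: list[str], client_ip: str) -> list[str]:
        """Return all A records for `name`, ordered as they would be sent to client_ip."""
        ordered = list(records)               # zone-file order when both options are off
        if self.round_robin and ordered:
            k = self._counter.get(name, 0) % len(ordered)
            self._counter[name] = k + 1
            ordered = ordered[k:] + ordered[:k]
        if self.netmask_ordering:
            local_net = ip_network(f"{client_ip}/{self.local_prefix}", strict=False)
            local = [r for r in ordered if ip_address(r) in local_net]
            remote = [r for r in ordered if ip_address(r) not in local_net]
            ordered = local + remote          # stable: rotation order is kept within each group
        return ordered


WEB = ["10.1.1.5", "10.1.2.5", "10.1.1.6"]    # constructed: three A records for one name

if __name__ == "__main__":
    r = Responder()
    for _ in range(3):
        print(r.order("www", WEB, "10.1.2.77"))
```

Round robin only changes the order the server sends; a client that caches the whole answer keeps using its first choice until the TTL runs out, which is why it is a poor man's load balancing and not a substitute for a real one.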


Secure cache against pollution - this setting (enabled by default) prevents the DNS server from accepting referral records that could pollute its cache. The server caches only those records whose names belong to the domain tree of the name that was originally queried; any other records in the response (for example unrelated A records slipped into the additional section by a malicious server) are discarded.

Name checking - the default setting of Multibyte (UTF8) makes the DNS server verify that all domain names conform to the Unicode Transformation Format. Use Strict RFC (ANSI) if the server must interoperate with servers that cannot handle UTF-8 names; the other two options (All names and Non RFC (ANSI)) are only for special circumstances.

Load zone data on startup - specifies where the initial zone data is loaded from; by default it is from Active Directory and the registry. The other options are the registry alone, or a BIND-style boot file. The boot file comes from BIND-based DNS servers and uses the older BIND 4 format (Named.boot), not the BIND 8 format.

Enable automatic scavenging of stale records - this option is disabled by default; when enabled, the DNS server scavenges stale records automatically at the configured interval (7 days by default).

    [3.15] Creating zone delegations

When the administrator delegates a zone he assigns authority over a portion of the main DNS namespace to a subdomain within that namespace. Responsibility for the subdomain is passed from the parent domain to the subdomain's own name servers.

The network administrator should consider delegation when:

o There is a need for hosts whose names are structured around departmental affiliation

o The central company administrative body wants departments to handle their own namespace

o Network traffic is creating the need to distribute the query load over multiple DNS databases

The parent zone needs to contain the NS record and the A (glue) record of the child zone's name server; both records are created automatically when a new delegation is created. The glue A record is hidden from the administrator's view in the console, but it is still there.

The NS record is known as the delegation record; it advertises the name server and performs the actual delegation. The A resource record is known as the glue record; it is needed when the authoritative server's name is itself inside the delegated zone (otherwise a resolver could not find the server's address without already being able to query the zone).

Delegation takes precedence over forwarding: if a server knows of a child zone that can answer the query, it contacts that child's name servers rather than sending the query to a forwarder.

    [3.16] Stub Zones

A stub zone is a shrunk copy of a zone, updated at regular intervals, that contains only the SOA record, the NS records and the glue A records of the master zone. As a result, the server that hosts the stub zone does not answer queries for the zone directly; instead it directs queries to the name servers listed in the stub zone's NS records.

The stub zone keeps all NS records from the master zone current. When the administrator configures a stub zone he needs to specify at least one master name server whose IP address does not change. Any further name servers added to the master zone are picked up automatically through zone transfer. The administrator cannot modify the stub zone data directly; it is updated automatically when the master zone changes.


Stale records (records that are no longer valid) can be left on the server. A common way this happens is when a client PC is not able to clean up after itself, for instance because it is improperly disconnected from the network.

The following features of the DNS server in Windows 2003 help system administrators get rid of stale records:

o Records in a primary zone can carry a time stamp (taken from the DNS server's clock); manually added records have a time stamp of zero, which means they never age

o Records age according to the zone's no-refresh and refresh intervals (not the record TTL). Scavenging runs on the primary server; secondary zones receive the result through zone transfer

If stale records persist on the system, they may cause the following problems:

o Improper name resolution, e.g. a FQDN that is prevented from being used by another PC

o Poor server performance: too many records to search and very large zone files to transfer
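The aging rules above in working form, as an added example (not the guide's or the DNS server's code). Each dynamic record carries a time stamp; a manually created record has none and never ages; a refresh with unchanged data that arrives inside the no-refresh interval is not written (that is what keeps refresh traffic from replicating); a record is stale once no-refresh plus refresh has elapsed since its time stamp. The 7-day intervals are the Windows defaults; the names and times are constructed.

```python
"""Aging and scavenging of dynamically registered records.

Added example; not the guide's or the DNS server's code. Intervals are the
Windows defaults; names and times are constructed. Treating a dynamic update
to a static record as leaving it static is an assumption.
"""

from datetime import datetime, timedelta
from typing import Optional

DAY = timedelta(days=1)


class AgingZone:
    def __init__(self, no_refresh: timedelta = 7 * DAY, refresh: timedelta = 7 * DAY):
        self.no_refresh, self.refresh = no_refresh, refresh
        # name -> (data, timestamp or None). None plays the role of the
        # zero time stamp on manually added records.
        self.records: dict[str, tuple[str, Optional[datetime]]] = {}

    def add_static(self, name: str, data: str) -> None:
        self.records[name] = (data, None)

    def dynamic_update(self, name: str, data: str, now: datetime) -> str:
        existing = self.records.get(name)
        if existing is not None:
            old_data, stamp = existing
            if stamp is None:                    # static record stays static (assumption)
                self.records[name] = (data, None)
                return "static"
            if old_data == data and now < stamp + self.no_refresh:
                return "suppressed"              # same data inside no-refresh window: nothing written
        self.records[name] = (data, now)         # new data, or refresh window reached: stamp it
        return "refreshed"

    def is_stale(self, name: str, now: datetime) -> bool:
        data, stamp = self.records[name]
        return stamp is not None and now >= stamp + self.no_refresh + self.refresh

    def scavenge(self, now: datetime) -> list[str]:
        """Delete every stale record and return the names removed."""
        stale = [n for n in self.records if self.is_stale(n, now)]
        for n in stale:
            del self.records[n]
        return stale


if __name__ == "__main__":
    t0 = datetime(2004, 6, 17)
    zone = AgingZone()
    zone.add_static("www", "10.0.0.10")
    zone.dynamic_update("laptop1", "10.0.0.51", t0)
    zone.dynamic_update("laptop2", "10.0.0.52", t0)
    print(zone.dynamic_update("laptop1", "10.0.0.51", t0 + 3 * DAY))   # suppressed
    print(zone.dynamic_update("laptop1", "10.0.0.51", t0 + 8 * DAY))   # refreshed
    print(zone.scavenge(t0 + 14 * DAY))                                # ['laptop2']
```

The practical consequence of the no-refresh window: a client that re-registers every 24 hours only actually writes its record once per no-refresh interval, and a record is never scavenged earlier than no-refresh plus refresh after its last write, so the shortest possible lifetime of an abandoned record is 14 days with the defaults.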

    [3.19] Using DNS monitoring tools

To monitor the resource impact of the DNS server on the computer use Performance Monitor, perfmon.exe. The DNS performance object includes 62 different counters the computer can track.

For AD-integrated zones there is the option of using AD's own monitoring to trace the replication traffic. Replmon.exe from the Windows Support Tools is used to monitor and troubleshoot AD replication.

The replication monitor displays 5 or more directory partitions; the administrator needs to find out in which one the DNS zone data is stored. The command dnscmd /zoneinfo [zone name] shows the zone information, including its partition. Once the directory partition is known, the administrator can use the replication monitor to force zone replication: right-click the partition and choose Synchronize with all servers. Any general replication errors are displayed by the replication monitor.

For more advanced AD replication debugging use the repadmin utility, also provided as part of the Windows Support Tools.

    [3.20] Improving DNS server performance

By installing a caching-only server close to the clients, the load on the primary and secondary servers is greatly decreased.

    [3.21] Other points

The DNS server cache is cleared each time the DNS service is restarted. It can also be cleared with dnscmd /clearcache from the command line.

The DNS server's simple test consists of a single reverse lookup of the loopback address; if it fails, make sure you have a record named '1' in the reverse lookup zone 0.0.127.in-addr.arpa. The other test checks recursive resolution.

A zone transfer can be started when one of the following four events occurs:

o The refresh interval of the zone's SOA record expires on the secondary

o The secondary server boots up (the DNS service is restarted)

o A change occurs in the zone records on the primary server and it notifies the secondary of the change

o The DNS console is used at the secondary server to manually initiate a transfer from its master server


When a zone transfer occurs it is by default an incremental zone transfer (IXFR), which transfers only the changed records; it is described in RFC 1995. Older DNS servers that do not support IXFR fall back to a full zone transfer (AXFR), which Windows Server 2003 also supports; the older mechanism transfers the whole zone database.

Stub and secondary zone update operations explained:

o Reload - reloads the zone from the local storage of the DNS server hosting it

o Transfer from Master - the server hosting the zone checks the SOA record on the master for a newer serial number and, if it finds one, performs a zone transfer from the master server

o Reload from Master - performs a zone transfer from the master server regardless of the serial number or expire date in the zone's SOA record

    Part 4: Implementing, configuring and troubleshooting DHCP servers

    [4.1] Configuring DHCP server

A DHCP server allows the system administrator to automatically assign IP addresses, subnet masks and other configuration information such as DNS and WINS server addresses to client computers on the local network.

Through the use of a DHCP server, network administrators save the time required for configuring and re-configuring computers.

The administrator should install the DHCP service on a computer that has a static IP address (otherwise clients would have no fixed address to contact when renewing their leases).

You need administrative privileges to install and administer a DHCP server.

You need to authorize the DHCP server if it is to operate in an AD network (the person authorizing it needs to be a member of the Enterprise Admins security group). Stand-alone DHCP servers can still be deployed, but they should not share a subnet with authorized DHCP servers. Stand-alone Windows servers that are deployed alongside authorized servers are treated as rogue servers: a Windows 2000/2003 DHCP server automatically stops its DHCP service when it detects an authorized server on the subnet. This protection only covers Windows DHCP servers; a non-Windows rogue DHCP server does not check AD and keeps answering clients.

A DHCP scope is a pool of IP addresses within a logical subnet which the DHCP server assigns to its clients. Scopes provide for IP address management.

When an IP address is offered to a client it is called a lease; once the lease is granted it is said to be active. Leases are renewed for different reasons; the client first tries to renew when 50% of the lease time has elapsed.

The DHCP server's own IP address has to belong to the subnet of the scope it serves, i.e. the server's interface has to be on the scope's network (the server's address itself should then be excluded from the scope).

The 80/20 rule - to provide fault tolerance in an environment with two DHCP servers, the first server (A) should hold 80% of the addresses of its local subnet and 20% of the addresses of the subnet on which the other DHCP server (B) is located. The same assignment is repeated on server (B), which gets 80% of the addresses in its own subnet and 20% of the addresses in the subnet where server (A) is. The concept is applied whenever 2 or more DHCP servers are present.

Reservations are addresses in the scope reserved for specific computers. You reserve an IP address for a specific network adapter using its MAC address. To create a new reservation, open the scope in which you want to create it, right-click Reservations and select New Reservation. Reservations cannot be used interchangeably with manual static configurations. A reservation does not work when its address is simultaneously reserved and excluded. Reservations are used as an alternative to static addresses for computers that are not essential to network function (i.e. not critical servers).

The scope needs to be activated before the server can hand out addresses (in an AD environment the server also needs to be authorized). To activate a scope open the DHCP console, select the scope you want to activate and choose Activate from the Action menu.

Exclusion range - a group of IP addresses within the scope that the administrator does not wish to be leased to DHCP clients.
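The address selection rules from the paragraphs above (activation, reservations, exclusions, conflict detection and the 80/20 split) as an added example; this is not the guide's or the DHCP server's code. A scope must be activated before it leases; a reserved MAC always gets its reserved address unless that address is also excluded, in which case the reservation fails as the guide notes; other clients get the lowest free address that is not excluded, not reserved and, when conflict detection is on, not answering a ping. eighty_twenty() returns the exclusion range each of two servers adds to a scope covering the whole subnet so that A serves 80% and B the remaining 20%. Addresses and MACs are constructed.

```python
"""DHCP scope model: exclusions, reservations, conflict detection and the 80/20 split.

Added example; not the guide's or the DHCP server's code. Addresses and MAC
addresses are constructed; the ping hook stands in for conflict detection.
"""

from ipaddress import IPv4Address, ip_address
from typing import Callable, Dict, List, Optional, Set, Tuple

Ping = Callable[[IPv4Address], bool]   # conflict detection hook: True if the address answers


def address_range(start: str, end: str) -> List[IPv4Address]:
    lo, hi = int(ip_address(start)), int(ip_address(end))
    return [IPv4Address(i) for i in range(lo, hi + 1)]


class Scope:
    def __init__(self, start: str, end: str, lease_seconds: int = 8 * 86400):
        self.pool = address_range(start, end)
        self.lease_seconds = lease_seconds
        self.excluded: Set[IPv4Address] = set()
        self.reservations: Dict[str, IPv4Address] = {}   # MAC -> address
        self.leases: Dict[IPv4Address, str] = {}          # address -> MAC
        self.active = False

    def exclude(self, start: str, end: str) -> None:
        self.excluded.update(address_range(start, end))

    def reserve(self, mac: str, address: str) -> None:
        self.reservations[mac.lower()] = ip_address(address)

    def activate(self) -> None:
        self.active = True

    def lease(self, mac: str, ping: Optional[Ping] = None) -> IPv4Address:
        if not self.active:
            raise RuntimeError("scope is not activated")
        mac = mac.lower()
        if mac in self.reservations:
            addr = self.reservations[mac]
            if addr in self.excluded:
                raise RuntimeError(f"{addr} is reserved and excluded at the same time")
            self.leases[addr] = mac
            return addr
        for addr, owner in self.leases.items():   # renewal: keep the existing lease
            if owner == mac:
                return addr
        reserved = set(self.reservations.values())
        for addr in self.pool:
            if addr in self.excluded or addr in reserved or addr in self.leases:
                continue
            if ping is not None and ping(addr):    # conflict detection: someone already uses it
                continue
            self.leases[addr] = mac
            return addr
        raise RuntimeError("scope exhausted")


def eighty_twenty(start: str, end: str) -> Dict[str, Tuple[str, str]]:
    """Exclusion range each server adds to a scope that covers the whole subnet,
    so that server A hands out the first 80% and server B the last 20%."""
    pool = address_range(start, end)
    split = (len(pool) * 8) // 10                    # first index that belongs to B
    return {
        "A excludes": (str(pool[split]), str(pool[-1])),
        "B excludes": (str(pool[0]), str(pool[split - 1])),
    }


if __name__ == "__main__":
    scope = Scope("192.168.1.10", "192.168.1.20")
    scope.exclude("192.168.1.10", "192.168.1.12")       # static servers live here
    scope.reserve("00-11-22-33-44-55", "192.168.1.15")
    scope.activate()
    in_use = lambda addr: str(addr) == "192.168.1.13"  # constructed ping result
    print(scope.lease("aa-bb-cc-dd-ee-01", ping=in_use))   # 192.168.1.14
    print(scope.lease("00-11-22-33-44-55"))               # 192.168.1.15
    print(eighty_twenty("192.168.1.10", "192.168.1.209"))
```

Conflict detection is only as good as the ping: a host with a firewall that drops ICMP looks free, so exclusions for known static hosts are still required.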

DHCP is an extension of the Bootstrap Protocol (BOOTP). The Microsoft DHCP server can also assign addresses to BOOTP clients.

    [4.2] DHCP scope options

DHCP options can be configured at the reservation, scope and server level (the more specific level wins: reservation over scope over server). To configure options for a reservation, select it and choose 'Configure Options' from the Action menu. To configure options for a scope, select the Scope Options folder and then 'Configure Options'. To configure server options, select the Server Options folder and then 'Configure Options'.

There are more than 60 different options available on the DHCP server; the most common (important) ones are:

o 003 Router - IP addresses of routers on the client's subnet, used by the client as default gateways for packet forwarding

o 006 DNS Servers - IP addresses of DNS servers

o 015 DNS Domain Name - the domain name DHCP clients should use when resolving unqualified names during DNS name resolution; it also provides the suffix used for client dynamic DNS update

o 044 WINS/NBNS Servers - IP addresses of WINS servers

o 051 Lease - lease time option, typically used to give remote access clients a shorter lease

Options set on the DHCP server take effect when clients renew or obtain a new lease.

[4.3] DHCP scope features

Scope name page - you can give your scope a name.

IP address range - define the starting and ending IP address of the scope and the subnet mask. You should choose a consecutive address range of the subnet and later exclude the addresses of computers with static addresses.

Add exclusions - the addresses that will not be leased to DHCP clients.

Lease duration - length of the lease.

Configure DHCP options - whether to configure DHCP options for the scope in the further pages of the wizard or later in the DHCP console; options can be configured at the reservation, scope or server level. There are more than 60 different DHCP options.

Router (Default Gateway) - optional; which default gateway should be assigned to DHCP clients.

Domain name and DNS servers - optional; which domain is assigned as the parent domain and which DNS servers are given to the DHCP clients.

WINS servers - optional; addresses of the WINS servers to be assigned to DHCP clients.


Activate scope - optional; whether the scope is activated when the wizard finishes.

    [4.4] Managing DHCP server

To change the DHCP server status open the DHCP console, go to the Action menu and select one of Start, Stop, Pause, Restart and Resume.

You can also use the net command to change the status of the DHCP server; the command line syntax is net [start|stop|pause|continue] dhcpserver (DHCPServer is the service name).

You can manage the DHCP server from the command line using the netsh tool with its dhcp context (netsh dhcp ...).

A superscope is an administrative grouping of scopes used to support multiple logical subnets, also known as multinets, on a single network segment. Superscopes exist on one physical network and work with multiple logical networks. They let the DHCP server provide clients on that segment with addresses from multiple scopes. The administrator needs to delete the superscope before deleting any scope contained within it. A superscope only groups scopes that can be activated together; it does not carry any configuration details of its own.

To move a scope to a new addressing range, first create a new scope with the new range, activate it and deactivate the old scope. Either manually or by waiting for renewals, make sure all clients move to the new scope, then delete the old scope.

If no superscope is defined on a server then only one scope per physical network segment can be active at a time.

So that the DHCP server does not assign an already-used IP address to a new client, DHCP has conflict detection (Advanced tab of the DHCP server properties): the server pings the address it is about to assign in order to check whether it is free.

Multicast scope - regular DHCP scopes provide client configurations by allocating ranges of IP addresses from the standard classes (A, B or C). The multicast address range uses an extra address class, D: IP addresses from 224.0.0.0 to 239.255.255.255, for use in IP multicasting. In every TCP/IP network each host gets its own unicast IP address from the regular address classes. The unicast address is assigned before a host can support and use secondary IP addresses such as a multicast IP address. Multiple PCs can share the same multicast IP address. On private networks it is recommended to start with the 239.192.0.0 range. When a packet is sent to a multicast address it is delivered to all PCs that have joined that group. Multicast scopes are supported through MADCAP (Multicast Address Dynamic Client Allocation Protocol).

The DHCP server backs itself up every 60 minutes; you can also do a manual backup, from the Backup command in the DHCP console. When a backup is made the whole DHCP database is saved; some things, such as the credentials used for DNS updates, are not saved. The manual backup's default location is %systemroot%\system32\dhcp\backup. The following data is backed up: all scope information including superscopes and multicast scopes, reservations, leases and all options. The database file itself is called dhcp.mdb.

o To change the backup behaviour of the DHCP server, edit the following registry values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters:

o BackupInterval

o BackupDatabasePath

To migrate a DHCP server all you need to do is move the database: back it up and then restore it on the new computer.


Jetpack.exe is a tool that performs offline compaction and repair of Jet databases such as those of DHCP or WINS. The DHCP server database is also compacted dynamically without taking the server offline, but offline compaction is more thorough. Compaction should be done whenever the database size grows beyond 30 MB or you get corruption errors.

Option class - a way for the DHCP server to manage the options provided to clients within a scope. When an option class is added, clients belonging to that class can get class-specific configuration options. There are two types of classes, vendor classes and user classes.

o A vendor class is used to assign vendor-specific options to clients that share a common vendor

o A user class is used to assign options to clients that share user-defined similarities

The DHCP server has a default user class called 'Default Routing and Remote Access Class'. Options in this class apply only to clients that request an address while connecting through Routing and Remote Access. You can set different options for them; for example, you can assign shorter leases to remotely connected clients (option 051 Lease).

To create your own user or vendor class, open the DHCP console, right-click the DHCP server and select 'Define User Classes' (or 'Define Vendor Classes'). After defining a new class you need to assign a class ID to it and configure its options. On the client side you need to make sure the clients know which class they belong to; you do this by executing ipconfig /setclassid. To view the class IDs allowed for an adapter, execute ipconfig /showclassid.

    [4.5] DHCP and DNS working together

Windows 2000 and later computers try to register their own A record but ask the DHCP server to register the PTR record.

By default the DHCP server only attempts to update client records when the client computer requests it.

You can also configure the DHCP server to attempt to update A and PTR records regardless of the client's request.

By default the DHCP server discards the A and PTR records when the lease expires (you can set it to keep them).

By default the DHCP server will not perform dynamic updates on behalf of older Windows clients that do not request updates.

The update settings are configured on the DNS tab of the DHCP server properties.

DnsUpdateProxy is a security group whose members create records without security settings (objects created by members of this group have no owner and no security-related settings). When a DHCP server that is not a member of the group creates or modifies an entry in DNS, it becomes the owner of that entry and only it can change it. This creates problems, for example when a client cannot modify its own record because the server took ownership of it. Membership of the DHCP server in this group solves this stale record problem.

    Usage of the DnsUpdateProxy group also might cause some problems if the DHCP serviceis installed on a DC since all records created are not secure (same holds for the A records

    of the non-DC DHCP servers, but one can modify these manually giving them an owner). In

    particular, the records created by DC netlogon service are not secure.

    [4.6] Analyzing DHCP server traffic

    Communication between DHCP server and DHCP client for a lease:

    o The client seeking an IP address broadcasts a DHCPDISCOVER message on the network

    o Any DHCP server that receives the message and has available IP addresses sends a DHCPOFFER for a period of time called the lease

    o If no DHCP servers are available, the client can use APIPA or its alternative configuration; older clients fail to initialize and continue to send DHCPDISCOVER messages four times every 5 minutes

    o The client selects one of the offers and broadcasts a DHCPREQUEST indicating its selection

    o The DHCP server sends a DHCPACK message to the client with possible configuration information like DNS server IPs

    Communication between DHCP server and DHCP client for lease renewal:

    o The client computer sends a DHCP Request message to the server that leased it the IP address; it contains the FQDN of the client computer. The DHCP Request message is also used by the client to request dynamic updates from the DHCP server.

    o If the DHCP server can be reached, it sends a DHCPACK message back indicating renewal of the current lease (or remains silent)

    o If the DHCP server cannot be reached then the client waits until it reaches the rebinding state, which usually occurs 7 days after the last lease renewal. When that state is reached the client attempts to renew with any available DHCP server.

    o If a server responds with a DHCP Offer message the client renews the lease and continues its operation

    o If the lease expires and the client doesn't renew it, it ceases to use the leased IP address. It then tries to obtain a new IP address lease.

    o The DHCP server can also issue a DHCPNACK response indicating that the requested IP address is unavailable. In this case lease renewal fails and the client is forced to initiate a new lease request process.

    [4.7] DHCP audit logging

    In its default configuration the DHCP server writes daily audit logs to the folder %systemroot%\system32\dhcp. The text files that are created there are named after the day of the week they were created on, in the format DhcpSrvLog-[3-letter day of the week abbreviation]. You can modify the file location from the advanced tab of the DHCP server properties.

    You can turn logging off on the general tab of the DHCP server properties. By default, the largest log file is 1 MB and logging stops if the amount of free disk space falls under 20 MB.

    Each log file entry contains the ID, date, time, description, IP address, host name and MAC address. A CSV format is used for the columns; some may be blank.

    The log file contains a summary of the event IDs that show up in the main body of the log file, up to event ID 50. Event IDs with a number above 50 are used for AD authorization issues.
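    An added example (not from the guide or from Microsoft) of reading an audit log in the CSV layout described above and pulling out the rows an administrator would act on: the sample log text is constructed, the description strings in it are made up, and the meanings given to IDs 13 (address conflict) and 14 (scope exhausted) are taken from the legend that the real log files carry at the top; the rule that IDs above 50 are AD authorization events is the one the guide states.

```python
import csv
from collections import Counter

# Constructed sample of a DhcpSrvLog-*.log body in the CSV layout described above
# (ID, Date, Time, Description, IP Address, Host Name, MAC Address). Real files start
# with an explanatory legend; those lines do not begin with a digit and are skipped.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log (constructed sample)

ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,06/17/04,00:00:05,Started,,,
10,06/17/04,08:12:31,Assign,192.168.1.50,WS01.example.local,0011223344AB
11,06/17/04,08:40:02,Renew,192.168.1.51,WS02.example.local,0011223344AC
13,06/17/04,09:01:17,Conflict,192.168.1.52,,
14,06/17/04,09:05:44,Scope Full,,,
10,06/17/04,09:06:10,Assign,192.168.1.53,WS03.example.local,0011223344AD
54,06/17/04,09:10:00,Authorization failed,,,
"""

FIELDS = ("id", "date", "time", "description", "ip", "host", "mac")


def parse_audit_log(text):
    """Return one dict per event row; legend and column-header lines are skipped."""
    rows = []
    for parts in csv.reader(text.splitlines()):
        if not parts or not parts[0].strip().isdigit():
            continue
        rec = dict(zip(FIELDS, (p.strip() for p in parts[:7])))
        rec["id"] = int(rec["id"])
        rows.append(rec)
    return rows


def review_audit_log(text):
    """Summarize event IDs (the 'summary' the guide mentions) and flag notable rows."""
    rows = parse_audit_log(text)
    counts = Counter(r["id"] for r in rows)
    findings = []
    for r in rows:
        if r["id"] > 50:      # per the guide: IDs above 50 are AD authorization issues
            findings.append(f"{r['time']} AD authorization event {r['id']}: {r['description']}")
        elif r["id"] == 13:   # legend: address found to be in use on the network (conflict)
            findings.append(f"{r['time']} address conflict on {r['ip']}")
        elif r["id"] == 14:   # legend: lease request could not be satisfied, scope exhausted
            findings.append(f"{r['time']} scope exhausted, lease request denied")
    return counts, findings


if __name__ == "__main__":
    counts, findings = review_audit_log(SAMPLE_LOG)
    for event_id, n in sorted(counts.items()):
        print(f"event {event_id:02d}: {n}")
    for line in findings:
        print(line)
```

    Run against a real file the same way (read the DhcpSrvLog file into a string first); the summary counts are what the log's own header block reports, and the three flagged conditions are the ones that map directly to the troubleshooting steps in [4.8].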

    [4.8] DHCP problem resolution

    The first step in fixing DHCP related problems is to make sure that there is no problem with the client; use the ipconfig command to verify connectivity. If an address conflict occurred you will be warned of this by a system tray warning popup as well as an address conflict event in the system log.

    Dhcploc.exe can be used to locate DHCP servers including rogue servers; this utility is part of the Windows support tools. For AD authorized servers only, use the command netsh dhcp show server.

    The repair button on the remote connection information screen performs these functions:

    o Broadcast a DHCP Request message to renew the lease, if this computer is a DHCP client

    o Flush the ARP cache, the same thing as arp -d

    o Flush the NetBIOS cache, same as nbtstat -R

    o Flush the DNS cache, same as ipconfig /flushdns

    o Register the computer with the WINS server, same as nbtstat -RR

    o Register the computer with the DNS server, same as ipconfig /registerdns

    If the computer fails to connect to the DHCP server make sure the network medium is up and the DHCP server is operational. Make sure the scope is active and that it still has leases available for its clients.

    The DHCP server knows from which scope to assign an address by looking at the address of the RFC 1542 compliant router added to the discovery packet sent out by the client computer (no extra IP added means local subnet). If a client gets an IP address from a DHCP server but it is from the wrong scope, verify with the dhcploc utility the presence of competing DHCP servers. Make sure all authorized servers are leasing from non-overlapping ranges. A single DHCP server can have multiple scopes active on it; scopes not native to the DHCP server's subnet are used for remote clients. DHCP matches remote clients to their scope when an RFC 1542 compliant router or DHCP relay agent is properly configured. The DHCP Request message contains a field named 'giaddr' which carries the originating subnet (the relaying router's address); when it is empty the client is assumed local and assigned an address from the local scope.
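    The following is an added example, not code from the guide or from the Windows DHCP service, covering two passages at once: the DHCPDISCOVER / DHCPOFFER exchange of [4.6] and the giaddr-based scope selection just described. It builds the fixed BOOTP header and TLV options of a DHCP message, parses them back, and has a toy server answer a discover from the scope that the giaddr field selects (empty giaddr means the server's own subnet). The scope ranges, the client MAC and the 8-day lease value are constructed assumptions.

```python
import struct
import ipaddress

# DHCP message types carried in option 53 (RFC 2132 values).
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Fixed BOOTP header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr,
# chaddr, sname, file (236 bytes in total).
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"


def build_dhcp(msg_type, xid, chaddr, giaddr="0.0.0.0", yiaddr="0.0.0.0", options=None):
    """Build a minimal DHCP message; giaddr is what an RFC 1542 router or relay agent fills in."""
    op = 1 if msg_type in (DHCPDISCOVER, DHCPREQUEST) else 2   # BOOTREQUEST / BOOTREPLY
    header = struct.pack(
        HEADER_FMT, op, 1, len(chaddr), 0, xid, 0, 0x8000,      # Ethernet MAC, broadcast flag set
        b"\0" * 4,                                              # ciaddr: none yet
        ipaddress.IPv4Address(yiaddr).packed,                   # yiaddr: the offered address
        b"\0" * 4,                                              # siaddr
        ipaddress.IPv4Address(giaddr).packed,                   # giaddr: relay on originating subnet
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = MAGIC_COOKIE + bytes([53, 1, msg_type])
    for code, value in (options or {}).items():
        body += bytes([code, len(value)]) + value
    return header + body + b"\xff"                              # option 255 = end


def parse_dhcp(data):
    """Parse the header and TLV options back into a dict."""
    f = struct.unpack(HEADER_FMT, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    msg = {"op": f[0], "xid": f[4],
           "yiaddr": str(ipaddress.IPv4Address(f[8])),
           "giaddr": str(ipaddress.IPv4Address(f[10])),
           "chaddr": f[11][:f[2]].hex(":"), "options": {}}
    i = 240
    while i < len(data) and data[i] != 0xFF:
        if data[i] == 0:                     # pad option
            i += 1
            continue
        code, length = data[i], data[i + 1]
        msg["options"][code] = data[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = msg["options"][53][0]
    return msg


# Constructed scopes: the server sits on 192.168.1.0/24; 192.168.2.0/24 serves a remote subnet
# that is reached through a relay agent.
SERVER_SUBNET = ipaddress.ip_network("192.168.1.0/24")
SCOPES = {
    SERVER_SUBNET: ["192.168.1.50"],
    ipaddress.ip_network("192.168.2.0/24"): ["192.168.2.50"],
}
LEASE_SECONDS = 8 * 24 * 3600   # assumed 8-day lease, sent as option 51


def select_scope(giaddr):
    """Empty giaddr: the client is local. Otherwise the relay's address picks the scope."""
    addr = ipaddress.IPv4Address(giaddr)
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        return SERVER_SUBNET
    return next((net for net in SCOPES if addr in net), None)


def handle_discover(data):
    """Server side: answer a DHCPDISCOVER with a DHCPOFFER, or None if no scope or lease fits."""
    req = parse_dhcp(data)
    if req["type"] != DHCPDISCOVER:
        return None
    scope = select_scope(req["giaddr"])
    if scope is None or not SCOPES[scope]:   # unknown subnet, or scope exhausted
        return None
    offered = SCOPES[scope][0]
    return build_dhcp(DHCPOFFER, req["xid"], bytes.fromhex(req["chaddr"].replace(":", "")),
                      giaddr=req["giaddr"], yiaddr=offered,
                      options={1: scope.netmask.packed, 51: struct.pack("!I", LEASE_SECONDS)})


if __name__ == "__main__":
    # Constructed client MAC; the discover arrives through a relay agent at 192.168.2.1.
    discover = build_dhcp(DHCPDISCOVER, 0x1234, bytes.fromhex("0011223344ab"), giaddr="192.168.2.1")
    offer = parse_dhcp(handle_discover(discover))
    print(offer["yiaddr"], int.from_bytes(offer["options"][51], "big"))
```

    A relayed discover is answered from the remote scope, a discover with giaddr left at 0.0.0.0 from the server's own scope, and a discover relayed from a subnet with no matching scope gets no offer at all, which is the symptom the paragraph above tells you to troubleshoot.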

    For a server to hand out addresses it must be on the same subnet as its clients and the DHCP service must be bound to the connection; this is checked from the advanced tab in server properties.

    Make sure the scope is active and that the scope's network ID matches that of the DHCP server. Also, though it sounds trivial, make sure the DHCP server has some addresses available for lease. To accommodate more users you can simply shorten the lease duration. Don't forget static address exclusions and reserved addresses.

    If the problem lies within the DHCP database, you will need to reconcile the DHCP data for one or all scopes. The data is stored in detailed and summary form on the DHCP server; when reconciling, the data in these two forms is compared.

    You can also use the jetpack utility to perform database compaction, or use netsh dhcp server set databaserestoreflag 1

    When the administrator needs to renew IP addresses on a few computers he can issue the command ipconfig /renew on each one of them; in the case there are more computers, it is easier to just re-boot them using the shutdown /i command line utility (shows a nice GUI interface).

    To quickly get the MAC address of any computer, including remote PCs, use the getmac /s /v [server name] command line utility

    Part 5: Implementing, configuring and troubleshooting routing and remote access in Windows networks

    [5.1] Chapter definitions

    Routing is the process of transferring data from one local area network to another local area network

    Bridge is a network connection that connects two or more network segments and shares traffic as necessary according to hardware addresses. A bridge is a layer two (data link) device.

    Router is a device that receives and forwards traffic according to software addresses. A router is a layer three device according to the OSI model.

    Network interface is a software object that connects to a physical device such as a modem or network card

    Demand dial interfaces - these are interfaces such as VPN, persistent dial-up connection and PPPoE connection. New demand dial interfaces are added through the Network Interfaces node.

    Windows includes a software router called the Routing and Remote Access service. This is a multiprotocol router capable of LAN to LAN, LAN to WAN, VPN and NAT routing through IP networks. It also supports routing features such as IP multicasting, demand-dialing, packet filtering, DHCP relay and built-in support for RIP 2 and OSPF.

    Unnumbered connections - connections in which one or both of the logical interfaces fail to obtain an IP address. Unnumbered connections happen mostly with demand-dial connections when one (or both) routers don't support APIPA

    NAT stands for network address translation and is a service that is part of a router in which the header information in IP datagrams is modified by the router before being sent out. This allows many computers with private addresses to share a single public IP and still be able to surf the net.

    [5.2] Routing with Routing and remote access

    The server computer needs to be configured with Routing and Remote Access since it is installed in a disabled state. It will detect all installed network adapters and configure them. However, the system administrator will need to set up all additional VPN and dial-up connections since they are not pre-configured during setup.

    When you add a new network card to an already configured Routing and Remote Access service, you will need to add a new interface through the Routing and Remote Access console

    The number of network segments to which R&R access can act as a router is limited by the number of interfaces installed on the server.

    Routing and Remote Access properties for the IP routing node:

    o The general tab allows the network administrator to configure the R&R access service as a LAN router, demand dial router or remote access server.

    o The security tab allows the network administrator to configure authentication methods, connection request logging and preshared keys for the IPSec protocol. All options set on the security tab are applied to remote access clients and demand dial routers.

    o The IP tab allows the network administrator to configure how IP packets are routed over LAN, remote access or demand-dial connections. You have an option to use a DHCP server to assign IP addresses to remote hosts. If the DHCP server is not on the same PC as the R&R access service it must be reached through a DHCP relay agent. If you don't have a DHCP server close at hand you can use a static address pool; the R&R access service will then act as a DHCP server. The "Enable Broadcast Name Resolution" check box, when checked, enables R&R access clients to resolve computer names on all network segments connected to the R&R access server without the help of DNS or WINS servers; this option is enabled by default and it works by permitting NetBT broadcasts from remote clients.

    o The PPP tab allows the network administrator to control how dial-up connections are authenticated and negotiated. You can enable or disable the following options: Multilink connections, Link Control Protocol (LCP) extensions, software compression and Dynamic Bandwidth Control with BAP or BACP; all options are enabled by default.

        Multilink connections allow multiple physical links to operate as a single logical link, increasing the bandwidth

        Dynamic Bandwidth Control with BAP or BACP - when bandwidth demands change, multilink connections are created or dropped to allow for the changes; both protocols work together to provide bandwidth on demand (BOD)

        Link Control Protocol (LCP) Extensions - support for advanced PPP features such as callback; disable if the client is older and cannot use these advanced features

        Software compression - software based compression of data; leave on unless the modem used can compress data at hardware level (no need to do idle work at software level)

    o Logging tab allows the administrator to select the events to be logged; by default only errors are written to the log file. Log files are located in the %systemroot%\tracing directory.

    IP routing properties, accessed from the General Properties dialog box associated with the General subnode of the IP Routing node:

    o Logging tab - which IP routing events are to be logged; by default only errors are logged

    o Preference levels tab allows the administrator to assign a priority to routes collected from various sources. When two different sources provide conflicting routing information only one source's data can be entered into the routing table; this data comes from the source with the higher priority setting. The highest priority is 120, the lowest is 1.

    o Multicast scopes - add/remove multicast scopes (to add a new scope provide its name, base IP address and mask)

    Routing and Remote Access server supports SLIP and PPP for serial asynchronous connections. PPP - Point-to-Point Protocol that provides advanced features (like IPX, NetBEUI and TCP/IP, and encrypted authentication if configured) not found in Serial Line Internet Protocol (SLIP)

    [5.3] Routing tables explained

    There are three types of routes that one finds inside a routing table:

    o Default route - there is a single entry for this route in the table; the address provided is used as a destination for packets whose address doesn't match any other entry in the routing table. This route is indicated by both an address and a network mask of 0.0.0.0

    o Host route - provides a route to a specific host or a broadcast address; this type of route is marked by a network mask of 255.255.255.255

    o Network route - provides a route to a specific network; this type of route can have a subnet mask between 0.0.0.0 and 255.255.255.255

    To view the routing table of any computer (for every computer has one) from the command line type route print

    Routing tables are organized into five columns, which are in the following order: Network Destination, Netmask, Gateway, Interface and Metric

    o Network Destination - the router compares entries in this column with the destination address of every IP packet. The 0.0.0.0 entry is the default route, 127.0.0.1 is the loopback device. Each entry with 224.0.0.0 refers to a multicast route. Entries with a last octet of 255 represent broadcast addresses; 255.255.255.255 is the limited broadcast address, which is general for all networks and routers, other broadcast addresses are limited broadcast addresses.

    o Netmask - the value of this column determines which part of the packet's destination IP address is compared to the entries in the Network Destination column. The closest match determines the route that the packet will be given

    o Gateway - the value represents the address the packet will be sent to if this particular route is chosen. The address should be different from the Network Destination value on the same row in the table. The gateway is the direction a packet takes in its voyage to the destination address (network destination). It is logical that the direction one must take to arrive at X is different from X itself.

    o Interface - the value of the local network interface that will be used to transport the packet if this route is chosen

    o Metric - the cost of using a route; lower metric values carry more weight compared to higher values, so a value of 1 is preferred over 50. RIP uses the number of hops to determine a route's metric.

    By default the computer will preset certain route entries; however, to implement smooth communication with hosts that are outside broadcast range one must set up either static or dynamic routing
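    An added example (not from the guide, and not how the Windows IP stack is implemented) of the lookup the five columns above describe: every row whose Network Destination matches the packet's address under that row's Netmask is a candidate, the closest match (longest mask) wins, and among equal masks the lowest metric wins. The table text is a constructed imitation of route print output; the addresses and metrics in it are assumptions.

```python
import ipaddress

# Constructed table in the five-column order shown by route print:
# Network Destination, Netmask, Gateway, Interface, Metric
ROUTE_PRINT = """\
0.0.0.0          0.0.0.0          192.168.1.1     192.168.1.10   20
10.0.0.0         255.0.0.0        192.168.1.254   192.168.1.10   30
10.1.0.0         255.255.0.0      192.168.1.253   192.168.1.10   30
10.1.0.0         255.255.0.0      192.168.1.252   192.168.1.10   10
127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
192.168.1.0      255.255.255.0    192.168.1.10    192.168.1.10   20
192.168.1.10     255.255.255.255  127.0.0.1       127.0.0.1      20
192.168.1.255    255.255.255.255  192.168.1.10    192.168.1.10   20
224.0.0.0        240.0.0.0        192.168.1.10    192.168.1.10   20
255.255.255.255  255.255.255.255  192.168.1.10    192.168.1.10   1
"""


def parse_route_table(text):
    """Turn route print style rows into dicts; destination and netmask become one ip_network."""
    table = []
    for line in text.splitlines():
        dest, mask, gateway, iface, metric = line.split()
        table.append({"network": ipaddress.ip_network(f"{dest}/{mask}"),
                      "gateway": gateway, "interface": iface, "metric": int(metric)})
    return table


def route_kind(route):
    """Classify a row by its netmask the way the guide does: default, host or network route."""
    prefixlen = route["network"].prefixlen
    if prefixlen == 0:
        return "default"
    if prefixlen == 32:
        return "host"
    return "network"


def lookup(table, destination):
    """Select the row used to forward a packet: longest matching mask, then lowest metric."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table if dst in r["network"]]   # destination AND netmask comparison
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["network"].prefixlen, r["metric"]))


if __name__ == "__main__":
    table = parse_route_table(ROUTE_PRINT)
    for dst in ("8.8.8.8", "192.168.1.77", "192.168.1.10", "10.1.2.3", "10.2.0.1"):
        chosen = lookup(table, dst)
        print(f"{dst:15} -> {route_kind(chosen):7} route via {chosen['gateway']} "
              f"on {chosen['interface']} (metric {chosen['metric']})")
```

    The two 10.1.0.0/16 rows show the metric tie-break, the 192.168.1.10/32 row shows a host route beating the /24 network route for the same address, and anything with no closer match falls through to the 0.0.0.0 default route.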

    Static routing is when the administrator adds new routes to the routing table; routers do not share routing information and tables have to be manually checked for accuracy. This makes static routing difficult in large networked environments. Static routing works best for small single-path internetworks with 10 or fewer subnets. Static routing supports unnumbered connections. Static routes survive a server restart since they are persistent.

    You can add new static routes from the Routing and Remote Access console or using the command line: route add [destination address] mask [netmask] [gateway] metric [metric cost] if [interface]. Please note that the static routes added with the command line utility route are not persistent by default. To make them persistent use the -p switch. If routes are not persistent they are not listed under the 'static' heading in the R&R access console.

    To delete a route from the command line use route delete [destination address]

    In real life static routes are rarely used since RIP is easy to configure. You might need to use static routes for connections to remote routers that are intermittent, since dynamic routing protocols require too much communication over the link.

    You should avoid placing default routes on two or more routers that point to each other, since that puts unreachable traffic into an endless loop.

    Dynamic routing uses RIP 2 or OSPF to share information between routers and ensure that the routing tables are built and kept accurate dynamically

    There is nothing to be done as far as configuration is concerned by the administrator if the router is physically connected to all network segments

    [5.4] Configuring routing protocols

    Windows Server supports four routing protocols: RIP, OSPF, multicast IGMP and DHCP Relay Agent

    RIP (Routing Information Protocol) uses lowest cost route choosing; routes with a cost higher than 15 are discarded, limiting the network size. RIP routers advertise their whole tables to each other every 30 seconds.

    RIP works best in small to medium sized networks with a maximum of 15 routers; multipath networks with dynamic topology are well suited for RIP.

    The main advantage of RIP is its ease of use; its disadvantages are its limited hop based cost estimate and the 15 hop size limit

    RIP can use simple password authentication that prevents an attacker from polluting the routing tables; unfortunately the passwords are plain text. You can configure a list of routers (peer filtering) from which your router is to accept RIP announcements (by IP address). You can configure route filters on each RIP interface, thus making routes that are reachable from your network the only ones that will be considered for addition to the routing table.

    By default RIP uses either broadcasts or multicasts (only in RIP 2). To prevent traffic from being sent to nodes that are not RIP routers the system administrator can set RIP neighbors.
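    An added example, not from the guide and not the RRAS RIP implementation, of how a router applies the RIP rules above to one received announcement: the announcement is dropped unless the sender is on the peer-filter list, each announced route is ignored unless it falls inside a configured route filter, one hop is added for the path through the sender, and anything that would cost more than 15 hops is treated as unreachable. The router addresses, prefixes and metrics are constructed.

```python
import ipaddress

RIP_INFINITY = 16   # RIP's "unreachable" metric; a route costing more than 15 hops is discarded


def process_rip_announcement(table, sender, announced, accepted_peers, route_filters):
    """
    Apply one RIP announcement to our routing table.
      table          : dict "network/prefix" -> (metric, next_hop); updated in place
      sender         : IP address of the advertising router
      announced      : list of (network, metric) pairs as the sender sees them
      accepted_peers : set of router IPs we accept announcements from (peer filtering)
      route_filters  : list of network strings; only routes inside one of them are considered
    Returns a list of (action, subject) tuples for logging.
    """
    log = []
    if sender not in accepted_peers:                       # peer filtering
        log.append(("dropped announcement from unlisted peer", sender))
        return log
    filters = [ipaddress.ip_network(f) for f in route_filters]
    for net_str, metric in announced:
        net = ipaddress.ip_network(net_str)
        key = str(net)
        if not any(net.subnet_of(allowed) for allowed in filters):   # route filtering
            log.append(("filtered", key))
            continue
        cost = min(metric + 1, RIP_INFINITY)                # one more hop to go via the sender
        current = table.get(key)
        if cost >= RIP_INFINITY:
            if current and current[1] == sender:           # the peer withdrew a route we had from it
                del table[key]
            log.append(("unreachable", key))
            continue
        # install if new, cheaper, or a refresh from the router we already use for it
        if current is None or cost < current[0] or current[1] == sender:
            table[key] = (cost, sender)
            log.append(("installed", key))
        else:
            log.append(("kept existing", key))
    return log


if __name__ == "__main__":
    routes = {}
    peers = {"192.168.1.2"}
    filters = ["10.0.0.0/8"]
    for entry in process_rip_announcement(
            routes, "192.168.1.2",
            [("10.1.0.0/16", 1), ("10.2.0.0/16", 15), ("172.16.0.0/16", 2)],
            peers, filters):
        print(*entry)
    print(process_rip_announcement(routes, "192.168.1.99", [("10.3.0.0/16", 1)], peers, filters))
    print(routes)
```

    Note what the plain-text password the guide mentions does not protect against: a host that can sniff one announcement learns the password, so peer filtering and route filters are the controls that actually bound which routes an unexpected sender can push into the table.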

    OSPF (Open Shortest Path First) is an efficient protocol which uses the shortest path first algorithm to compute routes. OSPF routers don't share routing tables; instead they rely on a map of the internetwork called the link state database. Neighboring routers form an adjacency.

    The OSPF protocol can scale to very large networks due to no hop limit, fast convergence times, little network bandwidth used and loop-free routes. Unfortunately it is not supported on the 64-bit edition of Windows Server 2003.

    Changes to the network topology are sent to all routers in the network, which recompute their routing tables

    OSPF divides the network into areas (collections of contiguous networks) which are connected to each other through the backbone. Each router keeps a link state database only for the areas to which it is connected. Area border routers connect to the backbone area and other areas. OSPF also supports stub areas, which contain only one entry and exit point.

    DHCP Relay Agent is a routing protocol that allows client computers to obtain an address from a DHCP server on a remote subnet. DHCP clients send their DHCP Discover packets as broadcasts that are blocked by routers; one either needs to deploy an RFC 1542 compliant router or a DHCP Relay Agent for these packets to get through to the other subnet. You cannot use the DHCP Relay Agent on a computer that is also running the DHCP server, NAT (with automatic addressing turned on) or ICS. You install the DHCP Relay Agent just like any other protocol. Routers that are RFC 1542 compliant use BOOTP (boot protocol) for DHCP packet forwarding.

    [5.5] Demand-dial routing

    You can enable demand-dial routing from the general tab of the Routing and Remote Access properties

    You can set dial credentials, get the unreachability reason, set IP demand-dial filters and dial-out hours from the actions menu. These options are only for the demand dial interface.

    On the properties page of the demand-dial router you can set modem features such as the source phone number, dialing properties such as call frequency, and the security protocol used - CHAP by default.

    You can access port and device properties from the Ports node. From this dialog box you can configure your modem as to whether it will be used for inbound and/or outbound connections. You can also set the device's phone number.

    Clicking on the General node of IP Routing when demand dial is activated reveals some commands specific to dial-in (when one r-clicks on the demand dial interface):

    o Update routes is used to update routes if RIP is installed. Static routes are updated and are known as autostatic routes. Autostatic routes are used instead of normal RIP router to router communication due to the nature of the connection (demand dial).

    o TCP/IP statistics allows the administrator to see information similar to that provided by ipconfig and netstat

    o IP routing interface properties is a shortcut to another dialog box that has General, Multicast boundaries and Multicast heartbeat tabs

        On the General tab "Enable IP Router Manager" is enabled by default; it is the service that is responsible for numerous features such as IP packet filtering. If you disable it the administrative status of the device changes to disabled. Another option is the "Enable Router Discovery Advertisements" check box, off by default; it is a feature in which network hosts send out router solicitations to discover routers, and it needs to be configured at the host. Packet filtering is handled by two buttons, Inbound and Outbound filters. Part of packet filtering is the "Enable fragmentation checking" check box, off by default.

        Multicast boundaries tab - administrative barriers for forwarding of IP multicast traffic. If boundaries didn't exist then the IP multicast router would forward all appropriate IP multicast traffic. You can configure the boundary using a multicast scope or the TTL in the IP header.

        Multicast heartbeat tab - the server listens for a regular multicast notification for a specified group address to verify that IP multicast connectivity is available on the network. You can configure the timeout interval and the group address.

    Demand dial router to router configuration options:

    o Connection endpoint addressing - the end point of a connection that goes over a public network must be identified by an endpoint identifier (such as a phone number).

    o Both ends of the demand dial connection must be configured for normal (bi-directional) traffic to flow; they both need R&R access to be running

    o Authentication of the calling router is based on credentials that correspond to a user account; authorization of the calling router is based on user permissions.

    o The process of differentiating a router from a user calling is done by matching the user name to the interface being called: it is a router calling if the user name matches exactly the name of the demand dial interface on the answering router.

    o Static routes are to be configured for both connection ends; the check box 'Use this route to initiate demand dial connection' should be checked

    [5.6] Configuring NAT

    NAT - network address translation is a service that modifies packet header informationbefore sending them to their